clusterapi: refresh kubeconfig bearer tokens for management and workload kubeconfigs dynamically

cnmcavoy · cnmcavoy · commit 911efe7644ff · 2023-07-13T16:17:24.000-05:00
diff --git a/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_provider.go b/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_provider.go
@@ -17,10 +17,13 @@ limitations under the License.
 package clusterapi
 
 import (
+	"fmt"
+	"net/http"
 	"reflect"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/discovery/cached/memory"
 	"k8s.io/client-go/dynamic"
@@ -158,13 +161,22 @@ func BuildClusterAPI(opts config.AutoscalingOptions, do cloudprovider.NodeGroupD
 	if err != nil {
 		klog.Fatalf("cannot build management cluster config: %v", err)
 	}
+	if managementConfig.BearerToken != "" && !opts.ClusterAPICloudConfigAuthoritative {
+		managementConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return &bearerAuthRoundTripper{rt: rt, kubeconfigPath: managementKubeconfig}
+		})
+	}
 
 	workloadKubeconfig := opts.KubeConfigPath
-
 	workloadConfig, err := clientcmd.BuildConfigFromFlags("", workloadKubeconfig)
 	if err != nil {
 		klog.Fatalf("cannot build workload cluster config: %v", err)
 	}
+	if workloadConfig.BearerToken != "" {
+		workloadConfig.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return &bearerAuthRoundTripper{rt: rt, kubeconfigPath: workloadKubeconfig}
+		})
+	}
 
 	// Grab a dynamic interface that we can create informers from
 	managementClient, err := dynamic.NewForConfig(managementConfig)
@@ -207,3 +219,20 @@ func BuildClusterAPI(opts config.AutoscalingOptions, do cloudprovider.NodeGroupD
 
 	return newProvider(cloudprovider.ClusterAPIProviderName, rl, controller)
 }
+
+type bearerAuthRoundTripper struct {
+	kubeconfigPath string
+	rt             http.RoundTripper
+}
+
+func (rt bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	req = utilnet.CloneRequest(req)
+	kubeConfig, err := clientcmd.BuildConfigFromFlags("", rt.kubeconfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("cannot build kube cluster config: %w", err)
+	}
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", kubeConfig.BearerToken))
+	return rt.rt.RoundTrip(req)
+}
+
+var _ http.RoundTripper = &bearerAuthRoundTripper{}
