Skip to content

Commit 891b28f

Browse files
deads2ksoltysh
deads2k
authored and
soltysh
committed
UPSTREAM: <carry>: kube-controller-manager: add service serving cert signer to token controller
:100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go openshift-rebase(v1.24):source=194864933ce openshift-rebase(v1.24):source=194864933ce openshift-rebase(v1.24):source=194864933ce
1 parent bc6d594 commit 891b28f

File tree

1 file changed

+23
-9
lines changed

1 file changed

+23
-9
lines changed

pkg/controller/serviceaccount/tokens_controller.go

Lines changed: 23 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,8 @@ import (
4343
"k8s.io/kubernetes/pkg/serviceaccount"
4444
)
4545

46+
const ServiceServingCASecretKey = "service-ca.crt"
47+
4648
// RemoveTokenBackoff is the recommended (empirical) retry interval for removing
4749
// a secret reference from a service account when the secret is deleted. It is
4850
// exported for use by custom secret controllers.
@@ -71,6 +73,9 @@ type TokensControllerOptions struct {
7173

7274
// AutoGenerate decides the auto-generation of secret-based token for service accounts.
7375
AutoGenerate bool
76+
77+
// This CA will be added in the secrets of service accounts
78+
ServiceServingCA []byte
7479
}
7580

7681
// NewTokensController returns a new *TokensController.
@@ -81,9 +86,10 @@ func NewTokensController(serviceAccounts informers.ServiceAccountInformer, secre
8186
}
8287

8388
e := &TokensController{
84-
client: cl,
85-
token: options.TokenGenerator,
86-
rootCA: options.RootCA,
89+
client: cl,
90+
token: options.TokenGenerator,
91+
rootCA: options.RootCA,
92+
serviceServingCA: options.ServiceServingCA,
8793

8894
syncServiceAccountQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "serviceaccount_tokens_service"),
8995
syncSecretQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "serviceaccount_tokens_secret"),
@@ -139,7 +145,8 @@ type TokensController struct {
139145
client clientset.Interface
140146
token serviceaccount.TokenGenerator
141147

142-
rootCA []byte
148+
rootCA []byte
149+
serviceServingCA []byte
143150

144151
serviceAccounts listersv1.ServiceAccountLister
145152
// updatedSecrets is a wrapper around the shared cache which allows us to record
@@ -411,6 +418,9 @@ func (e *TokensController) ensureReferencedToken(serviceAccount *v1.ServiceAccou
411418
if e.rootCA != nil && len(e.rootCA) > 0 {
412419
secret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
413420
}
421+
if e.serviceServingCA != nil && len(e.serviceServingCA) > 0 {
422+
secret.Data[ServiceServingCASecretKey] = e.serviceServingCA
423+
}
414424

415425
// Save the secret
416426
createdToken, err := e.client.CoreV1().Secrets(serviceAccount.Namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
@@ -504,22 +514,23 @@ func (e *TokensController) hasReferencedToken(serviceAccount *v1.ServiceAccount)
504514
return false, nil
505515
}
506516

507-
func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool) {
517+
func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool, bool) {
508518
caData := secret.Data[v1.ServiceAccountRootCAKey]
509519
needsCA := len(e.rootCA) > 0 && !bytes.Equal(caData, e.rootCA)
520+
needsServiceServingCA := len(e.serviceServingCA) > 0 && bytes.Compare(secret.Data[ServiceServingCASecretKey], e.serviceServingCA) != 0
510521

511522
needsNamespace := len(secret.Data[v1.ServiceAccountNamespaceKey]) == 0
512523

513524
tokenData := secret.Data[v1.ServiceAccountTokenKey]
514525
needsToken := len(tokenData) == 0
515526

516-
return needsCA, needsNamespace, needsToken
527+
return needsCA, needsServiceServingCA, needsNamespace, needsToken
517528
}
518529

519530
// generateTokenIfNeeded populates the token data for the given Secret if not already set
520531
func (e *TokensController) generateTokenIfNeeded(serviceAccount *v1.ServiceAccount, cachedSecret *v1.Secret) ( /* retry */ bool, error) {
521532
// Check the cached secret to see if changes are needed
522-
if needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsToken && !needsNamespace {
533+
if needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
523534
return false, nil
524535
}
525536

@@ -538,8 +549,8 @@ func (e *TokensController) generateTokenIfNeeded(serviceAccount *v1.ServiceAccou
538549
return false, nil
539550
}
540551

541-
needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
542-
if !needsCA && !needsToken && !needsNamespace {
552+
needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
553+
if !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
543554
return false, nil
544555
}
545556

@@ -554,6 +565,9 @@ func (e *TokensController) generateTokenIfNeeded(serviceAccount *v1.ServiceAccou
554565
if needsCA {
555566
liveSecret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
556567
}
568+
if needsServiceServingCA {
569+
liveSecret.Data[ServiceServingCASecretKey] = e.serviceServingCA
570+
}
557571
// Set the namespace
558572
if needsNamespace {
559573
liveSecret.Data[v1.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)

0 commit comments

Comments
 (0)