UPSTREAM: <carry>: kube-controller-manager: add service serving cert signer to token controller

:100644 100644 b32534e... 3e694fc... M	pkg/controller/serviceaccount/tokens_controller.go

OpenShift-Rebase-Source: 891b28f

Author: deads2k

pkg/controller/serviceaccount/tokens_controller.go

@@ -41,6 +41,8 @@ import (
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
 
+const ServiceServingCASecretKey = "service-ca.crt"
+
 // RemoveTokenBackoff is the recommended (empirical) retry interval for removing
 // a secret reference from a service account when the secret is deleted. It is
 // exported for use by custom secret controllers.
@@ -66,6 +68,9 @@ type TokensControllerOptions struct {
 	// MaxRetries controls the maximum number of times a particular key is retried before giving up
 	// If zero, a default max is used
 	MaxRetries int
+
+	// This CA will be added in the secrets of service accounts
+	ServiceServingCA []byte
 }
 
 // NewTokensController returns a new *TokensController.
@@ -76,9 +81,10 @@ func NewTokensController(serviceAccounts informers.ServiceAccountInformer, secre
 	}
 
 	e := &TokensController{
-		client: cl,
-		token:  options.TokenGenerator,
-		rootCA: options.RootCA,
+		client:           cl,
+		token:            options.TokenGenerator,
+		rootCA:           options.RootCA,
+		serviceServingCA: options.ServiceServingCA,
 
 		syncServiceAccountQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
 			workqueue.DefaultTypedControllerRateLimiter[serviceAccountQueueKey](),
@@ -134,7 +140,8 @@ type TokensController struct {
 	client clientset.Interface
 	token  serviceaccount.TokenGenerator
 
-	rootCA []byte
+	rootCA           []byte
+	serviceServingCA []byte
 
 	serviceAccounts listersv1.ServiceAccountLister
 	// updatedSecrets is a wrapper around the shared cache which allows us to record
@@ -352,22 +359,23 @@ func (e *TokensController) deleteToken(ns, name string, uid types.UID) ( /*retry
 	return true, err
 }
 
-func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool) {
+func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool, bool) {
 	caData := secret.Data[v1.ServiceAccountRootCAKey]
 	needsCA := len(e.rootCA) > 0 && !bytes.Equal(caData, e.rootCA)
+	needsServiceServingCA := len(e.serviceServingCA) > 0 && bytes.Compare(secret.Data[ServiceServingCASecretKey], e.serviceServingCA) != 0
 
 	needsNamespace := len(secret.Data[v1.ServiceAccountNamespaceKey]) == 0
 
 	tokenData := secret.Data[v1.ServiceAccountTokenKey]
 	needsToken := len(tokenData) == 0
 
-	return needsCA, needsNamespace, needsToken
+	return needsCA, needsServiceServingCA, needsNamespace, needsToken
 }
 
 // generateTokenIfNeeded populates the token data for the given Secret if not already set
 func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAccount *v1.ServiceAccount, cachedSecret *v1.Secret) ( /* retry */ bool, error) {
 	// Check the cached secret to see if changes are needed
-	if needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsToken && !needsNamespace {
+	if needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
 		return false, nil
 	}
 
@@ -386,8 +394,8 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
 		return false, nil
 	}
 
-	needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
-	if !needsCA && !needsToken && !needsNamespace {
+	needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
+	if !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
 		return false, nil
 	}
 
@@ -402,6 +410,9 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
 	if needsCA {
 		liveSecret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
 	}
+	if needsServiceServingCA {
+		liveSecret.Data[ServiceServingCASecretKey] = e.serviceServingCA
+	}
 	// Set the namespace
 	if needsNamespace {
 		liveSecret.Data[v1.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)