
Commit 56ceb03

deads2kbertinatto
authored andcommitted
UPSTREAM: <carry>: kube-controller-manager: add service serving cert signer to token controller
:100644 100644 b32534e... 3e694fc... M pkg/controller/serviceaccount/tokens_controller.go OpenShift-Rebase-Source: 891b28f
1 parent 8bb7c58 commit 56ceb03


1 file changed

+20
-9
lines changed


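--- a/pkg/controller/serviceaccount/tokens_controller.go
+++ b/pkg/controller/serviceaccount/tokens_controller.go
@@ -41,6 +41,8 @@ import (
 "k8s.io/kubernetes/pkg/serviceaccount"
 )
 
+const ServiceServingCASecretKey = "service-ca.crt"
+
 // RemoveTokenBackoff is the recommended (empirical) retry interval for removing
 // a secret reference from a service account when the secret is deleted. It is
 // exported for use by custom secret controllers.
@@ -66,6 +68,9 @@ type TokensControllerOptions struct {
 // MaxRetries controls the maximum number of times a particular key is retried before giving up
 // If zero, a default max is used
 MaxRetries int
+
+// This CA will be added in the secrets of service accounts
+ServiceServingCA []byte
 }
 
 // NewTokensController returns a new *TokensController.
@@ -76,9 +81,10 @@ func NewTokensController(logger klog.Logger, serviceAccounts informers.ServiceAc
 }
 
 e := &TokensController{
-client: cl,
-token: options.TokenGenerator,
-rootCA: options.RootCA,
+client: cl,
+token: options.TokenGenerator,
+rootCA: options.RootCA,
+serviceServingCA: options.ServiceServingCA,
 
 syncServiceAccountQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
 workqueue.DefaultTypedControllerRateLimiter[serviceAccountQueueKey](),
@@ -137,7 +143,8 @@ type TokensController struct {
 client clientset.Interface
 token serviceaccount.TokenGenerator
 
-rootCA []byte
+rootCA []byte
+serviceServingCA []byte
 
 serviceAccounts listersv1.ServiceAccountLister
 // updatedSecrets is a wrapper around the shared cache which allows us to record
@@ -355,22 +362,23 @@ func (e *TokensController) deleteToken(ns, name string, uid types.UID) ( /*retry
 return true, err
 }
 
-func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool) {
+func (e *TokensController) secretUpdateNeeded(secret *v1.Secret) (bool, bool, bool, bool) {
 caData := secret.Data[v1.ServiceAccountRootCAKey]
 needsCA := len(e.rootCA) > 0 && !bytes.Equal(caData, e.rootCA)
+needsServiceServingCA := len(e.serviceServingCA) > 0 && bytes.Compare(secret.Data[ServiceServingCASecretKey], e.serviceServingCA) != 0
 
 needsNamespace := len(secret.Data[v1.ServiceAccountNamespaceKey]) == 0
 
 tokenData := secret.Data[v1.ServiceAccountTokenKey]
 needsToken := len(tokenData) == 0
 
-return needsCA, needsNamespace, needsToken
+return needsCA, needsServiceServingCA, needsNamespace, needsToken
 }
 
 // generateTokenIfNeeded populates the token data for the given Secret if not already set
 func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAccount *v1.ServiceAccount, cachedSecret *v1.Secret) ( /* retry */ bool, error) {
 // Check the cached secret to see if changes are needed
-if needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsToken && !needsNamespace {
+if needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(cachedSecret); !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
 return false, nil
 }
 
@@ -389,8 +397,8 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
 return false, nil
 }
 
-needsCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
-if !needsCA && !needsToken && !needsNamespace {
+needsCA, needsServiceServingCA, needsNamespace, needsToken := e.secretUpdateNeeded(liveSecret)
+if !needsCA && !needsServiceServingCA && !needsToken && !needsNamespace {
 return false, nil
 }
 
@@ -405,6 +413,9 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
 if needsCA {
 liveSecret.Data[v1.ServiceAccountRootCAKey] = e.rootCA
 }
+if needsServiceServingCA {
+liveSecret.Data[ServiceServingCASecretKey] = e.serviceServingCA
+}
 // Set the namespace
 if needsNamespace {
 liveSecret.Data[v1.ServiceAccountNamespaceKey] = []byte(liveSecret.Namespace)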
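Review bot: The new needsServiceServingCA line in secretUpdateNeeded uses `bytes.Compare(...) != 0` while the rootCA check directly above it uses `!bytes.Equal(caData, e.rootCA)`; writing it as `needsServiceServingCA := len(e.serviceServingCA) > 0 && !bytes.Equal(secret.Data[ServiceServingCASecretKey], e.serviceServingCA)` keeps the two checks parallel and avoids an unnecessary three-way comparison. The exported constant `ServiceServingCASecretKey` added in the first hunk has no doc comment; something like `// ServiceServingCASecretKey is the key under which the service serving CA bundle is stored in service account token secrets.` would meet the Go doc convention, and the `ServiceServingCA` field comment should likewise begin with the field name. As with rootCA, an empty ServiceServingCA appears to leave any previously written `service-ca.crt` entry in place rather than removing it, so if that is intentional it is worth stating in the field comment. generateTokenIfNeeded continues outside the hunk.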
