add the service serving cert signer ca to SA token secret

pkg/cmd/server/origin/run_components.go

@@ -122,10 +122,30 @@ func (c *MasterConfig) RunServiceAccountTokensController(cm *cmapp.CMServer) {
 			glog.Fatalf("Error parsing master ca file for Service Account Token Manager: %s: %v", c.Options.ServiceAccountConfig.MasterCA, err)
 		}
 	}
+	servingServingCABundle := []byte{}
+	if c.Options.ControllerConfig.ServiceServingCert.Signer != nil && len(c.Options.ControllerConfig.ServiceServingCert.Signer.CertFile) > 0 {
+		servingServingCA, err := ioutil.ReadFile(c.Options.ControllerConfig.ServiceServingCert.Signer.CertFile)
+		if err != nil {
+			glog.Fatalf("Error reading ca file for Service Serving Certificate Signer: %s: %v", c.Options.ControllerConfig.ServiceServingCert.Signer.CertFile, err)
+		}
+		if _, err := kcrypto.CertsFromPEM(servingServingCA); err != nil {
+			glog.Fatalf("Error parsing ca file for Service Serving Certificate Signer: %s: %v", c.Options.ControllerConfig.ServiceServingCert.Signer.CertFile, err)
+		}
+
+		// if we have a rootCA bundle add that too.  The rootCA will be used when hitting the default master service, since those are signed
+		// using a different CA by default.  The rootCA's key is more closely guarded than ours and if it is compromised, that power could
+		// be used to change the trusted signers for every pod anyway, so we're already effectively trusting it.
+		if len(rootCA) > 0 {
+			servingServingCABundle = append(servingServingCABundle, rootCA...)
+			servingServingCABundle = append(servingServingCABundle, []byte("\n")...)
+		}
+		servingServingCABundle = append(servingServingCABundle, servingServingCA...)
+	}
 
 	options := sacontroller.TokensControllerOptions{
-		TokenGenerator: serviceaccount.JWTTokenGenerator(privateKey),
-		RootCA:         rootCA,
+		TokenGenerator:   serviceaccount.JWTTokenGenerator(privateKey),
+		RootCA:           rootCA,
+		ServiceServingCA: servingServingCABundle,
 	}
 
 	go sacontroller.NewTokensController(clientadapter.FromUnversionedClient(c.KubeClient()), options).Run(int(cm.ConcurrentSATokenSyncs), utilwait.NeverStop)

test/extended/cmd.sh

@@ -178,7 +178,9 @@ os::cmd::expect_success_and_not_text 'oc status' 'pod\/test-deployment-config-1-
 
 # break mac os
 service_ip=$(oc get service/nginx -o=jsonpath={.spec.clusterIP})
-os::cmd::try_until_success "curl --cacert ${MASTER_CONFIG_DIR}/service-signer.crt --resolve nginx.service-serving-cert-generation.svc:443:${service_ip} https://nginx.service-serving-cert-generation.svc:443"
+os::cmd::try_until_success 'oc run --restart=Never --generator=run-pod/v1 --image=centos centos -- bash -c "curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt https://nginx.service-serving-cert-generation.svc:443"'
+os::cmd::try_until_text 'oc get pods/centos -o jsonpath={.status.phase}' "Succeeded"
+os::cmd::expect_success_and_text 'oc logs pods/centos' "Welcome to nginx"
 os::test::junit::declare_suite_end
 
 os::test::junit::declare_suite_end