
Commit 03758a9

committed
fix(scoped): update scoped client library to handle token secret
In k8s 1.24, the token secret is no longer referenced in the ServiceAccount. By listing all secrets in the namespace and then filtering them by SA name via the kubernetes.io/service-account.name annotation, the token secret can be retrieved successfully. Signed-off-by: Vu Dinh <[email protected]>
1 parent b14f97d commit 03758a9


1 file changed

+28
-13
lines changed


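--- a/pkg/lib/scoped/token_retriever.go
+++ b/pkg/lib/scoped/token_retriever.go
@@ -7,7 +7,6 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -50,29 +49,45 @@ func (r *BearerTokenRetriever) Retrieve(reference *corev1.ObjectReference) (toke
 }
 
 func getAPISecret(logger logrus.FieldLogger, kubeclient operatorclient.ClientInterface, sa *corev1.ServiceAccount) (APISecret *corev1.Secret, err error) {
-	for _, ref := range sa.Secrets {
-		// corev1.ObjectReference only has Name populated.
-		secret, getErr := kubeclient.KubernetesInterface().CoreV1().Secrets(sa.GetNamespace()).Get(context.TODO(), ref.Name, metav1.GetOptions{})
-		if getErr != nil {
-			if apierrors.IsNotFound(getErr) {
-				logger.Warnf("skipping secret %s - %v", ref.Name, getErr)
-				continue
-			}
+	seList, err := kubeclient.KubernetesInterface().CoreV1().Secrets(sa.GetNamespace()).List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		logger.Errorf("unable to retrieve list of secrets in the namespace %s - %v", sa.GetNamespace(), err)
+		return nil, err
+	}
+	secrets := filterSecretsBySAName(sa.Name, seList)
 
-			err = getErr
-			break
+	for _, ref := range sa.Secrets {
+		if _, ok := secrets[ref.Name]; !ok {
+			logger.Warnf("skipping secret %s: secret not found", ref.Name)
+			continue
 		}
+	}
 
+	for _, secret := range secrets {
 		// Validate that this is a token for API access.
 		if !IsServiceAccountToken(secret, sa) {
-			logger.Warnf("skipping secret %s - %v", ref.Name, getErr)
+			logger.Warnf("skipping secret %s: not token secret", secret.Name)
 			continue
 		}
-
 		// The first eligible secret that has an API access token is returned.
 		APISecret = secret
 		break
 	}
 
 	return
 }
+
+// filterSecretsBySAName returna a maps of secrets that are associated with a
+// specific ServiceAccount via annotations kubernetes.io/service-account.name
+func filterSecretsBySAName(saName string, secrets *corev1.SecretList) map[string]*corev1.Secret {
+	secretMap := make(map[string]*corev1.Secret)
+	for _, ref := range secrets.Items {
+		annotations := ref.GetAnnotations()
+		value := annotations[corev1.ServiceAccountNameKey]
+		if value == saName {
+			secretMap[ref.Name] = &ref
+		}
+	}
+
+	return secretMap
+}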
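Review bot: `secretMap[ref.Name] = &ref` at new line 88 of filterSecretsBySAName takes the address of the range variable, so on Go versions before 1.22 (the module's Go version is not visible here) every map entry aliases the same variable and all of them end up pointing at the last element of the list; iterate by index instead, `for i := range secrets.Items {` with `secret := &secrets.Items[i]`, and store `secret`. The loop over `sa.Secrets` at new lines 59-64 only logs, because `continue` is its last statement, so the references no longer influence which secret is chosen; if that is intended, a comment such as `// sa.Secrets is consulted only to report stale references; selection is by annotation below.` would make it clear. Because `secrets` is a map, the `for _, secret := range secrets` loop at line 66 visits candidates in random order, so the "first eligible secret" is nondeterministic whenever more than one token secret carries the annotation for this service account. Listing every secret in the namespace needs `list` on secrets rather than `get` on named ones, which widens the RBAC this component requires and is worth stating in the function comment. The doc comment at line 80 has a typo: `// filterSecretsBySAName returns a map of secrets that are associated with a`.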
