diff --git a/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json b/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json index 71fb5c9b1b9..39b9ab36563 100644 --- a/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json +++ b/staging/src/k8s.io/apiextensions-apiserver/Godeps/Godeps.json @@ -686,6 +686,14 @@ "ImportPath": "golang.org/x/net/websocket", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/cli-runtime/Godeps/Godeps.json b/staging/src/k8s.io/cli-runtime/Godeps/Godeps.json index 133310f134b..e5edf2ebea0 100644 --- a/staging/src/k8s.io/cli-runtime/Godeps/Godeps.json +++ b/staging/src/k8s.io/cli-runtime/Godeps/Godeps.json @@ -142,6 +142,14 @@ "ImportPath": "golang.org/x/net/lex/httplex", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/client-go/rest/BUILD b/staging/src/k8s.io/client-go/rest/BUILD index f45e77618a8..0d95e60cad3 100644 --- a/staging/src/k8s.io/client-go/rest/BUILD +++ b/staging/src/k8s.io/client-go/rest/BUILD @@ -13,6 +13,7 @@ go_test( "config_test.go", "plugin_test.go", "request_test.go", + "token_source_test.go", "url_utils_test.go", "urlbackoff_test.go", ], @@ -41,6 +42,7 @@ go_test( "//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/google/gofuzz:go_default_library", "//vendor/github.com/stretchr/testify/assert:go_default_library", + "//vendor/golang.org/x/oauth2:go_default_library", ], ) @@ -51,6 +53,7 @@ go_library( "config.go", "plugin.go", "request.go", + "token_source.go", "transport.go", "url_utils.go", "urlbackoff.go", @@ -78,6 +81,7 @@ go_library( "//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library", "//vendor/github.com/golang/glog:go_default_library", "//vendor/golang.org/x/net/http2:go_default_library", + "//vendor/golang.org/x/oauth2:go_default_library", ], ) diff --git a/staging/src/k8s.io/client-go/rest/config.go b/staging/src/k8s.io/client-go/rest/config.go index 6700f5b4c8d..87e87905523 100644 --- a/staging/src/k8s.io/client-go/rest/config.go +++ b/staging/src/k8s.io/client-go/rest/config.go @@ -30,7 +30,6 @@ import ( "time" "github.com/golang/glog" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -314,17 +313,23 @@ func DefaultKubernetesUserAgent() string { // running inside a pod running on kubernetes. It will return ErrNotInCluster // if called from a process not running in a kubernetes environment. func InClusterConfig() (*Config, error) { + const ( + tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" + rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + ) host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT") if len(host) == 0 || len(port) == 0 { return nil, ErrNotInCluster } - token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") - if err != nil { + ts := newCachedPathTokenSource(tokenFile) + + if _, err := ts.Token(); err != nil { return nil, err } + tlsClientConfig := TLSClientConfig{} - rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + if _, err := certutil.NewPool(rootCAFile); err != nil { glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err) } else { @@ -334,8 +339,8 @@ func InClusterConfig() (*Config, error) { return &Config{ // TODO: switch to using cluster DNS. Host: "https://" + net.JoinHostPort(host, port), - BearerToken: string(token), TLSClientConfig: tlsClientConfig, + WrapTransport: TokenSourceWrapTransport(ts), }, nil } diff --git a/staging/src/k8s.io/client-go/rest/token_source.go b/staging/src/k8s.io/client-go/rest/token_source.go new file mode 100644 index 00000000000..296b2a0481d --- /dev/null +++ b/staging/src/k8s.io/client-go/rest/token_source.go @@ -0,0 +1,138 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rest + +import ( + "fmt" + "io/ioutil" + "net/http" + "strings" + "sync" + "time" + + "github.com/golang/glog" + "golang.org/x/oauth2" +) + +// TokenSourceWrapTransport returns a WrapTransport that injects bearer tokens +// authentication from an oauth2.TokenSource. +func TokenSourceWrapTransport(ts oauth2.TokenSource) func(http.RoundTripper) http.RoundTripper { + return func(rt http.RoundTripper) http.RoundTripper { + return &tokenSourceTransport{ + base: rt, + ort: &oauth2.Transport{ + Source: ts, + Base: rt, + }, + } + } +} + +func newCachedPathTokenSource(path string) oauth2.TokenSource { + return &cachingTokenSource{ + now: time.Now, + leeway: 1 * time.Minute, + base: &fileTokenSource{ + path: path, + // This period was picked because it is half of the minimum validity + // duration for a token provisioned by they TokenRequest API. This is + // unsophisticated and should induce rotation at a frequency that should + // work with the token volume source. + period: 5 * time.Minute, + }, + } +} + +type tokenSourceTransport struct { + base http.RoundTripper + ort http.RoundTripper +} + +func (tst *tokenSourceTransport) RoundTrip(req *http.Request) (*http.Response, error) { + // This is to allow --token to override other bearer token providers. + if req.Header.Get("Authorization") != "" { + return tst.base.RoundTrip(req) + } + return tst.ort.RoundTrip(req) +} + +type fileTokenSource struct { + path string + period time.Duration +} + +var _ = oauth2.TokenSource(&fileTokenSource{}) + +func (ts *fileTokenSource) Token() (*oauth2.Token, error) { + tokb, err := ioutil.ReadFile(ts.path) + if err != nil { + return nil, fmt.Errorf("failed to read token file %q: %v", ts.path, err) + } + tok := strings.TrimSpace(string(tokb)) + if len(tok) == 0 { + return nil, fmt.Errorf("read empty token from file %q", ts.path) + } + + return &oauth2.Token{ + AccessToken: tok, + Expiry: time.Now().Add(ts.period), + }, nil +} + +type cachingTokenSource struct { + base oauth2.TokenSource + leeway time.Duration + + sync.RWMutex + tok *oauth2.Token + + // for testing + now func() time.Time +} + +var _ = oauth2.TokenSource(&cachingTokenSource{}) + +func (ts *cachingTokenSource) Token() (*oauth2.Token, error) { + now := ts.now() + // fast path + ts.RLock() + tok := ts.tok + ts.RUnlock() + + if tok != nil && tok.Expiry.Add(-1*ts.leeway).After(now) { + return tok, nil + } + + // slow path + ts.Lock() + defer ts.Unlock() + if tok := ts.tok; tok != nil && tok.Expiry.Add(-1*ts.leeway).After(now) { + return tok, nil + } + + tok, err := ts.base.Token() + if err != nil { + if ts.tok == nil { + return nil, err + } + glog.Errorf("Unable to rotate token: %v", err) + return ts.tok, nil + } + + ts.tok = tok + return tok, nil +} diff --git a/staging/src/k8s.io/client-go/rest/token_source_test.go b/staging/src/k8s.io/client-go/rest/token_source_test.go new file mode 100644 index 00000000000..40851f80d71 --- /dev/null +++ b/staging/src/k8s.io/client-go/rest/token_source_test.go @@ -0,0 +1,156 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rest + +import ( + "fmt" + "reflect" + "sync" + "testing" + "time" + + "golang.org/x/oauth2" +) + +type testTokenSource struct { + calls int + tok *oauth2.Token + err error +} + +func (ts *testTokenSource) Token() (*oauth2.Token, error) { + ts.calls++ + return ts.tok, ts.err +} + +func TestCachingTokenSource(t *testing.T) { + start := time.Now() + tokA := &oauth2.Token{ + AccessToken: "a", + Expiry: start.Add(10 * time.Minute), + } + tokB := &oauth2.Token{ + AccessToken: "b", + Expiry: start.Add(20 * time.Minute), + } + tests := []struct { + name string + + tok *oauth2.Token + tsTok *oauth2.Token + tsErr error + wait time.Duration + + wantTok *oauth2.Token + wantErr bool + wantTSCalls int + }{ + { + name: "valid token returned from cache", + tok: tokA, + wantTok: tokA, + }, + { + name: "valid token returned from cache 1 minute before scheduled refresh", + tok: tokA, + wait: 8 * time.Minute, + wantTok: tokA, + }, + { + name: "new token created when cache is empty", + tsTok: tokA, + wantTok: tokA, + wantTSCalls: 1, + }, + { + name: "new token created 1 minute after scheduled refresh", + tok: tokA, + tsTok: tokB, + wait: 10 * time.Minute, + wantTok: tokB, + wantTSCalls: 1, + }, + { + name: "error on create token returns error", + tsErr: fmt.Errorf("error"), + wantErr: true, + wantTSCalls: 1, + }, + } + for _, c := range tests { + t.Run(c.name, func(t *testing.T) { + tts := &testTokenSource{ + tok: c.tsTok, + err: c.tsErr, + } + + ts := &cachingTokenSource{ + base: tts, + tok: c.tok, + leeway: 1 * time.Minute, + now: func() time.Time { return start.Add(c.wait) }, + } + + gotTok, gotErr := ts.Token() + if got, want := gotTok, c.wantTok; !reflect.DeepEqual(got, want) { + t.Errorf("unexpected token:\n\tgot:\t%#v\n\twant:\t%#v", got, want) + } + if got, want := tts.calls, c.wantTSCalls; got != want { + t.Errorf("unexpected number of Token() calls: got %d, want %d", got, want) + } + if gotErr == nil && c.wantErr { + t.Errorf("wanted error but got none") + } + if gotErr != nil && !c.wantErr { + t.Errorf("unexpected error: %v", gotErr) + } + }) + } +} + +func TestCachingTokenSourceRace(t *testing.T) { + for i := 0; i < 100; i++ { + tts := &testTokenSource{ + tok: &oauth2.Token{ + AccessToken: "a", + Expiry: time.Now().Add(1000 * time.Hour), + }, + } + + ts := &cachingTokenSource{ + now: time.Now, + base: tts, + leeway: 1 * time.Minute, + } + + var wg sync.WaitGroup + wg.Add(100) + + for i := 0; i < 100; i++ { + go func() { + defer wg.Done() + if _, err := ts.Token(); err != nil { + t.Fatalf("err: %v", err) + } + }() + } + wg.Wait() + if tts.calls != 1 { + t.Errorf("expected one call to Token() but saw: %d", tts.calls) + } + } +} diff --git a/staging/src/k8s.io/csi-api/Godeps/Godeps.json b/staging/src/k8s.io/csi-api/Godeps/Godeps.json index 0c2d11a7eab..f9cc4e25f1c 100644 --- a/staging/src/k8s.io/csi-api/Godeps/Godeps.json +++ b/staging/src/k8s.io/csi-api/Godeps/Godeps.json @@ -122,6 +122,14 @@ "ImportPath": "golang.org/x/net/lex/httplex", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json b/staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json index a778967fdf3..dee16ad4c33 100644 --- a/staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json +++ b/staging/src/k8s.io/kube-aggregator/Godeps/Godeps.json @@ -370,6 +370,14 @@ "ImportPath": "golang.org/x/net/websocket", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/metrics/Godeps/Godeps.json b/staging/src/k8s.io/metrics/Godeps/Godeps.json index 66c7c984839..8a3032fd29c 100644 --- a/staging/src/k8s.io/metrics/Godeps/Godeps.json +++ b/staging/src/k8s.io/metrics/Godeps/Godeps.json @@ -114,6 +114,14 @@ "ImportPath": "golang.org/x/net/lex/httplex", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json b/staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json index e3c753452c0..8d406dc5b82 100644 --- a/staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json +++ b/staging/src/k8s.io/sample-apiserver/Godeps/Godeps.json @@ -342,6 +342,14 @@ "ImportPath": "golang.org/x/net/websocket", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/sample-cli-plugin/Godeps/Godeps.json b/staging/src/k8s.io/sample-cli-plugin/Godeps/Godeps.json index e17ec100ab1..d2e03dfa074 100644 --- a/staging/src/k8s.io/sample-cli-plugin/Godeps/Godeps.json +++ b/staging/src/k8s.io/sample-cli-plugin/Godeps/Godeps.json @@ -130,6 +130,14 @@ "ImportPath": "golang.org/x/net/lex/httplex", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" diff --git a/staging/src/k8s.io/sample-controller/Godeps/Godeps.json b/staging/src/k8s.io/sample-controller/Godeps/Godeps.json index db59fa5de5e..5100e609c8a 100644 --- a/staging/src/k8s.io/sample-controller/Godeps/Godeps.json +++ b/staging/src/k8s.io/sample-controller/Godeps/Godeps.json @@ -134,6 +134,14 @@ "ImportPath": "golang.org/x/net/lex/httplex", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce"