Clarify KCM --service-account-private-key-file flag documentation and remove legacy token controller warning message.

This commit is contained in:
Emiliano Spinella 2024-09-04 17:06:07 +02:00
parent 746f08a8da
commit 29f23af012
2 changed files with 4 additions and 8 deletions


@ -232,7 +232,7 @@ func Run(ctx context.Context, c *config.CompletedConfig) error {
}
}
clientBuilder, rootClientBuilder := createClientBuilders(logger, c)
clientBuilder, rootClientBuilder := createClientBuilders(c)
saTokenControllerDescriptor := newServiceAccountTokenControllerDescriptor(rootClientBuilder)
@ -869,16 +869,12 @@ func readCA(file string) ([]byte, error) {
}
// createClientBuilders creates clientBuilder and rootClientBuilder from the given configuration
func createClientBuilders(logger klog.Logger, c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
func createClientBuilders(c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
rootClientBuilder = clientbuilder.SimpleControllerClientBuilder{
ClientConfig: c.Kubeconfig,
}
if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials {
if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
// It's possible another controller process is creating the tokens for us.
// If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.
logger.Info("Warning: --use-service-account-credentials was specified without providing a --service-account-private-key-file")
}
clientBuilder = clientbuilder.NewDynamicClientBuilder(
restclient.AnonymousClientConfig(c.Kubeconfig),
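Review bot: Removing the inner `if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0` block also removes the only comment explaining why `createClientBuilders` does not consult the key file on this path, so a reader now sees `UseServiceAccountCredentials` checked and `NewDynamicClientBuilder` built with no hint that the key file is irrelevant here. The flag's own help text in this commit says the key file enables legacy secret-based tokens, so a one-line comment above `clientBuilder = clientbuilder.NewDynamicClientBuilder(` would keep that reasoning visible, e.g. `// --service-account-private-key-file is not consulted here; it only enables legacy secret-based token signing (the dynamic builder presumably obtains tokens another way — confirm).` Dropping the `logger` parameter from the signature looks fine provided no other caller passes it; both `Run` and `createClientBuilders` continue outside the hunk.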


@ -33,7 +33,7 @@ func (o *SAControllerOptions) AddFlags(fs *pflag.FlagSet) {
return
}
fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Enables legacy secret-based tokens when set. Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
fs.Int32Var(&o.ConcurrentSATokenSyncs, "concurrent-serviceaccount-token-syncs", o.ConcurrentSATokenSyncs, "The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load")
fs.StringVar(&o.RootCAFile, "root-ca-file", o.RootCAFile, "If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.")
}
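Review bot: The new help string on the `fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", ...)` line leads with a side effect ("Enables legacy secret-based tokens when set.") before saying what the flag is, which reads as if enabling legacy tokens were the flag's purpose rather than a consequence of setting it. Keeping the description first and stating the effect second makes the operator-facing consequence clearer: `"Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens. Setting this flag also enables the legacy secret-based service account token controller."` Because the flag switches on a legacy token path, being explicit that this is opt-in helps operators who supply a key file for signing alone understand what else they are enabling.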