From 29f23af012a73c9dfabcabd5790f5d38ce7cb2bf Mon Sep 17 00:00:00 2001
From: Emiliano Spinella
Date: Wed, 4 Sep 2024 17:06:07 +0200
Subject: [PATCH] Clarify KCM --service-account-private-key-file flag documentation and remove legacy token controller warning message.
---
 cmd/kube-controller-manager/app/controllermanager.go | 10 +++-------
 .../app/options/serviceaccountcontroller.go | 2 +-
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index 39bdcdc805d..99332e92b9f 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -232,7 +232,7 @@ func Run(ctx context.Context, c *config.CompletedConfig) error {
 		}
 	}
-	clientBuilder, rootClientBuilder := createClientBuilders(logger, c)
+	clientBuilder, rootClientBuilder := createClientBuilders(c)
 	saTokenControllerDescriptor := newServiceAccountTokenControllerDescriptor(rootClientBuilder)
@@ -869,16 +869,12 @@ func readCA(file string) ([]byte, error) {
 }
 // createClientBuilders creates clientBuilder and rootClientBuilder from the given configuration
-func createClientBuilders(logger klog.Logger, c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
+func createClientBuilders(c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
+
 	rootClientBuilder = clientbuilder.SimpleControllerClientBuilder{
 		ClientConfig: c.Kubeconfig,
 	}
 	if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials {
-		if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
-			// It's possible another controller process is creating the tokens for us.
-			// If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.
-			logger.Info("Warning: --use-service-account-credentials was specified without providing a --service-account-private-key-file")
-		}
 		clientBuilder = clientbuilder.NewDynamicClientBuilder(
 			restclient.AnonymousClientConfig(c.Kubeconfig),
diff --git a/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go b/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go
index 571838c5db5..c89b3021a08 100644
--- a/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go
+++ b/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go
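Review bot: Dropping the warning for `--use-service-account-credentials` without `--service-account-private-key-file` leaves no operator-facing signal if the dynamic client builder still ends up waiting on tokens that nobody provisions; the removed comment said that case ends in a timeout and exit, and a silent startup failure is harder to diagnose than a misconfiguration warning. If the key file is genuinely no longer needed by the dynamic builder (e.g. because tokens are obtained from the API server rather than signed with this controller's key), record that where the check used to be, e.g. `// The dynamic client builder obtains tokens from the API server; --service-account-private-key-file only gates the legacy secret-based token controller.` — confirm this against NewDynamicClientBuilder before settling on the wording. Separately, the new signature is followed by an added empty line before `rootClientBuilder = ...`; gofmt tolerates it but it is unidiomatic, so drop it. createClientBuilders continues past the end of the hunk.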
@@ -33,7 +33,7 @@ func (o *SAControllerOptions) AddFlags(fs *pflag.FlagSet) {
 		return
 	}
-	fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
+	fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Enables legacy secret-based tokens when set. Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.Int32Var(&o.ConcurrentSATokenSyncs, "concurrent-serviceaccount-token-syncs", o.ConcurrentSATokenSyncs, "The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load")
 	fs.StringVar(&o.RootCAFile, "root-ca-file", o.RootCAFile, "If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.")
 }
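Review bot: The new help text `Enables legacy secret-based tokens when set.` does not say what is enabled or by which component, which matters because the operator is deciding whether a token-signing private key gets loaded into this process; the commit title names the legacy token controller, so the flag text should too. Suggest `"If set, starts the legacy service account token controller, which signs secret-based service account tokens with this PEM-encoded private RSA or ECDSA key. Leave unset if legacy secret-based tokens are not needed."`. It would also help to state that the key must be the counterpart of the verification key configured on the API server, since a mismatch yields tokens that are issued but rejected — that pairing is inferred from the flag's purpose rather than from this diff, so confirm it before adding. AddFlags starts before the hunk.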