github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #71713 from liggitt/tokenfile-reload

Browse Source 
Plumb token and token file through rest.Config
This commit is contained in:
Kubernetes Prow Robot 2018-12-04 11:41:03 -08:00 committed by GitHub
commit 2bd14ea60e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 71 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
View File

@ -177,6 +177,7 @@ func restConfigFromKubeconfig(configAuthInfo *clientcmdapi.AuthInfo) (*rest.Conf
return nil, err return nil, err
} }
config.BearerToken = string(tokenBytes) config.BearerToken = string(tokenBytes)
config.BearerTokenFile = configAuthInfo.TokenFile
} }
if len(configAuthInfo.Impersonate) > 0 { if len(configAuthInfo.Impersonate) > 0 {
config.Impersonate = rest.ImpersonationConfig{ config.Impersonate = rest.ImpersonationConfig{

4
staging/src/k8s.io/client-go/rest/BUILD
View File

@ -13,7 +13,6 @@ go_test(
"config_test.go", "config_test.go",
"plugin_test.go", "plugin_test.go",
"request_test.go", "request_test.go",
"token_source_test.go",
"url_utils_test.go", "url_utils_test.go",
"urlbackoff_test.go", "urlbackoff_test.go",
], ],
@ -41,7 +40,6 @@ go_test(
"//staging/src/k8s.io/client-go/util/testing:go_default_library", "//staging/src/k8s.io/client-go/util/testing:go_default_library",
"//vendor/github.com/google/gofuzz:go_default_library", "//vendor/github.com/google/gofuzz:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library", "//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/golang.org/x/oauth2:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )
@ -53,7 +51,6 @@ go_library(
"config.go", "config.go",
"plugin.go", "plugin.go",
"request.go", "request.go",
"token_source.go",
"transport.go", "transport.go",
"url_utils.go", "url_utils.go",
"urlbackoff.go", "urlbackoff.go",
@ -80,7 +77,6 @@ go_library(
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library", "//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library",
"//vendor/golang.org/x/net/http2:go_default_library", "//vendor/golang.org/x/net/http2:go_default_library",
"//vendor/golang.org/x/oauth2:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )

26
staging/src/k8s.io/client-go/rest/config.go
View File

@ -70,6 +70,11 @@ type Config struct {
// TODO: demonstrate an OAuth2 compatible client. // TODO: demonstrate an OAuth2 compatible client.
BearerToken string BearerToken string
// Path to a file containing a BearerToken.
// If set, the contents are periodically read.
// The last successfully read value takes precedence over BearerToken.
BearerTokenFile string
// Impersonate is the configuration that RESTClient will use for impersonation. // Impersonate is the configuration that RESTClient will use for impersonation.
Impersonate ImpersonationConfig Impersonate ImpersonationConfig
@ -322,9 +327,8 @@ func InClusterConfig() (*Config, error) {
return nil, ErrNotInCluster return nil, ErrNotInCluster
} }
ts := NewCachedFileTokenSource(tokenFile) token, err := ioutil.ReadFile(tokenFile)
if err != nil {
if _, err := ts.Token(); err != nil {
return nil, err return nil, err
} }
@ -340,7 +344,8 @@ func InClusterConfig() (*Config, error) {
// TODO: switch to using cluster DNS. // TODO: switch to using cluster DNS.
Host: "https://" + net.JoinHostPort(host, port), Host: "https://" + net.JoinHostPort(host, port),
TLSClientConfig: tlsClientConfig, TLSClientConfig: tlsClientConfig,
WrapTransport: TokenSourceWrapTransport(ts), BearerToken: string(token),
BearerTokenFile: tokenFile,
}, nil }, nil
} }
@ -430,12 +435,13 @@ func AnonymousClientConfig(config *Config) *Config {
// CopyConfig returns a copy of the given config // CopyConfig returns a copy of the given config
func CopyConfig(config *Config) *Config { func CopyConfig(config *Config) *Config {
return &Config{ return &Config{
Host: config.Host, Host: config.Host,
APIPath: config.APIPath, APIPath: config.APIPath,
ContentConfig: config.ContentConfig, ContentConfig: config.ContentConfig,
Username: config.Username, Username: config.Username,
Password: config.Password, Password: config.Password,
BearerToken: config.BearerToken, BearerToken: config.BearerToken,
BearerTokenFile: config.BearerTokenFile,
Impersonate: ImpersonationConfig{ Impersonate: ImpersonationConfig{
Groups: config.Impersonate.Groups, Groups: config.Impersonate.Groups,
Extra: config.Impersonate.Extra, Extra: config.Impersonate.Extra,

1
staging/src/k8s.io/client-go/rest/config_test.go
View File

@ -264,6 +264,7 @@ func TestAnonymousConfig(t *testing.T) {
// is added to Config, update AnonymousClientConfig to preserve the field otherwise. // is added to Config, update AnonymousClientConfig to preserve the field otherwise.
expected.Impersonate = ImpersonationConfig{} expected.Impersonate = ImpersonationConfig{}
expected.BearerToken = "" expected.BearerToken = ""
expected.BearerTokenFile = ""
expected.Username = "" expected.Username = ""
expected.Password = "" expected.Password = ""
expected.AuthProvider = nil expected.AuthProvider = nil

7
staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
View File

@ -229,11 +229,12 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
if len(configAuthInfo.Token) > 0 { if len(configAuthInfo.Token) > 0 {
mergedConfig.BearerToken = configAuthInfo.Token mergedConfig.BearerToken = configAuthInfo.Token
} else if len(configAuthInfo.TokenFile) > 0 { } else if len(configAuthInfo.TokenFile) > 0 {
ts := restclient.NewCachedFileTokenSource(configAuthInfo.TokenFile) tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
if _, err := ts.Token(); err != nil { if err != nil {
return nil, err return nil, err
} }
mergedConfig.WrapTransport = restclient.TokenSourceWrapTransport(ts) mergedConfig.BearerToken = string(tokenBytes)
mergedConfig.BearerTokenFile = configAuthInfo.TokenFile
} }
if len(configAuthInfo.Impersonate) > 0 { if len(configAuthInfo.Impersonate) > 0 {
mergedConfig.Impersonate = restclient.ImpersonationConfig{ mergedConfig.Impersonate = restclient.ImpersonationConfig{

15
staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
View File

@ -18,7 +18,6 @@ package clientcmd
import ( import (
"io/ioutil" "io/ioutil"
"net/http"
"os" "os"
"reflect" "reflect"
"strings" "strings"
@ -334,19 +333,7 @@ func TestBasicTokenFile(t *testing.T) {
t.Fatalf("Unexpected error: %v", err) t.Fatalf("Unexpected error: %v", err)
} }
var out *http.Request matchStringArg(token, clientConfig.BearerToken, t)
clientConfig.WrapTransport(fakeTransport(func(req *http.Request) (*http.Response, error) {
out = req
return &http.Response{}, nil
})).RoundTrip(&http.Request{})
matchStringArg(token, strings.TrimPrefix(out.Header.Get("Authorization"), "Bearer "), t)
}
type fakeTransport func(*http.Request) (*http.Response, error)
func (ft fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
return ft(req)
} }
func TestPrecedenceTokenFile(t *testing.T) { func TestPrecedenceTokenFile(t *testing.T) {

4
staging/src/k8s.io/client-go/transport/BUILD
View File

@ -11,9 +11,11 @@ go_test(
srcs = [ srcs = [
"cache_test.go", "cache_test.go",
"round_trippers_test.go", "round_trippers_test.go",
"token_source_test.go",
"transport_test.go", "transport_test.go",
], ],
embed = [":go_default_library"], embed = [":go_default_library"],
deps = ["//vendor/golang.org/x/oauth2:go_default_library"],
) )
go_library( go_library(
@ -22,12 +24,14 @@ go_library(
"cache.go", "cache.go",
"config.go", "config.go",
"round_trippers.go", "round_trippers.go",
"token_source.go",
"transport.go", "transport.go",
], ],
importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/transport", importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/transport",
importpath = "k8s.io/client-go/transport", importpath = "k8s.io/client-go/transport",
deps = [ deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//vendor/golang.org/x/oauth2:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )

7
staging/src/k8s.io/client-go/transport/config.go
View File

@ -39,6 +39,11 @@ type Config struct {
// Bearer token for authentication // Bearer token for authentication
BearerToken string BearerToken string
// Path to a file containing a BearerToken.
// If set, the contents are periodically read.
// The last successfully read value takes precedence over BearerToken.
BearerTokenFile string
// Impersonate is the config that this Config will impersonate using // Impersonate is the config that this Config will impersonate using
Impersonate ImpersonationConfig Impersonate ImpersonationConfig
@ -80,7 +85,7 @@ func (c *Config) HasBasicAuth() bool {
// HasTokenAuth returns whether the configuration has token authentication or not. // HasTokenAuth returns whether the configuration has token authentication or not.
func (c *Config) HasTokenAuth() bool { func (c *Config) HasTokenAuth() bool {
return len(c.BearerToken) != 0 return len(c.BearerToken) != 0 || len(c.BearerTokenFile) != 0
} }
// HasCertAuth returns whether the configuration has certificate authentication or not. // HasCertAuth returns whether the configuration has certificate authentication or not.

39
staging/src/k8s.io/client-go/transport/round_trippers.go
View File

@ -22,6 +22,7 @@ import (
"strings" "strings"
"time" "time"
"golang.org/x/oauth2"
"k8s.io/klog" "k8s.io/klog"
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
@ -44,7 +45,11 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
case config.HasBasicAuth() && config.HasTokenAuth(): case config.HasBasicAuth() && config.HasTokenAuth():
return nil, fmt.Errorf("username/password or bearer token may be set, but not both") return nil, fmt.Errorf("username/password or bearer token may be set, but not both")
case config.HasTokenAuth(): case config.HasTokenAuth():
rt = NewBearerAuthRoundTripper(config.BearerToken, rt) var err error
rt, err = NewBearerAuthWithRefreshRoundTripper(config.BearerToken, config.BearerTokenFile, rt)
if err != nil {
return nil, err
}
case config.HasBasicAuth(): case config.HasBasicAuth():
rt = NewBasicAuthRoundTripper(config.Username, config.Password, rt) rt = NewBasicAuthRoundTripper(config.Username, config.Password, rt)
} }
@ -265,13 +270,35 @@ func (rt *impersonatingRoundTripper) WrappedRoundTripper() http.RoundTripper { r
type bearerAuthRoundTripper struct { type bearerAuthRoundTripper struct {
bearer string bearer string
source oauth2.TokenSource
rt http.RoundTripper rt http.RoundTripper
} }
// NewBearerAuthRoundTripper adds the provided bearer token to a request // NewBearerAuthRoundTripper adds the provided bearer token to a request
// unless the authorization header has already been set. // unless the authorization header has already been set.
func NewBearerAuthRoundTripper(bearer string, rt http.RoundTripper) http.RoundTripper { func NewBearerAuthRoundTripper(bearer string, rt http.RoundTripper) http.RoundTripper {
return &bearerAuthRoundTripper{bearer, rt} return &bearerAuthRoundTripper{bearer, nil, rt}
}
// NewBearerAuthRoundTripper adds the provided bearer token to a request
// unless the authorization header has already been set.
// If tokenFile is non-empty, it is periodically read,
// and the last successfully read content is used as the bearer token.
// If tokenFile is non-empty and bearer is empty, the tokenFile is read
// immediately to populate the initial bearer token.
func NewBearerAuthWithRefreshRoundTripper(bearer string, tokenFile string, rt http.RoundTripper) (http.RoundTripper, error) {
if len(tokenFile) == 0 {
return &bearerAuthRoundTripper{bearer, nil, rt}, nil
}
source := NewCachedFileTokenSource(tokenFile)
if len(bearer) == 0 {
token, err := source.Token()
if err != nil {
return nil, err
}
bearer = token.AccessToken
}
return &bearerAuthRoundTripper{bearer, source, rt}, nil
} }
func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
@ -280,7 +307,13 @@ func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response,
} }
req = utilnet.CloneRequest(req) req = utilnet.CloneRequest(req)
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", rt.bearer)) token := rt.bearer
if rt.source != nil {
if refreshedToken, err := rt.source.Token(); err == nil {
token = refreshedToken.AccessToken
}
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
return rt.rt.RoundTrip(req) return rt.rt.RoundTrip(req)
} }

2
staging/src/k8s.io/client-go/rest/token_source.go → staging/src/k8s.io/client-go/transport/token_source.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package rest package transport
import ( import (
"fmt" "fmt"

2
staging/src/k8s.io/client-go/rest/token_source_test.go → staging/src/k8s.io/client-go/transport/token_source_test.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package rest package transport
import ( import (
"fmt" "fmt"