mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-06 10:43:56 +00:00
update token authn constructor
This commit is contained in:
zuoxiu.jm
parent
e4a8ad49ee
commit
38ddb4413a
@ -524,7 +524,7 @@ func buildGenericConfig(
|
|||||||
}
|
}
|
||||||
serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
|
serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
|
||||||
|
|
||||||
genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, sharedInformers)
|
genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
lastErr = fmt.Errorf("invalid authentication config: %v", err)
|
lastErr = fmt.Errorf("invalid authentication config: %v", err)
|
||||||
return
|
return
|
||||||
@ -625,13 +625,13 @@ func BuildAdmissionPluginInitializers(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// BuildAuthenticator constructs the authenticator
|
// BuildAuthenticator constructs the authenticator
|
||||||
func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
|
func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
|
||||||
authenticatorConfig := s.Authentication.ToAuthenticationConfig()
|
authenticatorConfig := s.Authentication.ToAuthenticationConfig()
|
||||||
if s.Authentication.ServiceAccounts.Lookup {
|
if s.Authentication.ServiceAccounts.Lookup {
|
||||||
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
|
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
|
||||||
}
|
}
|
||||||
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
|
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
|
||||||
sharedInformers.Core().InternalVersion().Secrets().Lister().Secrets(v1.NamespaceSystem),
|
versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),
|
||||||
)
|
)
|
||||||
|
|
||||||
return authenticatorConfig.New()
|
return authenticatorConfig.New()
|
||||||
|
|||||||
@ -24,24 +24,24 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
||||||
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
||||||
bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
|
bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
|
||||||
"k8s.io/kubernetes/test/integration"
|
"k8s.io/kubernetes/test/integration"
|
||||||
"k8s.io/kubernetes/test/integration/framework"
|
"k8s.io/kubernetes/test/integration/framework"
|
||||||
)
|
)
|
||||||
|
|
||||||
type bootstrapSecrets []*api.Secret
|
type bootstrapSecrets []*corev1.Secret
|
||||||
|
|
||||||
func (b bootstrapSecrets) List(selector labels.Selector) (ret []*api.Secret, err error) {
|
func (b bootstrapSecrets) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
|
||||||
return b, nil
|
return b, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b bootstrapSecrets) Get(name string) (*api.Secret, error) {
|
func (b bootstrapSecrets) Get(name string) (*corev1.Secret, error) {
|
||||||
return b[0], nil
|
return b[0], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -55,36 +55,36 @@ func TestBootstrapTokenAuth(t *testing.T) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error: %v", err)
|
t.Fatalf("unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
var bootstrapSecretValid = &api.Secret{
|
var bootstrapSecretValid = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
|
bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
|
||||||
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
var bootstrapSecretInvalid = &api.Secret{
|
var bootstrapSecretInvalid = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
||||||
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
var expiredBootstrapToken = &api.Secret{
|
var expiredBootstrapToken = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
||||||
@ -101,7 +101,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
request request
|
request request
|
||||||
secret *api.Secret
|
secret *corev1.Secret
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "valid token",
|
name: "valid token",
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user