add ca to token controller and all service accounts

This commit is contained in:
Mike Danese
2015-06-23 15:43:59 -07:00
parent befe545033
commit 56bde3342a
10 changed files with 55 additions and 17 deletions


@@ -1998,6 +1998,8 @@ const (
ServiceAccountTokenKey = "token"
// ServiceAccountKubeconfigKey is the key of the optional kubeconfig data for SecretTypeServiceAccountToken secrets
ServiceAccountKubeconfigKey = "kubernetes.kubeconfig"
// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets
ServiceAccountRootCAKey = "ca.crt"
// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg
//


@@ -1894,6 +1894,8 @@ const (
ServiceAccountTokenKey = "token"
// ServiceAccountKubeconfigKey is the key of the optional kubeconfig data for SecretTypeServiceAccountToken secrets
ServiceAccountKubeconfigKey = "kubernetes.kubeconfig"
// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets
ServiceAccountRootCAKey = "ca.crt"
// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg
//


@@ -1900,6 +1900,8 @@ const (
ServiceAccountTokenKey = "token"
// ServiceAccountKubeconfigKey is the key of the optional kubeconfig data for SecretTypeServiceAccountToken secrets
ServiceAccountKubeconfigKey = "kubernetes.kubeconfig"
// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets
ServiceAccountRootCAKey = "ca.crt"
// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg
//


@@ -44,11 +44,8 @@ type TokensControllerOptions struct {
// SecretResync is the time.Duration at which to fully re-list secrets.
// If zero, re-list will be delayed as long as possible
SecretResync time.Duration
}
// DefaultTokenControllerOptions returns
func DefaultTokenControllerOptions(tokenGenerator TokenGenerator) TokensControllerOptions {
return TokensControllerOptions{TokenGenerator: tokenGenerator}
// This CA will be added in the secretes of service accounts
RootCA []byte
}
// NewTokensController returns a new *TokensController.
@@ -56,6 +53,7 @@ func NewTokensController(cl client.Interface, options TokensControllerOptions) *
e := &TokensController{
client: cl,
token: options.TokenGenerator,
rootCA: options.RootCA,
}
e.serviceAccounts, e.serviceAccountController = framework.NewIndexerInformer(
@@ -110,6 +108,8 @@ type TokensController struct {
client client.Interface
token TokenGenerator
rootCA []byte
serviceAccounts cache.Indexer
secrets cache.Indexer
@@ -293,6 +293,9 @@ func (e *TokensController) createSecret(serviceAccount *api.ServiceAccount) erro
return err
}
secret.Data[api.ServiceAccountTokenKey] = []byte(token)
if e.rootCA != nil && len(e.rootCA) > 0 {
secret.Data[api.ServiceAccountRootCAKey] = e.rootCA
}
// Save the secret
if _, err := e.client.Secrets(serviceAccount.Namespace).Create(secret); err != nil {
@@ -337,6 +340,9 @@ func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAcco
if ok && len(tokenData) > 0 {
return nil
}
if e.rootCA != nil && len(e.rootCA) > 0 {
secret.Data[api.ServiceAccountRootCAKey] = e.rootCA
}
// Generate the token
token, err := e.token.GenerateToken(*serviceAccount, *secret)
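Review bot: In generateTokenIfNeeded the ca.crt entry is written only after the early return on the token check, so a secret that already holds a token (one created before this change) never receives the CA; if every service-account secret is meant to carry it, the `if len(e.rootCA) > 0 {` block should precede `if ok && len(tokenData) > 0 { return nil }` and the function should then persist the secret when it added the key. The guard in both createSecret and generateTokenIfNeeded can drop the redundant nil test, since len of a nil slice is 0: `if len(e.rootCA) > 0 {`. Both sites also store e.rootCA itself in secret.Data, so every secret shares one backing array with the controller; `secret.Data[api.ServiceAccountRootCAKey] = append([]byte(nil), e.rootCA...)` would isolate them. The comment on the new RootCA option field misspells "secrets" (`// This CA will be added in the secretes of service accounts`). generateTokenIfNeeded begins outside the hunk, so whether its update path saves the secret after this block cannot be confirmed here.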


@@ -378,7 +378,7 @@ func TestTokenCreation(t *testing.T) {
client := testclient.NewSimpleFake(tc.ClientObjects...)
controller := NewTokensController(client, DefaultTokenControllerOptions(generator))
controller := NewTokensController(client, TokensControllerOptions{TokenGenerator: generator})
// Tell the token controller whether its stores have been synced
controller.serviceAccountsSynced = func() bool { return !tc.ServiceAccountsSyncPending }


@@ -123,16 +123,16 @@ func certificatesFromFile(file string) ([]*x509.Certificate, error) {
if err != nil {
return nil, err
}
certs, err := certsFromPEM(pemBlock)
certs, err := CertsFromPEM(pemBlock)
if err != nil {
return nil, fmt.Errorf("error reading %s: %s", file, err)
}
return certs, nil
}
// certsFromPEM returns the x509.Certificates contained in the given PEM-encoded byte array
// CertsFromPEM returns the x509.Certificates contained in the given PEM-encoded byte array
// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
func certsFromPEM(pemCerts []byte) ([]*x509.Certificate, error) {
func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error) {
ok := false
certs := []*x509.Certificate{}
for len(pemCerts) > 0 {