github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-09 12:07:47 +00:00
Code Issues Projects Releases Wiki Activity

Wire bootstrap token authn secret lister only when it is enabled

Browse Source 
Signed-off-by: Monis Khan <mok@microsoft.com>
This commit is contained in:
Monis Khan 2023-03-17 11:06:30 -04:00
parent 8b2dae57d4
commit 94f2d35164
No known key found for this signature in database
2 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/kubeapiserver/authenticator/config.go
View File

@ -142,12 +142,11 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
}
tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
}
if config.BootstrapToken {
if config.BootstrapTokenAuthenticator != nil {
// TODO: This can sometimes be nil because of
if config.BootstrapToken && config.BootstrapTokenAuthenticator != nil {
tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))
}
}
// NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
//
// Because both plugins verify JWTs whichever comes first in the union experiences

2
pkg/kubeapiserver/options/authentication.go
View File

@ -485,9 +485,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
)
authenticatorConfig.SecretsWriter = extclient.CoreV1()
if authenticatorConfig.BootstrapToken {
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
versionedInformer.Core().V1().Secrets().Lister().Secrets(metav1.NamespaceSystem),
)
}
if egressSelector != nil {
egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())