From a15b22cd9892388f59053c153668402875c95ded Mon Sep 17 00:00:00 2001
From: Mangirdas Judeikis
Date: Mon, 1 Jul 2024 18:09:46 +0300
Subject: [PATCH] wire in optional tokenGetter provider

---
 pkg/kubeapiserver/options/authentication.go | 38 ++++++++++++++++-----
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 7e54bed46a1..a0e64fa3e45 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -132,6 +132,9 @@ type ServiceAccountAuthenticationOptions struct {
 	JWKSURI string
 	MaxExpiration time.Duration
 	ExtendExpiration bool
+	// OptionalTokenGetter is a function that returns a service account token getter.
+	// If not set, the default token getter will be used.
+	OptionalTokenGetter func(factory informers.SharedInformerFactory) serviceaccount.ServiceAccountTokenGetter
 }
 
 // TokenFileAuthenticationOptions contains token file authentication options for API Server
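Review bot: The doc comment on the new `OptionalTokenGetter` field does not state the contract a replacement getter has to honour, which matters because the getter is what backs the authenticator's existence checks on the referenced secret, service account and pod (and the node, when node-binding validation is gated on) — a getter that answers from a looser source weakens token revocation without any other code noticing. I would extend the comment along the lines of `// The returned getter must provide the same existence/lookup semantics as the default one built from the API client and informer listers; it is consulted on every token validation, so a permissive implementation disables revocation on secret/SA/pod deletion.` It would also be worth saying that the factory is shared with the rest of the server, so any informers the getter needs must be requested from it before it is started — I infer that from the default path's use of the same factory's listers, so please confirm against where the factory is started.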
@@ -207,7 +210,20 @@ func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticatio
 
 // WithServiceAccounts set default value for service account authentication
 func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
-	o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true, ExtendExpiration: true}
+	if o.ServiceAccounts == nil {
+		o.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
+	}
+	o.ServiceAccounts.Lookup = true
+	o.ServiceAccounts.ExtendExpiration = true
+	return o
+}
+
+// WithTokenGetterFunction set optional service account token getter function
+func (o *BuiltInAuthenticationOptions) WithTokenGetterFunction(f func(factory informers.SharedInformerFactory) serviceaccount.ServiceAccountTokenGetter) *BuiltInAuthenticationOptions {
+	if o.ServiceAccounts == nil {
+		o.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
+	}
+	o.ServiceAccounts.OptionalTokenGetter = f
 	return o
 }
 
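Review bot: `WithServiceAccounts` now mutates an existing `ServiceAccounts` struct instead of replacing it, so any field a caller set earlier (including `OptionalTokenGetter` via the new builder) survives — that is presumably the point, but it is a behaviour change from the old assignment that reset every other field, and the comment still reads as if it only sets defaults. I would make the comment say so explicitly: `// WithServiceAccounts enables service account authentication with Lookup and ExtendExpiration on, creating the options struct if needed and preserving any other fields already set (e.g. by WithTokenGetterFunction).` Same for the new builder: `// WithTokenGetterFunction sets an optional token getter constructor used in place of the default lister-backed getter; it can be called before or after WithServiceAccounts.` A small wording fix either way: "set" should be "sets" in both comments.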
@@ -673,13 +689,19 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(
 		if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountTokenNodeBindingValidation) {
 			nodeLister = versionedInformer.Core().V1().Nodes().Lister()
 		}
-		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(
-			extclient,
-			versionedInformer.Core().V1().Secrets().Lister(),
-			versionedInformer.Core().V1().ServiceAccounts().Lister(),
-			versionedInformer.Core().V1().Pods().Lister(),
-			nodeLister,
-		)
+
+		// If the optional token getter function is set, use it. Otherwise, use the default token getter.
+		if o.ServiceAccounts.OptionalTokenGetter != nil {
+			authenticatorConfig.ServiceAccountTokenGetter = o.ServiceAccounts.OptionalTokenGetter(versionedInformer)
+		} else {
+			authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(
+				extclient,
+				versionedInformer.Core().V1().Secrets().Lister(),
+				versionedInformer.Core().V1().ServiceAccounts().Lister(),
+				versionedInformer.Core().V1().Pods().Lister(),
+				nodeLister,
+			)
+		}
 		authenticatorConfig.SecretsWriter = extclient.CoreV1()
 
 		if authenticatorConfig.BootstrapToken {
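Review bot: When `OptionalTokenGetter` is set, the `ServiceAccountTokenNodeBindingValidation` handling just above it is silently bypassed — `nodeLister` is computed and then never handed to the custom getter, and `extclient` is not passed either, so whether node-bound tokens are still validated against a live node depends entirely on what the plug-in does with the factory it receives. Since the default branch deliberately wires the node lister only under that feature gate, I would at least note the gap at the call site: `// NOTE: a custom getter receives only the informer factory; it is responsible for honouring the node-binding validation that the default getter gets via nodeLister.` The custom branch also stores the result unchecked; a nil return would leave `ServiceAccountTokenGetter` unset, so a guard such as `if authenticatorConfig.ServiceAccountTokenGetter == nil { return fmt.Errorf("service account token getter returned nil") }` is worth adding, assuming ApplyTo returns an error (its signature is outside the hunk). `ApplyTo` starts before and continues after this hunk, and I am assuming the surrounding (not shown) condition already guarantees `o.ServiceAccounts` is non-nil here.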