github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-10 04:27:54 +00:00
Code Issues Projects Releases Wiki Activity

wire in optional tokenGetter provider

Browse Source
This commit is contained in:
Mangirdas Judeikis 2024-07-01 18:09:46 +03:00
parent d902351c99
commit a15b22cd98
1 changed files with 30 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
pkg/kubeapiserver/options/authentication.go
View File

@ -132,6 +132,9 @@ type ServiceAccountAuthenticationOptions struct {
JWKSURI string JWKSURI string
MaxExpiration time.Duration MaxExpiration time.Duration
ExtendExpiration bool ExtendExpiration bool
// OptionalTokenGetter is a function that returns a service account token getter.
// If not set, the default token getter will be used.
OptionalTokenGetter func(factory informers.SharedInformerFactory) serviceaccount.ServiceAccountTokenGetter
} }
// TokenFileAuthenticationOptions contains token file authentication options for API Server // TokenFileAuthenticationOptions contains token file authentication options for API Server
@ -207,7 +210,20 @@ func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticatio
// WithServiceAccounts set default value for service account authentication // WithServiceAccounts set default value for service account authentication
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true, ExtendExpiration: true} if o.ServiceAccounts == nil {
o.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
}
o.ServiceAccounts.Lookup = true
o.ServiceAccounts.ExtendExpiration = true
return o
}
// WithTokenGetterFunction set optional service account token getter function
func (o *BuiltInAuthenticationOptions) WithTokenGetterFunction(f func(factory informers.SharedInformerFactory) serviceaccount.ServiceAccountTokenGetter) *BuiltInAuthenticationOptions {
if o.ServiceAccounts == nil {
o.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
}
o.ServiceAccounts.OptionalTokenGetter = f
return o return o
} }
@ -673,13 +689,19 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(
if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountTokenNodeBindingValidation) { if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountTokenNodeBindingValidation) {
nodeLister = versionedInformer.Core().V1().Nodes().Lister() nodeLister = versionedInformer.Core().V1().Nodes().Lister()
} }
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(
extclient, // If the optional token getter function is set, use it. Otherwise, use the default token getter.
versionedInformer.Core().V1().Secrets().Lister(), if o.ServiceAccounts.OptionalTokenGetter != nil {
versionedInformer.Core().V1().ServiceAccounts().Lister(), authenticatorConfig.ServiceAccountTokenGetter = o.ServiceAccounts.OptionalTokenGetter(versionedInformer)
versionedInformer.Core().V1().Pods().Lister(), } else {
nodeLister, authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(
) extclient,
versionedInformer.Core().V1().Secrets().Lister(),
versionedInformer.Core().V1().ServiceAccounts().Lister(),
versionedInformer.Core().V1().Pods().Lister(),
nodeLister,
)
}
authenticatorConfig.SecretsWriter = extclient.CoreV1() authenticatorConfig.SecretsWriter = extclient.CoreV1()
if authenticatorConfig.BootstrapToken { if authenticatorConfig.BootstrapToken {