mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
Merge pull request #70174 from yue9944882/chore/switch-token-authn-informer
Switch bootstrap token authenticator informer to external types
This commit is contained in:
commit
d5d8421e63
@ -524,7 +524,7 @@ func buildGenericConfig(
|
|||||||
}
|
}
|
||||||
serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
|
serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
|
||||||
|
|
||||||
genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, sharedInformers)
|
genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
lastErr = fmt.Errorf("invalid authentication config: %v", err)
|
lastErr = fmt.Errorf("invalid authentication config: %v", err)
|
||||||
return
|
return
|
||||||
@ -625,13 +625,13 @@ func BuildAdmissionPluginInitializers(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// BuildAuthenticator constructs the authenticator
|
// BuildAuthenticator constructs the authenticator
|
||||||
func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
|
func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
|
||||||
authenticatorConfig := s.Authentication.ToAuthenticationConfig()
|
authenticatorConfig := s.Authentication.ToAuthenticationConfig()
|
||||||
if s.Authentication.ServiceAccounts.Lookup {
|
if s.Authentication.ServiceAccounts.Lookup {
|
||||||
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
|
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
|
||||||
}
|
}
|
||||||
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
|
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
|
||||||
sharedInformers.Core().InternalVersion().Secrets().Lister().Secrets(v1.NamespaceSystem),
|
versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),
|
||||||
)
|
)
|
||||||
|
|
||||||
return authenticatorConfig.New()
|
return authenticatorConfig.New()
|
||||||
|
@ -11,7 +11,7 @@ go_test(
|
|||||||
srcs = ["bootstrap_test.go"],
|
srcs = ["bootstrap_test.go"],
|
||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||||
@ -26,12 +26,12 @@ go_library(
|
|||||||
srcs = ["bootstrap.go"],
|
srcs = ["bootstrap.go"],
|
||||||
importpath = "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap",
|
importpath = "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//pkg/client/listers/core/internalversion:go_default_library",
|
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||||
|
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
|
"//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
|
||||||
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
|
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
|
||||||
"//vendor/github.com/golang/glog:go_default_library",
|
"//vendor/github.com/golang/glog:go_default_library",
|
||||||
|
@ -29,14 +29,14 @@ import (
|
|||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
|
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||||
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
||||||
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// TODO: A few methods in this package is copied from other sources. Either
|
// TODO: A few methods in this package is copied from other sources. Either
|
||||||
@ -46,13 +46,13 @@ import (
|
|||||||
// NewTokenAuthenticator initializes a bootstrap token authenticator.
|
// NewTokenAuthenticator initializes a bootstrap token authenticator.
|
||||||
//
|
//
|
||||||
// Lister is expected to be for the "kube-system" namespace.
|
// Lister is expected to be for the "kube-system" namespace.
|
||||||
func NewTokenAuthenticator(lister internalversion.SecretNamespaceLister) *TokenAuthenticator {
|
func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator {
|
||||||
return &TokenAuthenticator{lister}
|
return &TokenAuthenticator{lister}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
|
// TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
|
||||||
type TokenAuthenticator struct {
|
type TokenAuthenticator struct {
|
||||||
lister internalversion.SecretNamespaceLister
|
lister corev1listers.SecretNamespaceLister
|
||||||
}
|
}
|
||||||
|
|
||||||
// tokenErrorf prints a error message for a secret that has matched a bearer
|
// tokenErrorf prints a error message for a secret that has matched a bearer
|
||||||
@ -60,7 +60,7 @@ type TokenAuthenticator struct {
|
|||||||
//
|
//
|
||||||
// tokenErrorf(secret, "has invalid value for key %s", key)
|
// tokenErrorf(secret, "has invalid value for key %s", key)
|
||||||
//
|
//
|
||||||
func tokenErrorf(s *api.Secret, format string, i ...interface{}) {
|
func tokenErrorf(s *corev1.Secret, format string, i ...interface{}) {
|
||||||
format = fmt.Sprintf("Bootstrap secret %s/%s matching bearer token ", s.Namespace, s.Name) + format
|
format = fmt.Sprintf("Bootstrap secret %s/%s matching bearer token ", s.Namespace, s.Name) + format
|
||||||
glog.V(3).Infof(format, i...)
|
glog.V(3).Infof(format, i...)
|
||||||
}
|
}
|
||||||
@ -155,7 +155,7 @@ func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Copied from k8s.io/cluster-bootstrap/token/api
|
// Copied from k8s.io/cluster-bootstrap/token/api
|
||||||
func getSecretString(secret *api.Secret, key string) string {
|
func getSecretString(secret *corev1.Secret, key string) string {
|
||||||
data, ok := secret.Data[key]
|
data, ok := secret.Data[key]
|
||||||
if !ok {
|
if !ok {
|
||||||
return ""
|
return ""
|
||||||
@ -165,7 +165,7 @@ func getSecretString(secret *api.Secret, key string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Copied from k8s.io/cluster-bootstrap/token/api
|
// Copied from k8s.io/cluster-bootstrap/token/api
|
||||||
func isSecretExpired(secret *api.Secret) bool {
|
func isSecretExpired(secret *corev1.Secret) bool {
|
||||||
expiration := getSecretString(secret, bootstrapapi.BootstrapTokenExpirationKey)
|
expiration := getSecretString(secret, bootstrapapi.BootstrapTokenExpirationKey)
|
||||||
if len(expiration) > 0 {
|
if len(expiration) > 0 {
|
||||||
expTime, err2 := time.Parse(time.RFC3339, expiration)
|
expTime, err2 := time.Parse(time.RFC3339, expiration)
|
||||||
@ -205,7 +205,7 @@ func parseToken(s string) (string, string, error) {
|
|||||||
// getGroups loads and validates the bootstrapapi.BootstrapTokenExtraGroupsKey
|
// getGroups loads and validates the bootstrapapi.BootstrapTokenExtraGroupsKey
|
||||||
// key from the bootstrap token secret, returning a list of group names or an
|
// key from the bootstrap token secret, returning a list of group names or an
|
||||||
// error if any of the group names are invalid.
|
// error if any of the group names are invalid.
|
||||||
func getGroups(secret *api.Secret) ([]string, error) {
|
func getGroups(secret *corev1.Secret) ([]string, error) {
|
||||||
// always include the default group
|
// always include the default group
|
||||||
groups := sets.NewString(bootstrapapi.BootstrapDefaultGroup)
|
groups := sets.NewString(bootstrapapi.BootstrapDefaultGroup)
|
||||||
|
|
||||||
|
@ -21,24 +21,24 @@ import (
|
|||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type lister struct {
|
type lister struct {
|
||||||
secrets []*api.Secret
|
secrets []*corev1.Secret
|
||||||
}
|
}
|
||||||
|
|
||||||
func (l *lister) List(selector labels.Selector) (ret []*api.Secret, err error) {
|
func (l *lister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
|
||||||
return l.secrets, nil
|
return l.secrets, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (l *lister) Get(name string) (*api.Secret, error) {
|
func (l *lister) Get(name string) (*corev1.Secret, error) {
|
||||||
for _, s := range l.secrets {
|
for _, s := range l.secrets {
|
||||||
if s.Name == name {
|
if s.Name == name {
|
||||||
return s, nil
|
return s, nil
|
||||||
@ -58,7 +58,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
|
||||||
secrets []*api.Secret
|
secrets []*corev1.Secret
|
||||||
token string
|
token string
|
||||||
|
|
||||||
wantNotFound bool
|
wantNotFound bool
|
||||||
@ -66,7 +66,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "valid token",
|
name: "valid token",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -87,7 +87,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "valid token with extra group",
|
name: "valid token with extra group",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -109,7 +109,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid group",
|
name: "invalid group",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -128,7 +128,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid secret name",
|
name: "invalid secret name",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "bad-name",
|
Name: "bad-name",
|
||||||
@ -146,7 +146,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "no usage",
|
name: "no usage",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -163,7 +163,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "wrong token",
|
name: "wrong token",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -181,7 +181,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "deleted token",
|
name: "deleted token",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -200,7 +200,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "expired token",
|
name: "expired token",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -219,7 +219,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "not expired token",
|
name: "not expired token",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
|
||||||
@ -241,7 +241,7 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "token id wrong length",
|
name: "token id wrong length",
|
||||||
secrets: []*api.Secret{
|
secrets: []*corev1.Secret{
|
||||||
{
|
{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix + "foo",
|
Name: bootstrapapi.BootstrapTokenSecretPrefix + "foo",
|
||||||
@ -292,13 +292,13 @@ func TestTokenAuthenticator(t *testing.T) {
|
|||||||
func TestGetGroups(t *testing.T) {
|
func TestGetGroups(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
secret *api.Secret
|
secret *corev1.Secret
|
||||||
expectResult []string
|
expectResult []string
|
||||||
expectError bool
|
expectError bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "not set",
|
name: "not set",
|
||||||
secret: &api.Secret{
|
secret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
||||||
Data: map[string][]byte{},
|
Data: map[string][]byte{},
|
||||||
},
|
},
|
||||||
@ -306,7 +306,7 @@ func TestGetGroups(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "set to empty value",
|
name: "set to empty value",
|
||||||
secret: &api.Secret{
|
secret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte(""),
|
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte(""),
|
||||||
@ -316,7 +316,7 @@ func TestGetGroups(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid prefix",
|
name: "invalid prefix",
|
||||||
secret: &api.Secret{
|
secret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("foo"),
|
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("foo"),
|
||||||
@ -326,7 +326,7 @@ func TestGetGroups(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "valid",
|
name: "valid",
|
||||||
secret: &api.Secret{
|
secret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
ObjectMeta: metav1.ObjectMeta{Name: "test"},
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("system:bootstrappers:foo,system:bootstrappers:bar,system:bootstrappers:bar"),
|
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("system:bootstrappers:foo,system:bootstrappers:bar,system:bootstrappers:bar"),
|
||||||
|
@ -4996,6 +4996,10 @@ const (
|
|||||||
TLSCertKey = "tls.crt"
|
TLSCertKey = "tls.crt"
|
||||||
// TLSPrivateKeyKey is the key for the private key field in a TLS secret.
|
// TLSPrivateKeyKey is the key for the private key field in a TLS secret.
|
||||||
TLSPrivateKeyKey = "tls.key"
|
TLSPrivateKeyKey = "tls.key"
|
||||||
|
// SecretTypeBootstrapToken is used during the automated bootstrap process (first
|
||||||
|
// implemented by kubeadm). It stores tokens that are used to sign well known
|
||||||
|
// ConfigMaps. They are used for authn.
|
||||||
|
SecretTypeBootstrapToken SecretType = "bootstrap.kubernetes.io/token"
|
||||||
)
|
)
|
||||||
|
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
|
@ -24,24 +24,24 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
||||||
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
||||||
bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
|
bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
|
||||||
"k8s.io/kubernetes/test/integration"
|
"k8s.io/kubernetes/test/integration"
|
||||||
"k8s.io/kubernetes/test/integration/framework"
|
"k8s.io/kubernetes/test/integration/framework"
|
||||||
)
|
)
|
||||||
|
|
||||||
type bootstrapSecrets []*api.Secret
|
type bootstrapSecrets []*corev1.Secret
|
||||||
|
|
||||||
func (b bootstrapSecrets) List(selector labels.Selector) (ret []*api.Secret, err error) {
|
func (b bootstrapSecrets) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
|
||||||
return b, nil
|
return b, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b bootstrapSecrets) Get(name string) (*api.Secret, error) {
|
func (b bootstrapSecrets) Get(name string) (*corev1.Secret, error) {
|
||||||
return b[0], nil
|
return b[0], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -55,36 +55,36 @@ func TestBootstrapTokenAuth(t *testing.T) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unexpected error: %v", err)
|
t.Fatalf("unexpected error: %v", err)
|
||||||
}
|
}
|
||||||
var bootstrapSecretValid = &api.Secret{
|
var bootstrapSecretValid = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
|
bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
|
||||||
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
var bootstrapSecretInvalid = &api.Secret{
|
var bootstrapSecretInvalid = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
||||||
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
var expiredBootstrapToken = &api.Secret{
|
var expiredBootstrapToken = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: metav1.NamespaceSystem,
|
Namespace: metav1.NamespaceSystem,
|
||||||
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
Name: bootstrapapi.BootstrapTokenSecretPrefix,
|
||||||
},
|
},
|
||||||
Type: api.SecretTypeBootstrapToken,
|
Type: corev1.SecretTypeBootstrapToken,
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
|
||||||
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
|
||||||
@ -101,7 +101,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
request request
|
request request
|
||||||
secret *api.Secret
|
secret *corev1.Secret
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "valid token",
|
name: "valid token",
|
||||||
|
Loading…
Reference in New Issue
Block a user