github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Add service account token and annotation to v1 CredentialProviderRequest

Browse Source 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
This commit is contained in:
Anish Ramasekar 2024-10-25 12:59:51 -07:00
parent ba2eecca0d
commit dd7b9f6171
No known key found for this signature in database
GPG Key ID: E96F745A34A409C2
9 changed files with 109 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/types.go
View File

@ -32,6 +32,17 @@ type CredentialProviderRequest struct {
// credential provider plugin request. Plugins may optionally parse the image
// to extract any information required to fetch credentials.
Image string
// serviceAccountToken is the service account token bound to the pod for which
// the image is being pulled. This token is only sent to the plugin if the
// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential provider configuration.
ServiceAccountToken string
// serviceAccountAnnotations is a map of annotations on the service account bound to the
// pod for which the image is being pulled. The list of annotations in the service account
// that need to be passed to the plugin is configured in the kubelet's credential provider
// configuration.
ServiceAccountAnnotations map[string]string
}
type PluginCacheKeyType string

12
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go
View File

@ -32,6 +32,18 @@ type CredentialProviderRequest struct {
// credential provider plugin request. Plugins may optionally parse the image
// to extract any information required to fetch credentials.
Image string `json:"image"`
// serviceAccountToken is the service account token bound to the pod for which
// the image is being pulled. This token is only sent to the plugin if the
// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential
// provider configuration.
ServiceAccountToken string `json:"serviceAccountToken,omitempty" datapolicy:"token"`
// serviceAccountAnnotations is a map of annotations on the service account bound to the
// pod for which the image is being pulled. The list of annotations in the service account
// that need to be passed to the plugin is configured in the kubelet's credential provider
// configuration.
ServiceAccountAnnotations map[string]string `json:"serviceAccountAnnotations,omitempty"`
}
type PluginCacheKeyType string

4
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go generated
View File

@ -94,6 +94,8 @@ func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovid
func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
out.Image = in.Image
out.ServiceAccountToken = in.ServiceAccountToken
out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
return nil
}
@ -104,6 +106,8 @@ func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProvid
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
out.Image = in.Image
out.ServiceAccountToken = in.ServiceAccountToken
out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
return nil
}

7
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go generated
View File

@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
*out = *in
out.TypeMeta = in.TypeMeta
if in.ServiceAccountAnnotations != nil {
in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
return
}

27
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/conversion.go Normal file
View File

@ -0,0 +1,27 @@
/*
Copyright 2025 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/kubelet/pkg/apis/credentialprovider"
)
func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
}

17
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1alpha1/zz_generated.conversion.go generated
View File

@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
}); err != nil {
@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
}); err != nil {
return err
}
return nil
}
@ -104,14 +104,11 @@ func Convert_v1alpha1_CredentialProviderRequest_To_credentialprovider_Credential
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
out.Image = in.Image
// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
return nil
}
// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest is an autogenerated conversion function.
func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
}
func autoConvert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))

27
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/conversion.go Normal file
View File

@ -0,0 +1,27 @@
/*
Copyright 2025 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/kubelet/pkg/apis/credentialprovider"
)
func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
}

17
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1/zz_generated.conversion.go generated
View File

@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
}); err != nil {
@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
}); err != nil {
return err
}
return nil
}
@ -104,14 +104,11 @@ func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialP
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
out.Image = in.Image
// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
return nil
}
// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function.
func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
}
func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))

7
staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/zz_generated.deepcopy.go generated
View File

@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
*out = *in
out.TypeMeta = in.TypeMeta
if in.ServiceAccountAnnotations != nil {
in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
return
}