Switch bootstrap token authenticator informer to external types

cmd/kube-apiserver/app/server.go

@@ -524,7 +524,7 @@ func buildGenericConfig(
 	}
 	serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
 
-	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, sharedInformers)
+	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers)
 	if err != nil {
 		lastErr = fmt.Errorf("invalid authentication config: %v", err)
 		return
@@ -625,13 +625,13 @@ func BuildAdmissionPluginInitializers(
 }
 
 // BuildAuthenticator constructs the authenticator
-func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
+func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
 	authenticatorConfig := s.Authentication.ToAuthenticationConfig()
 	if s.Authentication.ServiceAccounts.Lookup {
 		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
 	}
 	authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
-		sharedInformers.Core().InternalVersion().Secrets().Lister().Secrets(v1.NamespaceSystem),
+		versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),
 	)
 
 	return authenticatorConfig.New()

plugin/pkg/auth/authenticator/token/bootstrap/BUILD

@@ -11,7 +11,7 @@ go_test(
     srcs = ["bootstrap_test.go"],
     embed = [":go_default_library"],
     deps = [
-        "//pkg/apis/core:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
@@ -26,12 +26,12 @@ go_library(
     srcs = ["bootstrap.go"],
     importpath = "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap",
     deps = [
-        "//pkg/apis/core:go_default_library",
-        "//pkg/client/listers/core/internalversion:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
         "//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
         "//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",

plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go

@@ -29,14 +29,14 @@ import (
 
 	"github.com/golang/glog"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
 	bootstraputil "k8s.io/cluster-bootstrap/token/util"
-	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 )
 
 // TODO: A few methods in this package is copied from other sources. Either
@@ -46,21 +46,21 @@ import (
 // NewTokenAuthenticator initializes a bootstrap token authenticator.
 //
 // Lister is expected to be for the "kube-system" namespace.
-func NewTokenAuthenticator(lister internalversion.SecretNamespaceLister) *TokenAuthenticator {
+func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator {
 	return &TokenAuthenticator{lister}
 }
 
 // TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
 type TokenAuthenticator struct {
-	lister internalversion.SecretNamespaceLister
+	lister corev1listers.SecretNamespaceLister
 }
 
 // tokenErrorf prints a error message for a secret that has matched a bearer
 // token but fails to meet some other criteria.
 //
 //    tokenErrorf(secret, "has invalid value for key %s", key)
 //
-func tokenErrorf(s *api.Secret, format string, i ...interface{}) {
+func tokenErrorf(s *corev1.Secret, format string, i ...interface{}) {
 	format = fmt.Sprintf("Bootstrap secret %s/%s matching bearer token ", s.Namespace, s.Name) + format
 	glog.V(3).Infof(format, i...)
 }
@@ -155,7 +155,7 @@ func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string
 }
 
 // Copied from k8s.io/cluster-bootstrap/token/api
-func getSecretString(secret *api.Secret, key string) string {
+func getSecretString(secret *corev1.Secret, key string) string {
 	data, ok := secret.Data[key]
 	if !ok {
 		return ""
@@ -165,7 +165,7 @@ func getSecretString(secret *api.Secret, key string) string {
 }
 
 // Copied from k8s.io/cluster-bootstrap/token/api
-func isSecretExpired(secret *api.Secret) bool {
+func isSecretExpired(secret *corev1.Secret) bool {
 	expiration := getSecretString(secret, bootstrapapi.BootstrapTokenExpirationKey)
 	if len(expiration) > 0 {
 		expTime, err2 := time.Parse(time.RFC3339, expiration)
@@ -205,7 +205,7 @@ func parseToken(s string) (string, string, error) {
 // getGroups loads and validates the bootstrapapi.BootstrapTokenExtraGroupsKey
 // key from the bootstrap token secret, returning a list of group names or an
 // error if any of the group names are invalid.
-func getGroups(secret *api.Secret) ([]string, error) {
+func getGroups(secret *corev1.Secret) ([]string, error) {
 	// always include the default group
 	groups := sets.NewString(bootstrapapi.BootstrapDefaultGroup)
 

plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go

@@ -21,24 +21,24 @@ import (
 	"reflect"
 	"testing"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/authentication/user"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
-	api "k8s.io/kubernetes/pkg/apis/core"
 )
 
 type lister struct {
-	secrets []*api.Secret
+	secrets []*corev1.Secret
 }
 
-func (l *lister) List(selector labels.Selector) (ret []*api.Secret, err error) {
+func (l *lister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
 	return l.secrets, nil
 }
 
-func (l *lister) Get(name string) (*api.Secret, error) {
+func (l *lister) Get(name string) (*corev1.Secret, error) {
 	for _, s := range l.secrets {
 		if s.Name == name {
 			return s, nil
@@ -58,15 +58,15 @@ func TestTokenAuthenticator(t *testing.T) {
 	tests := []struct {
 		name string
 
-		secrets []*api.Secret
+		secrets []*corev1.Secret
 		token   string
 
 		wantNotFound bool
 		wantUser     *user.DefaultInfo
 	}{
 		{
 			name: "valid token",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -87,7 +87,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "valid token with extra group",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -109,7 +109,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "invalid group",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -128,7 +128,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "invalid secret name",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "bad-name",
@@ -146,7 +146,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "no usage",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -163,7 +163,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "wrong token",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -181,7 +181,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "deleted token",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:              bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -200,7 +200,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "expired token",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -219,7 +219,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "not expired token",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -241,7 +241,7 @@ func TestTokenAuthenticator(t *testing.T) {
 		},
 		{
 			name: "token id wrong length",
-			secrets: []*api.Secret{
+			secrets: []*corev1.Secret{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: bootstrapapi.BootstrapTokenSecretPrefix + "foo",
@@ -292,21 +292,21 @@ func TestTokenAuthenticator(t *testing.T) {
 func TestGetGroups(t *testing.T) {
 	tests := []struct {
 		name         string
-		secret       *api.Secret
+		secret       *corev1.Secret
 		expectResult []string
 		expectError  bool
 	}{
 		{
 			name: "not set",
-			secret: &api.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{Name: "test"},
 				Data:       map[string][]byte{},
 			},
 			expectResult: []string{"system:bootstrappers"},
 		},
 		{
 			name: "set to empty value",
-			secret: &api.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{Name: "test"},
 				Data: map[string][]byte{
 					bootstrapapi.BootstrapTokenExtraGroupsKey: []byte(""),
@@ -316,7 +316,7 @@ func TestGetGroups(t *testing.T) {
 		},
 		{
 			name: "invalid prefix",
-			secret: &api.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{Name: "test"},
 				Data: map[string][]byte{
 					bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("foo"),
@@ -326,7 +326,7 @@ func TestGetGroups(t *testing.T) {
 		},
 		{
 			name: "valid",
-			secret: &api.Secret{
+			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{Name: "test"},
 				Data: map[string][]byte{
 					bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("system:bootstrappers:foo,system:bootstrappers:bar,system:bootstrappers:bar"),

staging/src/k8s.io/api/core/v1/types.go

@@ -4996,6 +4996,10 @@ const (
 	TLSCertKey = "tls.crt"
 	// TLSPrivateKeyKey is the key for the private key field in a TLS secret.
 	TLSPrivateKeyKey = "tls.key"
+	// SecretTypeBootstrapToken is used during the automated bootstrap process (first
+	// implemented by kubeadm). It stores tokens that are used to sign well known
+	// ConfigMaps. They are used for authn.
+	SecretTypeBootstrapToken SecretType = "bootstrap.kubernetes.io/token"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

test/integration/auth/bootstraptoken_test.go

@@ -24,24 +24,24 @@ import (
 	"testing"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
-	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
 	bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/framework"
 )
 
-type bootstrapSecrets []*api.Secret
+type bootstrapSecrets []*corev1.Secret
 
-func (b bootstrapSecrets) List(selector labels.Selector) (ret []*api.Secret, err error) {
+func (b bootstrapSecrets) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
 	return b, nil
 }
 
-func (b bootstrapSecrets) Get(name string) (*api.Secret, error) {
+func (b bootstrapSecrets) Get(name string) (*corev1.Secret, error) {
 	return b[0], nil
 }
 
@@ -55,36 +55,36 @@ func TestBootstrapTokenAuth(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	var bootstrapSecretValid = &api.Secret{
+	var bootstrapSecretValid = &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: metav1.NamespaceSystem,
 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
 		},
-		Type: api.SecretTypeBootstrapToken,
+		Type: corev1.SecretTypeBootstrapToken,
 		Data: map[string][]byte{
 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenId),
 			bootstrapapi.BootstrapTokenSecretKey:           []byte(secret),
 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
 		},
 	}
-	var bootstrapSecretInvalid = &api.Secret{
+	var bootstrapSecretInvalid = &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: metav1.NamespaceSystem,
 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
 		},
-		Type: api.SecretTypeBootstrapToken,
+		Type: corev1.SecretTypeBootstrapToken,
 		Data: map[string][]byte{
 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenId),
 			bootstrapapi.BootstrapTokenSecretKey:           []byte("invalid"),
 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
 		},
 	}
-	var expiredBootstrapToken = &api.Secret{
+	var expiredBootstrapToken = &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: metav1.NamespaceSystem,
 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
 		},
-		Type: api.SecretTypeBootstrapToken,
+		Type: corev1.SecretTypeBootstrapToken,
 		Data: map[string][]byte{
 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenId),
 			bootstrapapi.BootstrapTokenSecretKey:           []byte("invalid"),
@@ -101,7 +101,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
 	tests := []struct {
 		name    string
 		request request
-		secret  *api.Secret
+		secret  *corev1.Secret
 	}{
 		{
 			name:    "valid token",