BoundServiceAccountTokenVolume: fix InClusterConfig #77613
/lgtm /hold |
I think we also need these to ensure the overridden command line
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
index fb6a7fa3ba..dda51b60d2 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
@@ -171,6 +171,7 @@ func restConfigFromKubeconfig(configAuthInfo *clientcmdapi.AuthInfo) (*rest.Conf
// blindly overwrite existing values based on precedence
if len(configAuthInfo.Token) > 0 {
config.BearerToken = configAuthInfo.Token
+ config.BearerTokenFile = configAuthInfo.TokenFile
} else if len(configAuthInfo.TokenFile) > 0 {
tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
if err != nil {
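Review bot: In the `len(configAuthInfo.Token) > 0` branch, `config.BearerTokenFile` is copied from `configAuthInfo.TokenFile` unconditionally, so a kubeconfig that sets both ends up with an inline token and a file path on the same config, and the existing comment ("blindly overwrite existing values based on precedence") does not say which of the two is meant to win. State the intended precedence in that comment and add a unit test for the both-set case so the behaviour is pinned.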
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
index 878e0df79f..c62ee03c77 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
@@ -228,6 +228,7 @@ func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthI
// blindly overwrite existing values based on precedence
if len(configAuthInfo.Token) > 0 {
mergedConfig.BearerToken = configAuthInfo.Token
+ mergedConfig.BearerTokenFile = configAuthInfo.TokenFile
} else if len(configAuthInfo.TokenFile) > 0 {
tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
if err != nil {
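Review bot: The token-merge block around `mergedConfig.BearerToken = configAuthInfo.Token` is a line-for-line copy of the one in `restConfigFromKubeconfig` in authentication.go, and both copies needed the same one-line addition here. A shared helper, or at least a comment in each copy pointing at the other, would keep the two from drifting apart on the next change to token handling.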
@@ -491,6 +492,7 @@ func (config *inClusterClientConfig) ClientConfig() (*restclient.Config, error)
}
if token := config.overrides.AuthInfo.Token; len(token) > 0 {
icc.BearerToken = token
+ icc.BearerTokenFile = ""
}
if certificateAuthorityFile := config.overrides.ClusterInfo.CertificateAuthority; len(certificateAuthorityFile) > 0 {
icc.TLSClientConfig.CAFile = certificateAuthorityFile |
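Review bot: `icc.BearerTokenFile = ""` in the `config.overrides.AuthInfo.Token` branch goes the opposite way from the two kubeconfig hunks, which copy the file path alongside the token, and the line has no comment explaining the difference. Add a short comment saying why the path is cleared once an explicit token override is given (presumably so the override is not superseded by the in-cluster token file), and a test asserting that the override token is the one that ends up in use.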
I'm headed down the path of creating a new test image and e2e for in cluster config. Feel free to stop me if you have any bright ideas. |
test/e2e/auth/service_accounts.go
Outdated
@@ -410,4 +415,143 @@ var _ = SIGDescribe("ServiceAccounts", func() { | |||
} | |||
} | |||
}) | |||
|
|||
//It("should support InClusterConfig with token rotation [Slow]", func() { | |||
It("should support InClusterConfig with token rotation", func() { |
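Review bot: The commented-out `//It("should support InClusterConfig with token rotation [Slow]", func() {` directly above the live `It(...)` is dead code carrying the same description plus a `[Slow]` tag. Delete it and put whichever tags the test is meant to carry into the live description, so the suite selection is visible from one line.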
This test works now but it's slow (~10 minutes). It's pretty gross because I want it to run on non-alpha clusters. I could drop a bunch of stuff if we are ok with this only running in the alpha test suite.
Also it will still be slow even if we only run it in the alpha suite, just way smaller.
I don't think we check feature gates in the e2e process (it's not even the same process as the apiserver)... typically we indicate non-default features with feature tags in the test description
Ya, fixed.
would it make sense to split the e2e test into its own commit? were you planning to pick the test back to 1.12/1.13/1.14 as well? |
the test is ugly, but I want coverage more than beauty at the moment. with the [Slow] and [Feature] tags, do we know what suite this will run in so we can monitor it? /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: liggitt, mikedanese
/hold cancel |
/retest |
…7613-upstream-release-1.12 Automated cherry pick of #77613 upstream release 1.12
…7613-upstream-release-1.14 Automated cherry pick of #77613 upstream release 1.14
…7613-upstream-release-1.13 Automated cherry pick of #77613 upstream release 1.13
Missed this in dba85e58deba and rest.Config is dropping BearerTokenFile path before the token source is created. This is causing InClusterConfig to not refresh tokens from disk.
😢 😭
I'm thinking about how to get some test coverage here.
/kind bug
/sig auth
Fixes #77651
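
The failure the description above reports, as an added example that is not code from this pull request or from client-go: a client that kept only a one-time copy of the token is rejected once the file on disk is rotated, while a client that kept the file path is not. `tokenRT`, `StatusAfterRotation` and the token values are hypothetical, and the transport here re-reads the file on every request rather than caching it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// tokenRT is a hypothetical transport: file's current contents win over static.
type tokenRT struct{ static, file string }

func (t tokenRT) RoundTrip(req *http.Request) (*http.Response, error) {
	tok := t.static
	if t.file != "" {
		if b, err := os.ReadFile(t.file); err == nil {
			tok = string(b) // a failed read falls back to the static copy
		}
	}
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+tok)
	return http.DefaultTransport.RoundTrip(req)
}

// StatusAfterRotation rotates the token file at path to a new value, then
// sends one request through rt and returns the HTTP status it receives.
func StatusAfterRotation(rt tokenRT, path string) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer token-v2" { // token-v1 has expired
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	if err := os.WriteFile(path, []byte("token-v2"), 0o600); err != nil { // rotation
		return 0, err
	}
	resp, err := (&http.Client{Transport: rt}).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "demo-sa-token") // scratch file, constructed
	fmt.Println(StatusAfterRotation(tokenRT{static: "token-v1"}, path))
	fmt.Println(StatusAfterRotation(tokenRT{static: "token-v1", file: path}, path))
}
```

The first call models a config whose file path was dropped after the initial read; the second models one that still carries the path when the token source is built.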