fix(pkg/utils): look for all secrets bound to a sa

Signed-off-by: Massimiliano Giovagnoli <me@maxgio.it>
maxgio92 · Jun 10, 2023 · a92a4e0 · a92a4e0
1 parent c02e725
commit a92a4e0
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/pkg/generator/generator.go b/pkg/generator/generator.go
@@ -34,7 +34,7 @@ const (
 // the specified Secret.
 func GenerateProxyKubeconfigFromSA(clientset *kubernetes.Clientset, serviceAccountName string, namespace string, server string, serverTLSSecretName string, serverTLSSecretCAKey string, serverTLSSecretNamespace string, kubeconfigSecretKey string) (*clientcmdapi.Config, error) {
 	// Get Tenant Service Account token
-	saSecret, err := utils.GetServiceAccountSecret(clientset, serviceAccountName, namespace)
+	saSecret, err := utils.GetServiceAccountTokenSecret(clientset, serviceAccountName, namespace)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/utils/errors.go b/pkg/utils/errors.go
@@ -5,5 +5,6 @@ import (
 )
 
 var (
-	ErrSecretTypeNotServiceAccountToken = errors.New("the secret is not of type service-account-token")
+	ErrSecretTypeNotServiceAccountToken  = errors.New("the secret is not of type service-account-token")
+	ErrServiceAccountTokenSecretNotFound = errors.New("secret of type service-account-token not found")
 )
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -46,7 +46,7 @@ func BuildClientConfig() (*rest.Config, error) {
 	return config, nil
 }
 
-func GetServiceAccountSecret(clientSet *kubernetes.Clientset, serviceAccountName string, namespace string) (*corev1.Secret, error) {
+func GetServiceAccountTokenSecret(clientSet *kubernetes.Clientset, serviceAccountName string, namespace string) (*corev1.Secret, error) {
 	serviceAccount, err := clientSet.CoreV1().ServiceAccounts(namespace).Get(
 		context.Background(),
 		serviceAccountName,
@@ -60,20 +60,22 @@ func GetServiceAccountSecret(clientSet *kubernetes.Clientset, serviceAccountName
 		return nil, fmt.Errorf("no secret found for the service account %s in namepsace %s", serviceAccount.Name, serviceAccount.Namespace)
 	}
 
-	saSecret, err := clientSet.CoreV1().Secrets(namespace).Get(
-		context.Background(),
-		serviceAccount.Secrets[0].Name,
-		metav1.GetOptions{},
-	)
-	if err != nil {
-		return nil, err
-	}
+	for _, secret := range serviceAccount.Secrets {
+		saSecret, err := clientSet.CoreV1().Secrets(namespace).Get(
+			context.Background(),
+			secret.Name,
+			metav1.GetOptions{},
+		)
+		if err != nil {
+			continue
+		}
 
-	if saSecret.Type != corev1.SecretTypeServiceAccountToken {
-		return nil, ErrSecretTypeNotServiceAccountToken
+		if saSecret.Type == corev1.SecretTypeServiceAccountToken {
+			return saSecret, nil
+		}
 	}
 
-	return saSecret, nil
+	return nil, ErrServiceAccountTokenSecretNotFound
 }
 
 func BuildKubeconfigFromToken(token []byte, CACertificate []byte, server string, namespace string) (*clientcmdapi.Config, error) {