Merge pull request #1330 from nocalhost/fix/gen-token-for-sa

fix(api): gen sa secret token
nocalhost · Jul 6, 2022 · 771f780 · 771f780
2 parents e466a04 + 7f72057
commit 771f780
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 11 deletions.
diff --git a/internal/nocalhost-api/global/static.go b/internal/nocalhost-api/global/static.go
@@ -24,6 +24,7 @@ const (
 	NocalhostCreateByLabel                    = "app.kubernetes.io/created-by"
 	NocalhostRegistry                         = "nocalhost-docker.pkg.coding.net"
 	Nocalhostrepository                       = "nocalhost/public/nocalhost-api"
+	NocalhostSaTokenSuffix                    = "-token-gen-by-nocalhost"
 )
 
 var (

diff --git a/pkg/nocalhost-api/app/api/v1/service_account/service_account.go b/pkg/nocalhost-api/app/api/v1/service_account/service_account.go
@@ -16,6 +16,7 @@ import (
 	clientcmdapiv1 "k8s.io/client-go/tools/clientcmd/api/v1"
 
 	_const "nocalhost/internal/nhctl/const"
+	"nocalhost/internal/nocalhost-api/global"
 	"nocalhost/internal/nocalhost-api/model"
 	"nocalhost/internal/nocalhost-api/service"
 	"nocalhost/internal/nocalhost-api/service/cooperator/cluster_scope"
@@ -126,11 +127,11 @@ func GenKubeconfig(
 	// nocalhost provide every user a service account each cluster
 	// first check if config valid
 	var reader setupcluster.DevKubeConfigReader
-	if reader = getServiceAccountKubeConfigReader(
+	if reader, err = getServiceAccountKubeConfigReader(
 		clientGo, saName,
 		_const.NocalhostDefaultSaNs, cp.GetClusterServer(),
-	); reader == nil {
-		return
+	); err != nil || reader == nil {
+		log.Error(err, "failed to get service account kubeconfig reader")
 	}
 
 	var kubeConfig string
@@ -289,22 +290,30 @@ func GenKubeconfig(
 func getServiceAccountKubeConfigReader(
 	clientGo *clientgo.GoClient,
 	saName, saNs, serverAddr string,
-) setupcluster.DevKubeConfigReader {
+) (setupcluster.DevKubeConfigReader, error) {
 	sa, err := clientGo.GetServiceAccount(saName, saNs)
-	if err != nil || len(sa.Secrets) == 0 {
-		return nil
+	if err != nil {
+		return nil, err
+	}
+
+	// https://github.com/nocalhost/nocalhost/issues/1327
+	secretName := ""
+	if len(sa.Secrets) == 0 {
+		secretName = sa.Name + global.NocalhostSaTokenSuffix
+	} else {
+		secretName = sa.Secrets[0].Name
 	}
 
-	secret, err := clientGo.GetSecret(_const.NocalhostDefaultSaNs, sa.Secrets[0].Name)
+	secret, err := clientGo.GetSecret(_const.NocalhostDefaultSaNs, secretName)
 	if err != nil {
-		return nil
+		return nil, err
 	}
 	cr := setupcluster.NewDevKubeConfigReader(
 		secret, serverAddr, saNs,
 	)
 
 	cr.GetCA().GetToken().AssembleDevKubeConfig()
-	return cr
+	return cr, nil
 }
 
 type ServiceAccountModel struct {

diff --git a/pkg/nocalhost-api/pkg/clientgo/client.go b/pkg/nocalhost-api/pkg/clientgo/client.go
@@ -417,8 +417,7 @@ func (c *GoClient) DeleteServiceAccount(name, namespace string) error {
 	return nil
 }
 
-// create serviceAccount for namespace(Authorization cluster for developer)
-// default name is nocalhost
+// CreateServiceAccount for namespace(Authorization cluster for developer)
 func (c *GoClient) CreateServiceAccount(name, namespace string) (bool, error) {
 	if name == "" {
 		name = global.NocalhostDevServiceAccountName
@@ -434,6 +433,24 @@ func (c *GoClient) CreateServiceAccount(name, namespace string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
+
+	// https://github.com/nocalhost/nocalhost/issues/1327
+	// create secret for service account
+	secretName := name + global.NocalhostSaTokenSuffix
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   secretName,
+			Labels: m,
+			Annotations: map[string]string{
+				corev1.ServiceAccountNameKey: name,
+			},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}
+	_, err = c.CreateSecret(namespace, secret)
+	if err != nil {
+		return false, err
+	}
 	return true, nil
 }