diff --git a/internal/nocalhost-api/global/static.go b/internal/nocalhost-api/global/static.go
index ab0c9304f..1c01f1a2e 100644
--- a/internal/nocalhost-api/global/static.go
+++ b/internal/nocalhost-api/global/static.go
@@ -24,6 +24,7 @@ const (
 NocalhostCreateByLabel = "app.kubernetes.io/created-by"
 NocalhostRegistry = "nocalhost-docker.pkg.coding.net"
 Nocalhostrepository = "nocalhost/public/nocalhost-api"
+ NocalhostSaTokenSuffix = "-token-gen-by-nocalhost"
 )
 var (
diff --git a/pkg/nocalhost-api/app/api/v1/service_account/service_account.go b/pkg/nocalhost-api/app/api/v1/service_account/service_account.go
index dc9b7686a..a2e05ab4c 100644
--- a/pkg/nocalhost-api/app/api/v1/service_account/service_account.go
+++ b/pkg/nocalhost-api/app/api/v1/service_account/service_account.go
@@ -16,6 +16,7 @@ import (
 clientcmdapiv1 "k8s.io/client-go/tools/clientcmd/api/v1"
 _const "nocalhost/internal/nhctl/const"
+ "nocalhost/internal/nocalhost-api/global"
 "nocalhost/internal/nocalhost-api/model"
 "nocalhost/internal/nocalhost-api/service"
 "nocalhost/internal/nocalhost-api/service/cooperator/cluster_scope"
@@ -126,11 +127,11 @@ func GenKubeconfig(
 // nocalhost provide every user a service account each cluster
 // first check if config valid
 var reader setupcluster.DevKubeConfigReader
- if reader = getServiceAccountKubeConfigReader(
+ if reader, err = getServiceAccountKubeConfigReader(
 clientGo, saName, _const.NocalhostDefaultSaNs, cp.GetClusterServer(),
- ); reader == nil {
- return
+ ); err != nil || reader == nil {
+ log.Error(err, "failed to get service account kubeconfig reader")
 }
 var kubeConfig string
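Review bot: The early `return` that the old `reader == nil` branch had is missing on the new side: the failure branch only calls `log.Error(...)` and execution continues past `var kubeConfig string` with `reader` still nil, presumably into code that dereferences it. If logging is the intent, keep the exit, `log.Error(err, "failed to get service account kubeconfig reader")` followed by `return`; if the caller should see the failure, return the error instead of logging it at this layer. `err` is assigned with `=`, so it must be declared earlier in GenKubeconfig, which starts outside the hunk, and the `reader == nil` half of the condition logs a nil error whenever the helper returns `(nil, nil)`.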
@@ -289,22 +290,30 @@ func GenKubeconfig(
 func getServiceAccountKubeConfigReader(
 clientGo *clientgo.GoClient, saName, saNs, serverAddr string,
-) setupcluster.DevKubeConfigReader {
+) (setupcluster.DevKubeConfigReader, error) {
 sa, err := clientGo.GetServiceAccount(saName, saNs)
- if err != nil || len(sa.Secrets) == 0 {
- return nil
+ if err != nil {
+ return nil, err
+ }
+
+ // https://github.com/nocalhost/nocalhost/issues/1327
+ secretName := ""
+ if len(sa.Secrets) == 0 {
+ secretName = sa.Name + global.NocalhostSaTokenSuffix
+ } else {
+ secretName = sa.Secrets[0].Name
 }
- secret, err := clientGo.GetSecret(_const.NocalhostDefaultSaNs, sa.Secrets[0].Name)
+ secret, err := clientGo.GetSecret(_const.NocalhostDefaultSaNs, secretName)
 if err != nil {
- return nil
+ return nil, err
 }
 cr := setupcluster.NewDevKubeConfigReader(
 secret, serverAddr, saNs,
 )
 cr.GetCA().GetToken().AssembleDevKubeConfig()
- return cr
+ return cr, nil
 }
 type ServiceAccountModel struct {
diff --git a/pkg/nocalhost-api/pkg/clientgo/client.go b/pkg/nocalhost-api/pkg/clientgo/client.go
index 45bb00f0e..f4e0f07e9 100644
--- a/pkg/nocalhost-api/pkg/clientgo/client.go
+++ b/pkg/nocalhost-api/pkg/clientgo/client.go
@@ -417,8 +417,7 @@ func (c *GoClient) DeleteServiceAccount(name, namespace string) error {
 return nil
 }
-// create serviceAccount for namespace(Authorization cluster for developer)
-// default name is nocalhost
+// CreateServiceAccount for namespace(Authorization cluster for developer)
 func (c *GoClient) CreateServiceAccount(name, namespace string) (bool, error) {
 if name == "" {
 name = global.NocalhostDevServiceAccountName
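Review bot: The new `clientGo.GetSecret(_const.NocalhostDefaultSaNs, secretName)` line still looks the secret up in the hard-coded default namespace, while the service account was fetched from the `saNs` parameter and the reader is built with `saNs`, so the fallback name `sa.Name + global.NocalhostSaTokenSuffix` would be searched in the wrong namespace for any caller passing a different `saNs` (the one call visible in this diff passes the default, so today this is a consistency point); passing `saNs` there keeps the three lookups aligned. The fallback also accepts the secret purely by name: checking `secret.Type == corev1.SecretTypeServiceAccountToken` and that its `corev1.ServiceAccountNameKey` annotation equals `sa.Name` before `NewDevKubeConfigReader` would refuse a stale or foreign secret instead of assembling a kubeconfig from it (this needs the corev1 import in this file if it is not already present). Wrapping the two returned errors with the names involved, e.g. `return nil, fmt.Errorf("getting token secret %q for service account %q: %w", secretName, saName, err)`, would let the caller's log line say which of the two paths failed. Style: `secretName := ""` followed by an assignment in both branches reads more naturally as `var secretName string`.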
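Review bot: The rewritten doc comment drops the default-name behaviour that the code two lines below still implements (`name = global.NocalhostDevServiceAccountName` when `name == ""`), and it does not mention that the function now also creates a token secret for the account. Suggested: `// CreateServiceAccount creates the service account name in namespace (authorizing the cluster for a developer) together with its long-lived token secret; an empty name defaults to global.NocalhostDevServiceAccountName.` The body of CreateServiceAccount continues outside this hunk.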
@@ -434,6 +433,24 @@ func (c *GoClient) CreateServiceAccount(name, namespace string) (bool, error) {
 if err != nil {
 return false, err
 }
+
+ // https://github.com/nocalhost/nocalhost/issues/1327
+ // create secret for service account
+ secretName := name + global.NocalhostSaTokenSuffix
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: secretName,
+ Labels: m,
+ Annotations: map[string]string{
+ corev1.ServiceAccountNameKey: name,
+ },
+ },
+ Type: corev1.SecretTypeServiceAccountToken,
+ }
+ _, err = c.CreateSecret(namespace, secret)
+ if err != nil {
+ return false, err
+ }
 return true, nil
 }
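Review bot: If `c.CreateSecret` fails after the service account has already been created (the `if err != nil { return false, err }` at the top of the hunk is the account creation's check), the function reports failure but leaves the account behind without its token secret, and whether a retry can recover depends on how the account creation, which is outside the hunk, handles an already-existing account. Treating an existing secret as success, `if err != nil && !k8serrors.IsAlreadyExists(err) { return false, err }` with `k8s.io/apimachinery/pkg/api/errors` imported as `k8serrors`, makes the call idempotent; the alternative is to delete the account when the secret cannot be created so the two objects exist together or not at all. A secret of `Type: corev1.SecretTypeServiceAccountToken` with the `corev1.ServiceAccountNameKey` annotation is filled by the control plane with a non-expiring token, which is presumably why the referenced issue needs it, so it is a long-lived credential and the `Labels: m` it carries (declared outside the hunk) should be the same labels the deletion path uses so the secret is removed with the account. Suggested comment above `secretName`: `// Non-expiring token secret for the account; it is a long-lived credential and must be cleaned up together with the service account.`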