Create k8s API secret/token manually to support Kubernetes 1.24+. (#60)

rancher-plugins · Nov 23, 2022 · 89ecf1f · 89ecf1f
1 parent a35d2bb
commit 89ecf1f
Showing 1 changed file with 62 additions and 19 deletions.
diff --git a/oke/oke_driver.go b/oke/oke_driver.go
@@ -23,22 +23,23 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-
 	"github.com/oracle/oci-go-sdk/v38/common"
 	"github.com/pkg/errors"
 	"github.com/rancher/kontainer-engine/drivers/options"
 	"github.com/rancher/kontainer-engine/types"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
 	"gopkg.in/yaml.v2"
+	"io/ioutil"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	apierror "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
+	"os"
+	"strings"
+	"time"
 )
 
 const (
@@ -1190,28 +1191,59 @@ func generateServiceAccountToken(clientset kubernetes.Interface) (string, error)
 	namespace := "default"
 	name := "kontainer-engine"
 
-	// Create new service account, if it does not exist already
+	serverVersion, err := clientset.Discovery().ServerVersion()
+	if err != nil {
+		return "", err
+	}
+	logrus.Debugf("Kubernetes server version: %s", serverVersion)
 
 	serviceAccount := &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: name}}
 
-	_, _ = clientset.CoreV1().ServiceAccounts(namespace).Create(serviceAccount)
+	// Create new service account, if it does not exist already
+	_, err = clientset.CoreV1().ServiceAccounts(namespace).Create(serviceAccount)
+	if err != nil {
+		if !apierror.IsAlreadyExists(err) {
+			return "", err
+		}
+	}
 
-	// Look up service account
-	serviceAccount, err := clientset.CoreV1().ServiceAccounts(namespace).Get(serviceAccount.Name, metav1.GetOptions{})
+	serviceAccount, err = clientset.CoreV1().ServiceAccounts(namespace).Get(name, metav1.GetOptions{})
 	if err != nil {
 		return "", err
 	}
 
-	if len(serviceAccount.Secrets) > 0 {
-		secret := serviceAccount.Secrets[0]
-		secretObj, err := clientset.CoreV1().Secrets(namespace).Get(secret.Name, metav1.GetOptions{})
-		if err != nil {
-			return "", fmt.Errorf("error getting secret: %v", err)
-		}
-		if byteToken, ok := secretObj.Data["token"]; ok {
-			token = string(byteToken)
+	// Template for an authentication token secret bound to the service account
+	secretTemplate := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: serviceAccount.Name + "-token",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "v1",
+					Kind:       "ServiceAccount",
+					Name:       serviceAccount.Name,
+					UID:        serviceAccount.UID,
+				},
+			},
+			Annotations: map[string]string{
+				v1.ServiceAccountNameKey: serviceAccount.Name,
+			},
+		},
+		Type: v1.SecretTypeServiceAccountToken,
+	}
+
+	_, err = clientset.CoreV1().Secrets(namespace).Create(secretTemplate)
+	if err != nil {
+		if !apierror.IsAlreadyExists(err) {
+			return "", err
 		}
 	}
+	// wait a few seconds for authentication token to populate
+	time.Sleep(10 * time.Second)
+
+	secretObj, err := clientset.CoreV1().Secrets(namespace).Get(serviceAccount.Name+"-token", metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
 
 	// Create new cluster-role-bindings, if it does not exist already
 	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
@@ -1225,15 +1257,26 @@ func generateServiceAccountToken(clientset kubernetes.Interface) (string, error)
 		},
 	}
 
-	_, _ = clientset.RbacV1().ClusterRoleBindings().Create(clusterRoleBinding)
+	_, err = clientset.RbacV1().ClusterRoleBindings().Create(clusterRoleBinding)
+	if err != nil {
+		if !apierror.IsAlreadyExists(err) {
+			return "", err
+		}
+	}
 
 	// Look up cluster role binding
-	clusterRoleBinding, err = clientset.RbacV1().ClusterRoleBindings().Get(clusterRoleBinding.Name, metav1.GetOptions{})
+	_, err = clientset.RbacV1().ClusterRoleBindings().Get(clusterRoleBinding.Name, metav1.GetOptions{})
 	if err != nil {
 		return "", fmt.Errorf("error getting cluster role binding: %v", err)
 	}
 
-	return token, nil
+	// get the bearer token from the token-secret
+	if byteToken, ok := secretObj.Data[v1.ServiceAccountTokenKey]; ok {
+		token = string(byteToken)
+		return token, nil
+	}
+
+	return "", fmt.Errorf("error getting authentication token from secret: %s", secretObj.Name)
 }
 
 func isBase64Encoded(data []byte) bool {