add support for /token subresource in serviceaccount registry #58111
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-github-robot
added
kind/api-change
mikedanese
force-pushed
the
id-registry
branch
3 times, most recently
from
926c2c6
to
31e072f
Compare
k8s-ci-robot
added
size/XXL
k8s-github-robot
added
the
needs-rebase
mikedanese
force-pushed
the
id-registry
branch
from
31e072f
to
bf0dd17
Compare
k8s-ci-robot
added
size/L
mikedanese
force-pushed
the
id-registry
branch
from
bf0dd17
to
1fa8c7d
Compare
k8s-github-robot
removed
the
needs-rebase
mikedanese
force-pushed
the
id-registry
branch
from
1fa8c7d
to
6313fb9
Compare
k8s-github-robot
removed
kind/api-change
mikedanese
force-pushed
the
id-registry
branch
3 times, most recently
from
9c2abbe
to
bdfe771
Compare
mikedanese
changed the title
k8s-ci-robot
added
release-note-none
mikedanese
force-pushed
the
id-registry
branch
2 times, most recently
from
092dcb9
to
07729d4
Compare
| @@ -224,6 +230,9 @@ func (c LegacyRESTStorageProvider) NewLegacyRESTStorage(restOptionsGetter generi | |||
| if legacyscheme.Registry.IsEnabledVersion(schema.GroupVersion{Group: "policy", Version: "v1beta1"}) { | |||
| restStorageMap["pods/eviction"] = podStorage.Eviction | |||
| } | |||
| if c.IDTokenIssuer != nil && utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { | |||
There was a problem hiding this comment.
would prefer checking if serviceAccountStorage.Token is non-nil here (and making it be nil if you pass in a nil IDTokenIssuer to REST construction)
mikedanese
force-pushed
the
id-registry
branch
from
511d960
to
443c2c4
Compare
k8s-ci-robot
added
the
needs-rebase
| @@ -228,6 +229,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | |||
|
|
|||
| fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup, | |||
| "If true, validate ServiceAccount tokens exist in etcd as part of authentication.") | |||
|
|
|||
| fs.StringVar(&s.ServiceAccounts.IssuerID, "service-account-issuer-id", s.ServiceAccounts.IssuerID, ""+ | |||
There was a problem hiding this comment.
probably just call this service-account-issuer, and apply StringOrURI validation (if contains :, require to be a valid URI, otherwise any value is allowed)
| @@ -231,4 +233,7 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) { | |||
| fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting, | |||
| "Turns on aggregator routing requests to endoints IP rather than cluster IP.") | |||
|
|
|||
| fs.StringVar(&s.ServiceAccountSigningKeyFile, "service-account-signing-key-file", s.ServiceAccountSigningKeyFile, ""+ | |||
| "Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Ignored unless alpha TokenRequest is enabled") | |||
There was a problem hiding this comment.
do we want to ignore this unless the feature gate is on, or require the feature gate to be on to specify this (I'd prefer the latter... it's confusing to set flags that have no effect)
There was a problem hiding this comment.
How do you want this to work? The feature gates are passed as flags, and at this point we haven't called flag.Parse. We could error if these are passed but the feature is not enabled. Note this is already mentioned in the flag doc.
There was a problem hiding this comment.
Yeah, check at point of use against feature enablement. I think I commented there as well
cmd/kube-apiserver/app/server.go
Outdated
| @@ -319,6 +322,18 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele | |||
| return nil, nil, nil, nil, nil, err | |||
| } | |||
|
|
|||
| var issuer serviceaccount.TokenGenerator | |||
| if s.ServiceAccountSigningKeyFile != "" && s.Authentication.ServiceAccounts.IssuerID != "" { | |||
There was a problem hiding this comment.
setting either of these without enabling TokenRequest should be an error, and when the feature gate is enabled, setting one without the other should be an error
| @@ -70,6 +70,7 @@ type PasswordFileAuthenticationOptions struct { | |||
| type ServiceAccountAuthenticationOptions struct { | |||
| KeyFiles []string | |||
| Lookup bool | |||
| IssuerID string | |||
mikedanese
force-pushed
the
id-registry
branch
from
443c2c4
to
6662692
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@liggitt fixed. |
ericchiang
added
the
sig/auth
|
|
||
| func TestServiceAccountTokenCreate(t *testing.T) { | ||
| defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequest, true)() | ||
| // Start the server so we know the address |
There was a problem hiding this comment.
might be able to drop most of this MasterHolder/custom authenticator stuff and just use:
... set feature gate
masterConfig := framework.NewIntegrationTestMasterConfig()
... set signing key, issuer id
master, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn()
c, err := clientset.NewForConfig(master.GenericAPIServer.LoopbackClientConfig)
|
just the suggestion for simplifying the integration test, needs squash, lgtm |
mikedanese
force-pushed
the
id-registry
branch
from
6662692
to
8ad1c66
Compare
|
@liggitt done. |
|
For approval: /assign @smarterclayton |
|
@mikedanese: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/approve SIG sign off |
k8s-ci-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, liggitt, mikedanese, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions here. |
I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.
#58790
@kubernetes/sig-auth-pr-reviews