Update ServiceAccount token lookup logic
Co-authored-by: Ryan Emerson <[email protected]>
Crumby and ryanemerson committed Nov 2, 2023
1 parent 4598134 commit 24b5dda
Showing 2 changed files with 22 additions and 44 deletions.
37 changes: 0 additions & 37 deletions pkg/kubernetes/controllerutil.go
Expand Up @@ -47,43 +47,6 @@ func LookupResource(name, namespace string, resource, caller client.Object, clie
return nil, nil
}

func LookupServiceAccountTokenSecret(name, namespace string, client client.Client, ctx context.Context) (*corev1.Secret, error) {
serviceAccount := &corev1.ServiceAccount{}
if err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, serviceAccount); err != nil {
return nil, err
}
for _, secretReference := range serviceAccount.Secrets {
secret := &corev1.Secret{}
if err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: secretReference.Name}, secret); err != nil {
continue
}
if isServiceAccountToken(secret, serviceAccount) {
return secret, nil
}
}
return nil, fmt.Errorf("could not find a service account token secret for service account %q", serviceAccount.Name)
}

// isServiceAccountToken returns true if the secret is a valid api token for the service account
func isServiceAccountToken(secret *corev1.Secret, sa *corev1.ServiceAccount) bool {
if secret.Type != corev1.SecretTypeServiceAccountToken {
return false
}

name := secret.Annotations[corev1.ServiceAccountNameKey]
uid := secret.Annotations[corev1.ServiceAccountUIDKey]
if name != sa.Name {
// Name must match
return false
}
if len(uid) > 0 && uid != string(sa.UID) {
// If UID is specified, it must match
return false
}

return true
}

func IsControlledByGVK(refs []metav1.OwnerReference, gvk schema.GroupVersionKind) bool {
for _, ref := range refs {
if ref.Controller != nil && *ref.Controller && ref.APIVersion == gvk.GroupVersion().String() && ref.Kind == gvk.Kind {
29 changes: 22 additions & 7 deletions test/e2e/xsite/xsite_test.go
Expand Up @@ -15,10 +15,12 @@ import (
tutils "github.com/infinispan/infinispan-operator/test/e2e/utils"
routev1 "github.com/openshift/api/route/v1"
"github.com/stretchr/testify/assert"
authenticationv1 "k8s.io/api/authentication/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/clientcmd/api"
"k8s.io/utils/pointer"
Expand Down Expand Up @@ -460,16 +462,13 @@ func testCrossSiteView(t *testing.T, isMultiCluster bool, schemeType ispnv1.Cros
defer tesKubes["xsite1"].kube.DeleteSecret(crossSiteCertificateSecret("xsite2", tesKubes["xsite1"].namespace, clientConfig, tesKubes["xsite2"].context))
defer tesKubes["xsite2"].kube.DeleteSecret(crossSiteCertificateSecret("xsite1", tesKubes["xsite2"].namespace, clientConfig, tesKubes["xsite1"].context))
} else if schemeType == ispnv1.CrossSiteSchemeTypeOpenShift {
serviceAccount := tutils.OperatorSAName
operatorNamespaceSite1 := constants.GetWithDefault(tutils.OperatorNamespace, tesKubes["xsite1"].namespace)
tokenSecretXsite1, err := kube.LookupServiceAccountTokenSecret(serviceAccount, operatorNamespaceSite1, tesKubes["xsite1"].kube.Kubernetes.Client, context.TODO())
tutils.ExpectNoError(err)
operatorNamespaceSite2 := constants.GetWithDefault(tutils.OperatorNamespace, tesKubes["xsite2"].namespace)
tokenSecretXsite2, err := kube.LookupServiceAccountTokenSecret(serviceAccount, operatorNamespaceSite2, tesKubes["xsite2"].kube.Kubernetes.Client, context.TODO())
tutils.ExpectNoError(err)
xsite1Token := getServiceAccountToken(operatorNamespaceSite1, tesKubes["xsite1"].kube)
xsite2Token := getServiceAccountToken(operatorNamespaceSite2, tesKubes["xsite2"].kube)

tesKubes["xsite1"].kube.CreateSecret(crossSiteTokenSecret("xsite2", tesKubes["xsite1"].namespace, tokenSecretXsite2.Data["token"]))
tesKubes["xsite2"].kube.CreateSecret(crossSiteTokenSecret("xsite1", tesKubes["xsite2"].namespace, tokenSecretXsite1.Data["token"]))
tesKubes["xsite1"].kube.CreateSecret(crossSiteTokenSecret("xsite2", tesKubes["xsite1"].namespace, xsite2Token))
tesKubes["xsite2"].kube.CreateSecret(crossSiteTokenSecret("xsite1", tesKubes["xsite2"].namespace, xsite1Token))

defer tesKubes["xsite1"].kube.DeleteSecret(crossSiteTokenSecret("xsite2", tesKubes["xsite1"].namespace, []byte("")))
defer tesKubes["xsite2"].kube.DeleteSecret(crossSiteTokenSecret("xsite1", tesKubes["xsite2"].namespace, []byte("")))
Expand Down Expand Up @@ -647,3 +646,19 @@ func expectHeartBeatConfiguration(t *testing.T, siteKube *crossSiteKubernetes, e
assert.False(t, strings.Contains(data, "heartbeat_timeout"), "TUNNEL hearbeat configuration not expected")
}
}

func getServiceAccountToken(namespace string, k8s *tutils.TestKubernetes) []byte {
response, err := corev1client.New(k8s.Kubernetes.RestClient).
ServiceAccounts(namespace).
CreateToken(
context.TODO(),
tutils.OperatorSAName,
&authenticationv1.TokenRequest{},
metav1.CreateOptions{},
)
tutils.ExpectNoError(err)
if len(response.Status.Token) == 0 {
panic(fmt.Errorf("failed to create token: no token in server response"))
}
return []byte(response.Status.Token)
}
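Review bot: getServiceAccountToken passes an empty `&authenticationv1.TokenRequest{}`, so the token written into the cross-site secret lives only as long as the API server's default expiration (cluster-configurable, commonly an hour) instead of the non-expiring secret the removed LookupServiceAccountTokenSecret returned; a test that runs past that window, or a cluster with a shorter default, will see the remote site's authentication fail mid-run with nothing in this code pointing at the cause. Set the lifetime explicitly and say why, e.g. `&authenticationv1.TokenRequest{Spec: authenticationv1.TokenRequestSpec{ExpirationSeconds: pointer.Int64(3600)}}` (the `pointer` package is already imported) with the comment `// bound, time-limited token; lifetime must cover the whole cross-site run`. A doc comment would also help, since it is not obvious that every call mints a fresh token rather than reading an existing secret: `// getServiceAccountToken mints a new, time-limited token for the operator ServiceAccount via the TokenRequest API.` Minor: `panic(fmt.Errorf(...))` wraps no underlying error, so `panic("failed to create token: no token in server response")` reads the same.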
