Merge pull request #20473 from alvaroaleman/projected-token-file

Use projected token source to dynamically refresh SA token
kubernetes · Jan 13, 2021 · 0ec2e79 · 0ec2e79
2 parents 271f5b6 + a30793b
commit 0ec2e79
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 17 deletions.
diff --git a/prow/cmd/pipeline/main.go b/prow/cmd/pipeline/main.go
@@ -120,7 +120,7 @@ func main() {
 		logrus.WithError(err).Fatal("failed to load prow config")
 	}
 
-	configs, err := kube.LoadClusterConfigs(o.kubeconfig)
+	configs, err := kube.LoadClusterConfigs(o.kubeconfig, "")
 	if err != nil {
 		logrus.WithError(err).Fatal("Error building client configs")
 	}

diff --git a/prow/flagutil/kubernetes_cluster_clients.go b/prow/flagutil/kubernetes_cluster_clients.go
@@ -52,7 +52,8 @@ func init() {
 // and other resources on the infrastructure cluster, as well as Pods
 // on build clusters.
 type KubernetesOptions struct {
-	kubeconfig string
+	kubeconfig         string
+	projectedTokenFile string
 
 	DeckURI string
 
@@ -101,14 +102,6 @@ func (o *KubernetesOptions) AddKubeconfigChangeCallback(callback func()) error {
 				}
 			}
 		}
-
-		if _, statErr := os.Stat(inCluderTokenPath); statErr == nil {
-			err = watcher.Add(inCluderTokenPath)
-			if err != nil {
-				err = fmt.Errorf("faild to watch %s: %w", inCluderTokenPath, err)
-				return
-			}
-		}
 		o.kubeconfigWatchEvents = watcher.Events
 
 		go func() {
@@ -142,6 +135,7 @@ func (o *KubernetesOptions) AddKubeconfigChangeCallback(callback func()) error {
 func (o *KubernetesOptions) AddFlags(fs *flag.FlagSet) {
 	fs.StringVar(&o.kubeconfig, "kubeconfig", "", "Path to .kube/config file. If empty, uses the local cluster. All contexts other than the default are used as build clusters.")
 	fs.StringVar(&o.DeckURI, "deck-url", "", "Deck URI for read-only access to the infrastructure cluster.")
+	fs.StringVar(&o.projectedTokenFile, "projected-token-file", "", "A projected serviceaccount token file. If set, this will be configured as token file in the in-cluster config.")
 }
 
 // Validate validates Kubernetes options.
@@ -173,7 +167,7 @@ func (o *KubernetesOptions) resolve(dryRun bool) error {
 
 	o.kubeconfigWach = &sync.Once{}
 
-	clusterConfigs, err := kube.LoadClusterConfigs(o.kubeconfig)
+	clusterConfigs, err := kube.LoadClusterConfigs(o.kubeconfig, o.projectedTokenFile)
 	if err != nil {
 		return fmt.Errorf("load --kubeconfig=%q configs: %v", o.kubeconfig, err)
 	}

diff --git a/prow/kube/config.go b/prow/kube/config.go
@@ -25,10 +25,6 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )
 
-func localConfig() (*rest.Config, error) {
-	return rest.InClusterConfig()
-}
-
 func kubeConfigs(kubeconfig string) (map[string]rest.Config, string, error) {
 	// Attempt to load external clusters too
 	var loader clientcmd.ClientConfigLoader
@@ -83,14 +79,19 @@ func mergeConfigs(local *rest.Config, foreign map[string]rest.Config, currentCon
 // .kube/config file. The configs are returned in a mapping of context --> config. The default
 // context is included in this mapping and specified as a return vaule. Errors are returned if
 // .kube/config is specified and invalid or if no valid contexts are found.
-func LoadClusterConfigs(kubeconfig string) (map[string]rest.Config, error) {
+func LoadClusterConfigs(kubeconfig, projectedTokenFile string) (map[string]rest.Config, error) {
 
 	logrus.Infof("Loading cluster contexts...")
 	// This will work if we are running inside kubernetes
-	localCfg, err := localConfig()
+	localCfg, err := rest.InClusterConfig()
 	if err != nil {
 		logrus.WithError(err).Warn("Could not create in-cluster config (expected when running outside the cluster).")
 	}
+	if localCfg != nil && projectedTokenFile != "" {
+		localCfg.BearerToken = ""
+		localCfg.BearerTokenFile = projectedTokenFile
+		logrus.WithField("tokenfile", projectedTokenFile).Info("Using projected token file")
+	}
 
 	kubeCfgs, currentContext, err := kubeConfigs(kubeconfig)
 	if err != nil {