Merge pull request #4940 from xyz-li/sa_token

create default token for service account
2022-06-09 11:32:40 +08:00
parent bc00b67a6e 098b77fb4c
commit ac36ff5752
2 changed files with 64 additions and 19 deletions
--- a/pkg/controller/cluster/cluster_controller.go
+++ b/pkg/controller/cluster/cluster_controller.go
@@ -297,10 +297,10 @@ func (c *clusterController) resyncClusters() error {
 	}

 	for _, cluster := range clusters {
-		if err = c.syncCluster(cluster.Name); err != nil {
-			klog.Warningf("failed to sync cluster %s: %s", cluster.Name, err)
-		}
+		key, _ := cache.MetaNamespaceKeyFunc(cluster)
+		c.queue.Add(key)
 	}
+
 	return nil
 }

--- a/pkg/controller/cluster/join.go
+++ b/pkg/controller/cluster/join.go
@@ -18,6 +18,7 @@ package cluster

 import (
 	"context"
+	"fmt"
 	"reflect"
 	"time"

@@ -268,7 +269,7 @@ func createAuthorizedServiceAccount(joiningClusterClientset kubeclient.Interface

 	klog.V(2).Infof("Creating service account in joining cluster: %s", joiningClusterName)

-	saName, err := createServiceAccount(joiningClusterClientset, namespace,
+	saName, err := createServiceAccountWithSecret(joiningClusterClientset, namespace,
 		joiningClusterName, hostClusterName, dryRun, errorOnExisting)
 	if err != nil {
 		klog.V(2).Infof("Error creating service account: %s in joining cluster: %s due to: %v",
@@ -320,25 +321,31 @@ func createAuthorizedServiceAccount(joiningClusterClientset kubeclient.Interface
 	return saName, nil
 }

-// createServiceAccount creates a service account in the cluster associated
+// createServiceAccountWithSecret creates a service account and secret in the cluster associated
 // with clusterClientset with credentials that will be used by the host cluster
 // to access its API server.
-func createServiceAccount(clusterClientset kubeclient.Interface, namespace,
+func createServiceAccountWithSecret(clusterClientset kubeclient.Interface, namespace,
 	joiningClusterName, hostClusterName string, dryRun, errorOnExisting bool) (string, error) {
 	saName := util.ClusterServiceAccountName(joiningClusterName, hostClusterName)
-	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      saName,
-			Namespace: namespace,
-		},
-	}

 	if dryRun {
 		return saName, nil
 	}

-	// Create a new service account.
-	_, err := clusterClientset.CoreV1().ServiceAccounts(namespace).Create(context.Background(), sa, metav1.CreateOptions{})
+	ctx := context.Background()
+	sa, err := clusterClientset.CoreV1().ServiceAccounts(namespace).Get(ctx, saName, metav1.GetOptions{})
+
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			sa = &corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      saName,
+					Namespace: namespace,
+				},
+			}
+			// We must create the sa first, then create the associated secret, and update the sa at last.
+			// Or the kube-controller-manager will delete the secret.
+			sa, err = clusterClientset.CoreV1().ServiceAccounts(namespace).Create(ctx, sa, metav1.CreateOptions{})
 			switch {
 			case apierrors.IsAlreadyExists(err) && errorOnExisting:
 				klog.V(2).Infof("Service account %s/%s already exists in target cluster %s", namespace, saName, joiningClusterName)
@@ -346,6 +353,44 @@ func createServiceAccount(clusterClientset kubeclient.Interface, namespace,
 			case err != nil && !apierrors.IsAlreadyExists(err):
 				klog.V(2).Infof("Could not create service account %s/%s in target cluster %s due to: %v", namespace, saName, joiningClusterName, err)
 				return "", err
+			}
+		} else {
+			return "", err
+		}
+	}
+
+	if len(sa.Secrets) > 0 {
+		return saName, nil
+	}
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: fmt.Sprintf("%s-token-", saName),
+			Namespace:    namespace,
+			Annotations: map[string]string{
+				corev1.ServiceAccountNameKey: saName,
+			},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}
+
+	// After kubernetes v1.24, kube-controller-manger will not create the default secret for
+	// service account. http://kep.k8s.io/2800
+	// Create a default secret.
+	secret, err = clusterClientset.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{})
+
+	if err != nil && !apierrors.IsAlreadyExists(err) {
+		klog.V(2).Infof("Could not create secret for service account %s/%s in target cluster %s due to: %v", namespace, saName, joiningClusterName, err)
+		return "", err
+	}
+
+	// At last, update the service account.
+	sa.Secrets = append(sa.Secrets, corev1.ObjectReference{Name: secret.Name})
+	_, err = clusterClientset.CoreV1().ServiceAccounts(namespace).Update(ctx, sa, metav1.UpdateOptions{})
+	switch {
+	case err != nil:
+		klog.Infof("Could not update service account %s/%s in target cluster %s due to: %v", namespace, saName, joiningClusterName, err)
+		return "", err
 	default:
 		return saName, nil
 	}