feat: support service account token auth mode

Signed-off-by: hongming <coder.scala@gmail.com>
2025-03-19 11:40:42 +08:00
parent 2660e60209
commit d064ef67c7
14 changed files with 294 additions and 31 deletions
--- a/pkg/models/iam/am/am.go
+++ b/pkg/models/iam/am/am.go
@@ -23,6 +23,8 @@ import (

 	"kubesphere.io/kubesphere/pkg/api"
 	"kubesphere.io/kubesphere/pkg/apiserver/query"
+	"kubesphere.io/kubesphere/pkg/constants"
+	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
 	resourcev1beta1 "kubesphere.io/kubesphere/pkg/models/resources/v1beta1"
 	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
 )
@@ -588,6 +590,11 @@ func (am *amOperator) CreateOrUpdateNamespaceRoleBinding(username string, namesp
 				APIGroup: iamv1beta1.SchemeGroupVersion.Group,
 				Name:     username,
 			},
+			{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      fmt.Sprintf(kubeconfig.UserKubeConfigServiceAccountNameFormat, username),
+				Namespace: constants.KubeSphereNamespace,
+			},
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: iamv1beta1.SchemeGroupVersion.Group,
@@ -637,6 +644,11 @@ func (am *amOperator) CreateOrUpdateClusterRoleBinding(username string, role str
 				APIGroup: iamv1beta1.SchemeGroupVersion.Group,
 				Name:     username,
 			},
+			{
+				Kind:      rbacv1.ServiceAccountKind,
+				Name:      fmt.Sprintf(kubeconfig.UserKubeConfigServiceAccountNameFormat, username),
+				Namespace: constants.KubeSphereNamespace,
+			},
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: iamv1beta1.SchemeGroupVersion.Group,
--- a/pkg/models/kubeconfig/kubeconfig.go
+++ b/pkg/models/kubeconfig/kubeconfig.go
@@ -18,14 +18,15 @@ import (
 )

 const (
-	ConfigTypeKubeConfig           = "kubeconfig"
-	SecretTypeKubeConfig           = "config.kubesphere.io/" + ConfigTypeKubeConfig
-	FileName                       = "config"
-	DefaultClusterName             = "local"
-	DefaultNamespace               = "default"
-	InClusterCAFilePath            = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-	PrivateKeyAnnotation           = "kubesphere.io/private-key"
-	UserKubeConfigSecretNameFormat = "kubeconfig-%s"
+	ConfigTypeKubeConfig                   = "kubeconfig"
+	SecretTypeKubeConfig                   = "config.kubesphere.io/" + ConfigTypeKubeConfig
+	FileName                               = "config"
+	DefaultClusterName                     = "local"
+	DefaultNamespace                       = "default"
+	InClusterCAFilePath                    = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	PrivateKeyAnnotation                   = "kubesphere.io/private-key"
+	UserKubeConfigSecretNameFormat         = "kubeconfig-%s"
+	UserKubeConfigServiceAccountNameFormat = "kubesphere.users.%s"
 )

 type Interface interface {
--- a/pkg/models/kubeconfig/options.go
+++ b/pkg/models/kubeconfig/options.go
@@ -0,0 +1,18 @@
+package kubeconfig
+
+const (
+	AuthModeServiceAccountToken AuthMode = "service-account-token"
+	AuthModeClientCertificate   AuthMode = "client-certificate"
+	AuthModeOIDCToken           AuthMode = "oidc-token"
+	AuthModeWebhookToken        AuthMode = "webhook-token"
+)
+
+type AuthMode string
+
+type Options struct {
+	AuthMode AuthMode `json:"authMode" yaml:"authMode" mapstructure:"authMode"`
+}
+
+func NewOptions() *Options {
+	return &Options{AuthMode: AuthModeClientCertificate}
+}