
Only create token secrets for broker ServiceAccounts
We don't need them created for the pod ServiceAccounts.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
tpantelis committed Aug 25, 2023
1 parent ccdc7f5 commit 95c5c0c
Showing 2 changed files with 17 additions and 39 deletions.
9 changes: 7 additions & 2 deletions pkg/broker/ensure.go
Expand Up @@ -23,7 +23,7 @@ import (

"github.com/pkg/errors"
"github.com/submariner-io/subctl/internal/component"
"github.com/submariner-io/subctl/internal/rbac"
"github.com/submariner-io/subctl/internal/constants"
"github.com/submariner-io/subctl/pkg/gateway"
"github.com/submariner-io/subctl/pkg/namespace"
"github.com/submariner-io/subctl/pkg/role"
Expand Down Expand Up @@ -102,7 +102,7 @@ func CreateSAForCluster(ctx context.Context, kubeClient kubernetes.Interface, cl
return nil, errors.Wrap(err, "error binding sa to cluster role")
}

clientToken, err := rbac.GetClientTokenSecret(ctx, kubeClient, inNamespace, saName)
clientToken, err := serviceaccount.EnsureTokenSecret(ctx, kubeClient, inNamespace, saName)
if err != nil {
return nil, errors.Wrap(err, "error getting cluster sa token")
}
Expand Down Expand Up @@ -168,6 +168,11 @@ func CreateNewBrokerSA(ctx context.Context, kubeClient kubernetes.Interface, sub
//nolint:wrapcheck // No need to wrap here
func CreateNewBrokerAdminSA(ctx context.Context, kubeClient kubernetes.Interface, inNamespace string) (err error) {
_, err = serviceaccount.EnsureFromYAML(ctx, kubeClient, inNamespace, embeddedyamls.Config_broker_broker_admin_service_account_yaml)
if err != nil {
return err
}

_, err = serviceaccount.EnsureTokenSecret(ctx, kubeClient, inNamespace, constants.SubmarinerBrokerAdminSA)

return err
}
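Review bot: The new calls on lines 33 and 45 pass the arguments to `serviceaccount.EnsureTokenSecret` in the wrong order: the function is declared as `EnsureTokenSecret(ctx, client, saName, namespace string)` in pkg/serviceaccount/ensure.go (the second file of this commit), yet both call sites pass `inNamespace` before the account name. Because both parameters are `string` this compiles, and the visible body of EnsureTokenSecret forwards them to `rbac.GetClientTokenSecret(ctx, client, namespace, saName)`, so the token Secret is looked up (and presumably created; the rest of that body is outside the hunk) for a ServiceAccount named after the namespace inside a namespace named after the account, leaving the broker SAs this commit targets without a usable token. The call sites should read `serviceaccount.EnsureTokenSecret(ctx, kubeClient, saName, inNamespace)` and `serviceaccount.EnsureTokenSecret(ctx, kubeClient, constants.SubmarinerBrokerAdminSA, inNamespace)`. CreateSAForCluster's body starts and ends outside its hunk; CreateNewBrokerAdminSA is fully visible.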
47 changes: 10 additions & 37 deletions pkg/serviceaccount/ensure.go
Expand Up @@ -42,67 +42,40 @@ const (
creatorName = "subctl"
)

// ensureFromYAML creates the given service account.
func ensureFromYAML(ctx context.Context, kubeClient kubernetes.Interface, namespace, yaml string) (*corev1.ServiceAccount, error) {
sa := &corev1.ServiceAccount{}

err := embeddedyamls.GetObject(yaml, sa)
if err != nil {
return nil, err //nolint:wrapcheck // No need to wrap errors here.
}

err = ensure(ctx, kubeClient, namespace, sa)
if err != nil {
return nil, err
}

return sa, err
}

//nolint:wrapcheck // No need to wrap errors here.
func ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount) error {
_, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa,
func ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount) (bool, error) {
result, err := util.CreateOrUpdate(ctx, resource.ForServiceAccount(kubeClient, namespace), sa,
func(existing runtime.Object) (runtime.Object, error) {
existing.(*corev1.ServiceAccount).Secrets = nil
return existing, nil
})

return err
return result == util.OperationResultCreated, errors.Wrapf(err, "error creating or updating ServiceAccount %q", sa.Name)
}

//nolint:wrapcheck // No need to wrap errors here.
func Ensure(ctx context.Context, kubeClient kubernetes.Interface, namespace string, sa *corev1.ServiceAccount,
) (*corev1.ServiceAccount, error) {
err := ensure(ctx, kubeClient, namespace, sa)
_, err := ensure(ctx, kubeClient, namespace, sa)
if err != nil {
return nil, err
}

_, err = EnsureSecretFromSA(ctx, kubeClient, sa.Name, namespace)

if err != nil {
return nil, errors.Wrap(err, "failed to get secret for broker SA")
}

return kubeClient.CoreV1().ServiceAccounts(namespace).Get(ctx, sa.Name, metav1.GetOptions{})
}

// EnsureFromYAML creates the given service account and secret for it.
// EnsureFromYAML creates the given service account from the YAML representation.
func EnsureFromYAML(ctx context.Context, kubeClient kubernetes.Interface, namespace, yaml string) (bool, error) {
sa, err := ensureFromYAML(ctx, kubeClient, namespace, yaml)
if err != nil {
return false, errors.Wrap(err, "error provisioning the ServiceAccount resource")
}
sa := &corev1.ServiceAccount{}

saSecret, err := EnsureSecretFromSA(ctx, kubeClient, sa.Name, namespace)
err := embeddedyamls.GetObject(yaml, sa)
if err != nil {
return false, errors.Wrap(err, "error creating secret for ServiceAccount resource")
return false, errors.Wrap(err, "error extracting ServiceAccount resource from YAML")
}

return sa != nil && saSecret != nil, nil
return ensure(ctx, kubeClient, namespace, sa)
}

func EnsureSecretFromSA(ctx context.Context, client kubernetes.Interface, saName, namespace string) (*corev1.Secret, error) {
func EnsureTokenSecret(ctx context.Context, client kubernetes.Interface, saName, namespace string) (*corev1.Secret, error) {
saSecret, err := rbac.GetClientTokenSecret(ctx, client, namespace, saName)
if err == nil {
return saSecret, nil
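Review bot: The bool returned by `EnsureFromYAML` changes meaning in this hunk but the rewritten doc comment does not say so: it used to be `sa != nil && saSecret != nil` (true on any successful return) and now comes from `ensure`, which reports `result == util.OperationResultCreated`, so an already-existing ServiceAccount yields false. Suggest `// EnsureFromYAML creates the given service account from the YAML representation. It returns true if the ServiceAccount was created by this call and false if it already existed.`, so callers do not treat false as failure. The exported `EnsureTokenSecret` also lacks a doc comment; something like `// EnsureTokenSecret returns the token Secret for the named ServiceAccount, creating it when none exists.` would do, to be confirmed against the rest of its body, which continues outside the hunk. The `//nolint:wrapcheck // No need to wrap errors here.` directive kept above `ensure` is now stale, since that function wraps its error with `errors.Wrapf`, and should be dropped.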
