fix: issue service account tokens via tokenrequest api

loft-sh · Sep 22, 2021 · f9e2517 · f9e2517
1 parent ae84a93
commit f9e2517
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 10 deletions.
diff --git a/devspace.yaml b/devspace.yaml
@@ -14,7 +14,6 @@ images:
     rebuildStrategy: ignoreContextChanges
     build:
       buildKit:
-        skipPush: true
         options:
           target: builder
 deployments:

diff --git a/devspace_start.sh b/devspace_start.sh
@@ -15,7 +15,8 @@ ${COLOR_RESET}
 Welcome to your development container!
 This is how you can work with it:
 - Run \`${COLOR_CYAN}go run -mod vendor cmd/vcluster/main.go${COLOR_RESET}\` to start vcluster
-- Run \`devspace enter -n vcluster --pod ${HOSTNAME} -c syncer\` to create another shell into this container
+- Run \`${COLOR_CYAN}devspace enter -n vcluster --pod ${HOSTNAME} -c syncer${COLOR_RESET}\` to create another shell into this container
+- Run \`${COLOR_CYAN}kubectl ...${COLOR_RESET}\` from within the container to access the vcluster if its started
 - ${COLOR_CYAN}Files will be synchronized${COLOR_RESET} between your local machine and this container
 "
 

diff --git a/pkg/controllers/resources/pods/translate/translator.go b/pkg/controllers/resources/pods/translate/translator.go
@@ -11,9 +11,11 @@ import (
 	"github.com/loft-sh/vcluster/pkg/util/translate"
 	"github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/keyutil"
 	"k8s.io/utils/pointer"
 	"regexp"
@@ -63,6 +65,7 @@ func NewTranslator(ctx *context2.ControllerContext) (Translator, error) {
 	}
 
 	return &translator{
+		vClientConfig:   ctx.VirtualManager.GetConfig(),
 		vClient:         ctx.VirtualManager.GetClient(),
 		imageTranslator: imageTranslator,
 		tokenGenerator:  tokenGenerator,
@@ -77,6 +80,7 @@ func NewTranslator(ctx *context2.ControllerContext) (Translator, error) {
 }
 
 type translator struct {
+	vClientConfig   *rest.Config
 	vClient         client.Client
 	tokenGenerator  serviceaccount.TokenGenerator
 	imageTranslator ImageTranslator
@@ -478,21 +482,34 @@ func (t *translator) translateProjectedVolume(projectedVolume *corev1.ProjectedV
 				serviceAccountName = vPod.Spec.DeprecatedServiceAccount
 			}
 
-			serviceAccount := corev1.ServiceAccount{}
-			err := t.vClient.Get(context.Background(), types.NamespacedName{Namespace: vPod.Namespace, Name: serviceAccountName}, &serviceAccount)
+			// create new client
+			vClient, err := kubernetes.NewForConfig(t.vClientConfig)
 			if err != nil {
-				return errors.Wrapf(err, "get service account "+serviceAccountName)
+				return errors.Wrap(err, "create client")
 			}
 
 			audience := "https://kubernetes.default.svc." + t.clusterDomain
 			if projectedVolume.Sources[i].ServiceAccountToken.Audience != "" {
 				audience = projectedVolume.Sources[i].ServiceAccountToken.Audience
 			}
 
-			public, private := serviceaccount.Claims(serviceAccount, vPod, nil, 10*365*24*60*60, 0, []string{audience})
-			serviceAccountToken, err := t.tokenGenerator.GenerateToken(public, private)
+			expirationSeconds := int64(10 * 365 * 24 * 60 * 60)
+			token, err := vClient.CoreV1().ServiceAccounts(vPod.Namespace).CreateToken(context.Background(), serviceAccountName, &authenticationv1.TokenRequest{
+				Spec: authenticationv1.TokenRequestSpec{
+					Audiences: []string{audience},
+					BoundObjectRef: &authenticationv1.BoundObjectReference{
+						APIVersion: corev1.SchemeGroupVersion.String(),
+						Kind:       "Pod",
+						Name:       vPod.Name,
+						UID:        vPod.UID,
+					},
+					ExpirationSeconds: &expirationSeconds,
+				},
+			}, metav1.CreateOptions{})
 			if err != nil {
-				return errors.Wrap(err, "generate token")
+				return errors.Wrap(err, "create token")
+			} else if token.Status.Token == "" {
+				return errors.New("received empty token")
 			}
 
 			// set the token as annotation
@@ -503,7 +520,7 @@ func (t *translator) translateProjectedVolume(projectedVolume *corev1.ProjectedV
 			for {
 				annotation = ServiceAccountTokenAnnotation + random.RandomString(8)
 				if pPod.Annotations[annotation] == "" {
-					pPod.Annotations[annotation] = serviceAccountToken
+					pPod.Annotations[annotation] = token.Status.Token
 					break
 				}
 			}