Split the serviceaccount package into two parts

Public utility methods and JWT parsing, and controller specific logic. Also remove the coupling between ServiceAccountTokenGetter and the authenticator class.
2015-12-24 16:54:40 -05:00
parent 3d5ed379b0
commit 9dad7e624c
12 changed files with 84 additions and 74 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -45,10 +45,12 @@ import (
 	"k8s.io/kubernetes/pkg/capabilities"
 	client "k8s.io/kubernetes/pkg/client/unversioned"
 	"k8s.io/kubernetes/pkg/cloudprovider"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
 	"k8s.io/kubernetes/pkg/master"
 	"k8s.io/kubernetes/pkg/master/ports"
+	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/kubernetes/pkg/storage"
 	etcdstorage "k8s.io/kubernetes/pkg/storage/etcd"
 	"k8s.io/kubernetes/pkg/util"
@@ -492,18 +494,26 @@ func (s *APIServer) Run(_ []string) error {
 			glog.Warning("No RSA key provided, service account token authentication disabled")
 		}
 	}
+
+	var serviceAccountGetter serviceaccount.ServiceAccountTokenGetter
+	if s.ServiceAccountLookup {
+		// If we need to look up service accounts and tokens,
+		// go directly to etcd to avoid recursive auth insanity
+		serviceAccountGetter = serviceaccountcontroller.NewGetterFromStorageInterface(etcdStorage)
+	}
+
 	authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
-		BasicAuthFile:         s.BasicAuthFile,
-		ClientCAFile:          s.ClientCAFile,
-		TokenAuthFile:         s.TokenAuthFile,
-		OIDCIssuerURL:         s.OIDCIssuerURL,
-		OIDCClientID:          s.OIDCClientID,
-		OIDCCAFile:            s.OIDCCAFile,
-		OIDCUsernameClaim:     s.OIDCUsernameClaim,
-		ServiceAccountKeyFile: s.ServiceAccountKeyFile,
-		ServiceAccountLookup:  s.ServiceAccountLookup,
-		Storage:               etcdStorage,
-		KeystoneURL:           s.KeystoneURL,
+		BasicAuthFile:             s.BasicAuthFile,
+		ClientCAFile:              s.ClientCAFile,
+		TokenAuthFile:             s.TokenAuthFile,
+		OIDCIssuerURL:             s.OIDCIssuerURL,
+		OIDCClientID:              s.OIDCClientID,
+		OIDCCAFile:                s.OIDCCAFile,
+		OIDCUsernameClaim:         s.OIDCUsernameClaim,
+		ServiceAccountKeyFile:     s.ServiceAccountKeyFile,
+		ServiceAccountLookup:      s.ServiceAccountLookup,
+		ServiceAccountTokenGetter: serviceAccountGetter,
+		KeystoneURL:               s.KeystoneURL,
 	})

 	if err != nil {