diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index 2825ecdf74..87aa529e6a 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -471,7 +471,7 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp ) } - genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers) + genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, clientgoExternalClient, sharedInformers) if err != nil { return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err) } 
@@ -555,25 +555,10 @@ func BuildAdmissionPluginInitializers(s *options.ServerRunOptions, client intern } // BuildAuthenticator constructs the authenticator -func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorage.StorageFactory, client internalclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) { +func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorage.StorageFactory, client internalclientset.Interface, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) { authenticatorConfig := s.Authentication.ToAuthenticationConfig() if s.Authentication.ServiceAccounts.Lookup { - // we have to go direct to storage because the clientsets fail when they're initialized with some API versions excluded - // we should stop trying to control them like that. - storageConfigServiceAccounts, err := storageFactory.NewConfig(api.Resource("serviceaccounts")) - if err != nil { - return nil, nil, fmt.Errorf("unable to get serviceaccounts storage: %v", err) - } - storageConfigSecrets, err := storageFactory.NewConfig(api.Resource("secrets")) - if err != nil { - return nil, nil, fmt.Errorf("unable to get secrets storage: %v", err) - } - authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromStorageInterface( - storageConfigServiceAccounts, - storageFactory.ResourcePrefix(api.Resource("serviceaccounts")), - storageConfigSecrets, - storageFactory.ResourcePrefix(api.Resource("secrets")), - ) + authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient) } if client == nil || reflect.ValueOf(client).IsNil() { // TODO: Remove check once client can never be nil. diff --git a/pkg/controller/serviceaccount/BUILD b/pkg/controller/serviceaccount/BUILD index e892621662..f1da2dc72a 100644 
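Review bot: `extclient` is passed to `serviceaccountcontroller.NewGetterFromClient` in the `ServiceAccounts.Lookup` branch without the nil guard that the next statement applies to `client` (`if client == nil || reflect.ValueOf(client).IsNil()`). The `clientGetter` methods in tokengetter.go call `c.client.CoreV1()` on every lookup, so a nil or typed-nil clientset would panic on the token authentication path instead of producing an "invalid authentication config" error at startup. Whether `clientgoExternalClient` can be nil at the BuildGenericConfig call site (first hunk) is not visible here; if it can, fail closed inside the branch with `if extclient == nil || reflect.ValueOf(extclient).IsNil() { return nil, nil, fmt.Errorf("service account lookup requires a client") }`. The removed comment explaining the direct-storage route has no replacement, so I would add `// token lookups are API reads made with extclient's credentials, not direct storage reads` above the assignment. BuildAuthenticator's body continues past the end of the hunk.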
--- a/pkg/controller/serviceaccount/BUILD +++ b/pkg/controller/serviceaccount/BUILD @@ -16,12 +16,8 @@ go_library( ], importpath = "k8s.io/kubernetes/pkg/controller/serviceaccount", deps = [ - "//pkg/apis/core/v1:go_default_library", "//pkg/controller:go_default_library", "//pkg/registry/core/secret:go_default_library", - "//pkg/registry/core/secret/storage:go_default_library", - "//pkg/registry/core/serviceaccount:go_default_library", - "//pkg/registry/core/serviceaccount/storage:go_default_library", "//pkg/serviceaccount:go_default_library", "//pkg/util/metrics:go_default_library", "//vendor/github.com/golang/glog:go_default_library", @@ -33,9 +29,6 @@ go_library( "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library", - "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library", - "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library", - "//vendor/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library", "//vendor/k8s.io/client-go/informers/core/v1:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library", "//vendor/k8s.io/client-go/listers/core/v1:go_default_library", diff --git a/pkg/controller/serviceaccount/tokengetter.go b/pkg/controller/serviceaccount/tokengetter.go index b965ae9d3e..2243d0f00b 100644 --- a/pkg/controller/serviceaccount/tokengetter.go +++ b/pkg/controller/serviceaccount/tokengetter.go 
@@ -19,15 +19,7 @@ package serviceaccount import ( "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - genericapirequest "k8s.io/apiserver/pkg/endpoints/request" - "k8s.io/apiserver/pkg/registry/generic" - "k8s.io/apiserver/pkg/storage/storagebackend" clientset "k8s.io/client-go/kubernetes" - apiv1 "k8s.io/kubernetes/pkg/apis/core/v1" - "k8s.io/kubernetes/pkg/registry/core/secret" - secretstore "k8s.io/kubernetes/pkg/registry/core/secret/storage" - serviceaccountregistry "k8s.io/kubernetes/pkg/registry/core/serviceaccount" - serviceaccountstore "k8s.io/kubernetes/pkg/registry/core/serviceaccount/storage" "k8s.io/kubernetes/pkg/serviceaccount" ) 
@@ -49,53 +41,3 @@ func (c clientGetter) GetServiceAccount(namespace, name string) (*v1.ServiceAcco func (c clientGetter) GetSecret(namespace, name string) (*v1.Secret, error) { return c.client.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{}) } - -// registryGetter implements ServiceAccountTokenGetter using a service account and secret registry -type registryGetter struct { - serviceAccounts serviceaccountregistry.Registry - secrets secret.Registry -} - -// NewGetterFromRegistries returns a ServiceAccountTokenGetter that -// uses the specified registries to retrieve service accounts and secrets. -func NewGetterFromRegistries(serviceAccounts serviceaccountregistry.Registry, secrets secret.Registry) serviceaccount.ServiceAccountTokenGetter { - return ®istryGetter{serviceAccounts, secrets} -} -func (r *registryGetter) GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error) { - ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace) - internalServiceAccount, err := r.serviceAccounts.GetServiceAccount(ctx, name, &metav1.GetOptions{}) - if err != nil { - return nil, err - } - v1ServiceAccount := v1.ServiceAccount{} - err = apiv1.Convert_core_ServiceAccount_To_v1_ServiceAccount(internalServiceAccount, &v1ServiceAccount, nil) - return &v1ServiceAccount, err - -} -func (r *registryGetter) GetSecret(namespace, name string) (*v1.Secret, error) { - ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace) - internalSecret, err := r.secrets.GetSecret(ctx, name, &metav1.GetOptions{}) - if err != nil { - return nil, err - } - v1Secret := v1.Secret{} - err = apiv1.Convert_core_Secret_To_v1_Secret(internalSecret, &v1Secret, nil) - return &v1Secret, err - -} - -// NewGetterFromStorageInterface returns a ServiceAccountTokenGetter that -// uses the specified storage to retrieve service accounts and secrets. 
-func NewGetterFromStorageInterface( - saConfig *storagebackend.Config, - saPrefix string, - secretConfig *storagebackend.Config, - secretPrefix string) serviceaccount.ServiceAccountTokenGetter { - - saOpts := generic.RESTOptions{StorageConfig: saConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: saPrefix} - secretOpts := generic.RESTOptions{StorageConfig: secretConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: secretPrefix} - return NewGetterFromRegistries( - serviceaccountregistry.NewRegistry(serviceaccountstore.NewREST(saOpts, nil, nil, nil)), - secret.NewRegistry(secretstore.NewREST(secretOpts)), - ) -} diff --git a/pkg/registry/core/secret/BUILD b/pkg/registry/core/secret/BUILD index 0cf89ec67a..2626c3cec8 100644 --- a/pkg/registry/core/secret/BUILD +++ b/pkg/registry/core/secret/BUILD @@ -10,7 +10,6 @@ go_library( name = "go_default_library", srcs = [ "doc.go", - "registry.go", "strategy.go", ], importpath = "k8s.io/kubernetes/pkg/registry/core/secret", @@ -19,13 +18,10 @@ go_library( "//pkg/apis/core:go_default_library", "//pkg/apis/core/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/fields:go_default_library", "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library", "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library", "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library", "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library", 
diff --git a/pkg/registry/core/secret/registry.go b/pkg/registry/core/secret/registry.go
deleted file mode 100644
index 8d214d4f1f..0000000000
--- a/pkg/registry/core/secret/registry.go
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package secret
-
-import (
- metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/watch"
- genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
- api "k8s.io/kubernetes/pkg/apis/core"
-)
-
-// Registry is an interface implemented by things that know how to store Secret objects.
-type Registry interface {
- ListSecrets(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*api.SecretList, error)
- WatchSecrets(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
- GetSecret(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*api.Secret, error)
- CreateSecret(ctx genericapirequest.Context, Secret *api.Secret, createValidation rest.ValidateObjectFunc) (*api.Secret, error)
- UpdateSecret(ctx genericapirequest.Context, Secret *api.Secret, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (*api.Secret, error)
- DeleteSecret(ctx genericapirequest.Context, name string) error
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
- rest.StandardStorage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
-// types will panic.
-func NewRegistry(s rest.StandardStorage) Registry { - return &storage{s} -} - -func (s *storage) ListSecrets(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*api.SecretList, error) { - obj, err := s.List(ctx, options) - if err != nil { - return nil, err - } - return obj.(*api.SecretList), nil -} - -func (s *storage) WatchSecrets(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) { - return s.Watch(ctx, options) -} - -func (s *storage) GetSecret(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*api.Secret, error) { - obj, err := s.Get(ctx, name, options) - if err != nil { - return nil, err - } - return obj.(*api.Secret), nil -} - -func (s *storage) CreateSecret(ctx genericapirequest.Context, secret *api.Secret, createValidation rest.ValidateObjectFunc) (*api.Secret, error) { - obj, err := s.Create(ctx, secret, createValidation, false) - return obj.(*api.Secret), err -} - -func (s *storage) UpdateSecret(ctx genericapirequest.Context, secret *api.Secret, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) (*api.Secret, error) { - obj, _, err := s.Update(ctx, secret.Name, rest.DefaultUpdatedObjectInfo(secret), createValidation, updateValidation) - return obj.(*api.Secret), err -} - -func (s *storage) DeleteSecret(ctx genericapirequest.Context, name string) error { - _, _, err := s.Delete(ctx, name, nil) - return err -} diff --git a/pkg/registry/core/serviceaccount/BUILD b/pkg/registry/core/serviceaccount/BUILD index 956de50f0d..076f7f734f 100644 --- a/pkg/registry/core/serviceaccount/BUILD +++ b/pkg/registry/core/serviceaccount/BUILD @@ -9,7 +9,6 @@ go_library( name = "go_default_library", srcs = [ "doc.go", - "registry.go", "strategy.go", ], importpath = "k8s.io/kubernetes/pkg/registry/core/serviceaccount", 
@@ -17,13 +16,9 @@ go_library( "//pkg/api/legacyscheme:go_default_library", "//pkg/apis/core:go_default_library", "//pkg/apis/core/validation:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library", "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library", - "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library", ], ) diff --git a/pkg/registry/core/serviceaccount/registry.go b/pkg/registry/core/serviceaccount/registry.go deleted file mode 100644 index 8d13600577..0000000000 --- a/pkg/registry/core/serviceaccount/registry.go +++ /dev/null 
@@ -1,82 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package serviceaccount
-
-import (
- metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/watch"
- genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
- "k8s.io/apiserver/pkg/registry/rest"
- api "k8s.io/kubernetes/pkg/apis/core"
-)
-
-// Registry is an interface implemented by things that know how to store ServiceAccount objects.
-type Registry interface {
- ListServiceAccounts(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*api.ServiceAccountList, error)
- WatchServiceAccounts(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error)
- GetServiceAccount(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*api.ServiceAccount, error)
- CreateServiceAccount(ctx genericapirequest.Context, ServiceAccount *api.ServiceAccount, createValidation rest.ValidateObjectFunc) error
- UpdateServiceAccount(ctx genericapirequest.Context, ServiceAccount *api.ServiceAccount, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error
- DeleteServiceAccount(ctx genericapirequest.Context, name string) error
-}
-
-// storage puts strong typing around storage calls
-type storage struct {
- rest.StandardStorage
-}
-
-// NewRegistry returns a new Registry interface for the given Storage. Any mismatched
-// types will panic.
-func NewRegistry(s rest.StandardStorage) Registry {
- return &storage{s}
-}
-
-func (s *storage) ListServiceAccounts(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (*api.ServiceAccountList, error) {
- obj, err := s.List(ctx, options)
- if err != nil {
- return nil, err
- }
- return obj.(*api.ServiceAccountList), nil
-}
-
-func (s *storage) WatchServiceAccounts(ctx genericapirequest.Context, options *metainternalversion.ListOptions) (watch.Interface, error) {
- return s.Watch(ctx, options)
-}
-
-func (s *storage) GetServiceAccount(ctx genericapirequest.Context, name string, options *metav1.GetOptions) (*api.ServiceAccount, error) {
- obj, err := s.Get(ctx, name, options)
- if err != nil {
- return nil, err
- }
- return obj.(*api.ServiceAccount), nil
-}
-
-func (s *storage) CreateServiceAccount(ctx genericapirequest.Context, serviceAccount *api.ServiceAccount, createValidation rest.ValidateObjectFunc) error {
- _, err := s.Create(ctx, serviceAccount, createValidation, false)
- return err
-}
-
-func (s *storage) UpdateServiceAccount(ctx genericapirequest.Context, serviceAccount *api.ServiceAccount, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc) error {
- _, _, err := s.Update(ctx, serviceAccount.Name, rest.DefaultUpdatedObjectInfo(serviceAccount), createValidation, updateValidation)
- return err
-}
-
-func (s *storage) DeleteServiceAccount(ctx genericapirequest.Context, name string) error {
- _, _, err := s.Delete(ctx, name, nil)
- return err
-}