Merge pull request #50288 from liggitt/service-account-warning

Automatic merge from submit-queue (batch tested with PRs 50173, 50324, 50288, 50263, 50333)

Honor --use-service-account-credentials and warn when missing private key

Fixes #50275 by logging a warning and failing to start rather than continue to run ignoring the user's specified config

cmd/kube-controller-manager/app/controllermanager.go

@@ -163,7 +163,12 @@ func Run(s *options.CMServer) error {
 			ClientConfig: kubeconfig,
 		}
 		var clientBuilder controller.ControllerClientBuilder
-		if len(s.ServiceAccountKeyFile) > 0 && s.UseServiceAccountCredentials {
+		if s.UseServiceAccountCredentials {
+			if len(s.ServiceAccountKeyFile) > 0 {
+				// It's possible another controller process is creating the tokens for us.
+				// If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.
+				glog.Warningf("--use-service-account-credentials was specified without providing a --service-account-private-key-file")
+			}
 			clientBuilder = controller.SAControllerClientBuilder{
 				ClientConfig:         restclient.AnonymousClientConfig(kubeconfig),
 				CoreClient:           kubeClient.CoreV1(),