fix(k8s/user): remove username part from service account (#4147)

2020-08-04 16:01:15 +12:00 · 2020-08-04 16:01:15 +12:00 · 909e1ef02c
parent bd7d7dcef5
commit 909e1ef02c
5 changed files with 14 additions and 14 deletions
--- a/api/http/proxy/factory/kubernetes/token.go
+++ b/api/http/proxy/factory/kubernetes/token.go
@ -45,7 +45,7 @@ func (manager *tokenManager) getAdminServiceAccountToken() string {
 	return manager.adminToken
 }

-func (manager *tokenManager) getUserServiceAccountToken(userID int, username string) (string, error) {
+func (manager *tokenManager) getUserServiceAccountToken(userID int) (string, error) {
 	manager.mutex.Lock()
 	defer manager.mutex.Unlock()

@ -61,12 +61,12 @@ func (manager *tokenManager) getUserServiceAccountToken(userID int, username str
 			teamIds = append(teamIds, int(membership.TeamID))
 		}

-		err = manager.kubecli.SetupUserServiceAccount(userID, username, teamIds)
+		err = manager.kubecli.SetupUserServiceAccount(userID, teamIds)
 		if err != nil {
 			return "", err
 		}

-		serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID, username)
+		serviceAccountToken, err := manager.kubecli.GetServiceAccountBearerToken(userID)
 		if err != nil {
 			return "", err
 		}
--- a/api/http/proxy/factory/kubernetes/transport.go
+++ b/api/http/proxy/factory/kubernetes/transport.go
@ -59,7 +59,7 @@ func (transport *localTransport) RoundTrip(request *http.Request) (*http.Respons
 	if tokenData.Role == portainer.AdministratorRole {
 		token = transport.tokenManager.getAdminServiceAccountToken()
 	} else {
-		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username)
+		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
 		if err != nil {
 			return nil, err
 		}
@ -94,7 +94,7 @@ func (transport *agentTransport) RoundTrip(request *http.Request) (*http.Respons
 	if tokenData.Role == portainer.AdministratorRole {
 		token = transport.tokenManager.getAdminServiceAccountToken()
 	} else {
-		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username)
+		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
 		if err != nil {
 			return nil, err
 		}
@ -136,7 +136,7 @@ func (transport *edgeTransport) RoundTrip(request *http.Request) (*http.Response
 	if tokenData.Role == portainer.AdministratorRole {
 		token = transport.tokenManager.getAdminServiceAccountToken()
 	} else {
-		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID), tokenData.Username)
+		token, err = transport.tokenManager.getUserServiceAccountToken(int(tokenData.ID))
 		if err != nil {
 			return nil, err
 		}
--- a/api/kubernetes/cli/naming.go
+++ b/api/kubernetes/cli/naming.go
@ -13,8 +13,8 @@ const (
 	portainerConfigMapAccessPoliciesKey = "NamespaceAccessPolicies"
 )

-func userServiceAccountName(userID int, username string) string {
-	return fmt.Sprintf("%s-%d-%s", portainerUserServiceAccountPrefix, userID, username)
+func userServiceAccountName(userID int) string {
+	return fmt.Sprintf("%s-%d", portainerUserServiceAccountPrefix, userID)
 }

 func userServiceAccountTokenSecretName(serviceAccountName string) string {
--- a/api/kubernetes/cli/service_account.go
+++ b/api/kubernetes/cli/service_account.go
@ -8,8 +8,8 @@ import (
 )

 // GetServiceAccountBearerToken returns the ServiceAccountToken associated to the specified user.
-func (kcl *KubeClient) GetServiceAccountBearerToken(userID int, username string) (string, error) {
-	serviceAccountName := userServiceAccountName(userID, username)
+func (kcl *KubeClient) GetServiceAccountBearerToken(userID int) (string, error) {
+	serviceAccountName := userServiceAccountName(userID)

 	return kcl.getServiceAccountToken(serviceAccountName)
 }
@ -17,8 +17,8 @@ func (kcl *KubeClient) GetServiceAccountBearerToken(userID int, username string)
 // SetupUserServiceAccount will make sure that all the required resources are created inside the Kubernetes
 // cluster before creating a ServiceAccount and a ServiceAccountToken for the specified Portainer user.
 //It will also create required default RoleBinding and ClusterRoleBinding rules.
-func (kcl *KubeClient) SetupUserServiceAccount(userID int, username string, teamIDs []int) error {
-	serviceAccountName := userServiceAccountName(userID, username)
+func (kcl *KubeClient) SetupUserServiceAccount(userID int, teamIDs []int) error {
+	serviceAccountName := userServiceAccountName(userID)

 	err := kcl.ensureRequiredResourcesExist()
 	if err != nil {
--- a/api/portainer.go
+++ b/api/portainer.go
@ -961,8 +961,8 @@ type (

 	// KubeClient represents a service used to query a Kubernetes environment
 	KubeClient interface {
-		SetupUserServiceAccount(userID int, username string, teamIDs []int) error
-		GetServiceAccountBearerToken(userID int, username string) (string, error)
+		SetupUserServiceAccount(userID int, teamIDs []int) error
+		GetServiceAccountBearerToken(userID int) (string, error)
 		StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error
 	}