Pull SA token

pkg/descheduler/descheduler.go

@@ -44,6 +44,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	fakeclientset "k8s.io/client-go/kubernetes/fake"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/rest"
 	core "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/events"
@@ -93,6 +94,7 @@ type descheduler struct {
 	metricsCollector        *metricscollector.MetricsCollector
 	prometheusClient        promapi.Client
 	queue                   workqueue.RateLimitingInterface
+	currentAuthToken        string
 }
 
 type informerResources struct {
@@ -199,6 +201,27 @@ func newDescheduler(rs *options.DeschedulerServer, deschedulerPolicy *api.Desche
 	return desch, nil
 }
 
+func (d *descheduler) reconcileInClusterSAToken() error {
+	// Read the sa token and assume it has the sufficient permissions to authenticate
+	cfg, err := rest.InClusterConfig()
+	if err == nil {
+		if d.currentAuthToken != cfg.BearerToken {
+			klog.V(2).Infof("Creating Prometheus client (with SA token)")
+			prometheusClient, err := client.CreatePrometheusClient(d.deschedulerPolicy.Prometheus.URL, cfg.BearerToken, d.deschedulerPolicy.Prometheus.InsecureSkipVerify)
+			if err != nil {
+				return fmt.Errorf("unable to create a prometheus client: %v", err)
+			}
+			d.prometheusClient = prometheusClient
+			d.currentAuthToken = cfg.BearerToken
+		}
+		return nil
+	}
+	if err == rest.ErrNotInCluster {
+		return nil
+	}
+	return fmt.Errorf("unexpected error when reading in cluster config: %v", err)
+}
+
 func (d *descheduler) run(workers int, ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer d.queue.ShutDown()
@@ -510,11 +533,12 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 	defer eventBroadcaster.Shutdown()
 
 	var namespacedSharedInformerFactory informers.SharedInformerFactory
+	reconcileInClusterSAToken := false
 	if deschedulerPolicy.Prometheus.URL != "" {
 		promConfig := deschedulerPolicy.Prometheus
 		// Raw auth token takes precedence
 		if len(promConfig.AuthToken.Raw) > 0 {
-			klog.V(2).Infof("Creating Prometheus client")
+			klog.V(2).Infof("Creating Prometheus client (with raw token)")
 			prometheusClient, err := client.CreatePrometheusClient(deschedulerPolicy.Prometheus.URL, promConfig.AuthToken.Raw, deschedulerPolicy.Prometheus.InsecureSkipVerify)
 			if err != nil {
 				return fmt.Errorf("unable to create a prometheus client: %v", err)
@@ -523,6 +547,9 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 		} else if promConfig.AuthToken.SecretReference.Name != "" {
 			// Will get reconciled
 			namespacedSharedInformerFactory = informers.NewSharedInformerFactoryWithOptions(rs.Client, 0, informers.WithTransform(trimManagedFields), informers.WithNamespace(deschedulerPolicy.Prometheus.AuthToken.SecretReference.Namespace))
+		} else {
+			// Use the sa token and assume it has the sufficient permissions to authenticate
+			reconcileInClusterSAToken = true
 		}
 	}
 
@@ -558,6 +585,14 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 	}
 
 	wait.NonSlidingUntil(func() {
+		if reconcileInClusterSAToken {
+			// Read the sa token and assume it has the sufficient permissions to authenticate
+			if err := descheduler.reconcileInClusterSAToken(); err != nil {
+				klog.ErrorS(err, "unable to reconcile an in cluster SA token")
+				return
+			}
+		}
+
 		// A next context is created here intentionally to avoid nesting the spans via context.
 		sCtx, sSpan := tracing.Tracer().Start(ctx, "NonSlidingUntil")
 		defer sSpan.End()