From 4a211805980034da8033cf3d76b574ad395460a7 Mon Sep 17 00:00:00 2001
From: Jan Chaloupka
Date: Mon, 18 Nov 2024 19:21:03 +0100
Subject: [PATCH] Pull SA token

---
 pkg/descheduler/descheduler.go | 37 +++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/pkg/descheduler/descheduler.go b/pkg/descheduler/descheduler.go
index 704f66eb49..5b5e1a97ed 100644
--- a/pkg/descheduler/descheduler.go
+++ b/pkg/descheduler/descheduler.go
@@ -44,6 +44,7 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 fakeclientset "k8s.io/client-go/kubernetes/fake"
 corev1listers "k8s.io/client-go/listers/core/v1"
+ "k8s.io/client-go/rest"
 core "k8s.io/client-go/testing"
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/tools/events"
@@ -93,6 +94,7 @@ type descheduler struct {
 metricsCollector *metricscollector.MetricsCollector
 prometheusClient promapi.Client
 queue workqueue.RateLimitingInterface
+ currentAuthToken string
 }
 
 type informerResources struct {
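Review bot: The new `currentAuthToken string` field in the descheduler struct has no comment, and because it holds a bearer token its role is worth stating so nobody later logs or serializes it by accident; I would add `// currentAuthToken is the in-cluster SA bearer token the Prometheus client was last built with; it is compared against rest.InClusterConfig() each cycle so a rotated token rebuilds the client.` The struct definition starts outside the hunk.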
@@ -199,6 +201,27 @@ func newDescheduler(rs *options.DeschedulerServer, deschedulerPolicy *api.Desche
 return desch, nil
 }
 
+func (d *descheduler) reconcileInClusterSAToken() error {
+ // Read the sa token and assume it has the sufficient permissions to authenticate
+ cfg, err := rest.InClusterConfig()
+ if err == nil {
+ if d.currentAuthToken != cfg.BearerToken {
+ klog.V(2).Infof("Creating Prometheus client (with SA token)")
+ prometheusClient, err := client.CreatePrometheusClient(d.deschedulerPolicy.Prometheus.URL, cfg.BearerToken, d.deschedulerPolicy.Prometheus.InsecureSkipVerify)
+ if err != nil {
+ return fmt.Errorf("unable to create a prometheus client: %v", err)
+ }
+ d.prometheusClient = prometheusClient
+ d.currentAuthToken = cfg.BearerToken
+ }
+ return nil
+ }
+ if err == rest.ErrNotInCluster {
+ return nil
+ }
+ return fmt.Errorf("unexpected error when reading in cluster config: %v", err)
+}
+
 func (d *descheduler) run(workers int, ctx context.Context) {
 defer utilruntime.HandleCrash()
 defer d.queue.ShutDown()
@@ -510,11 +533,12 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 defer eventBroadcaster.Shutdown()
 
 var namespacedSharedInformerFactory informers.SharedInformerFactory
+ reconcileInClusterSAToken := false
 if deschedulerPolicy.Prometheus.URL != "" {
 promConfig := deschedulerPolicy.Prometheus
 // Raw auth token takes precedence
 if len(promConfig.AuthToken.Raw) > 0 {
- klog.V(2).Infof("Creating Prometheus client")
+ klog.V(2).Infof("Creating Prometheus client (with raw token)")
 prometheusClient, err := client.CreatePrometheusClient(deschedulerPolicy.Prometheus.URL, promConfig.AuthToken.Raw, deschedulerPolicy.Prometheus.InsecureSkipVerify)
 if err != nil {
 return fmt.Errorf("unable to create a prometheus client: %v", err)
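Review bot: When `rest.InClusterConfig()` reports `rest.ErrNotInCluster`, reconcileInClusterSAToken returns nil without ever building a client, so a policy with Prometheus.URL set but no token configured leaves `d.prometheusClient` unset silently; unless a nil client is handled downstream (not visible here), that branch should at least log once, e.g. `klog.V(1).Infof("Prometheus URL configured without an auth token and not running in-cluster; no Prometheus client created")`, or return an error. Two smaller points: compare the sentinel with `errors.Is(err, rest.ErrNotInCluster)` rather than `==`, which relies on InClusterConfig never wrapping it, and the inner `prometheusClient, err := ...` shadows the outer `err`, which only works because that branch is entered when err is nil. The method also lacks a doc comment; I would add `// reconcileInClusterSAToken rebuilds the Prometheus client whenever the in-cluster service-account bearer token differs from the one the current client was built with; it is a no-op when not running in a cluster.`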
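Review bot: The local `reconcileInClusterSAToken` introduced on the `:= false` line carries the same name as the new method, so the call site in the last hunk reads `if reconcileInClusterSAToken { ... descheduler.reconcileInClusterSAToken() ...`, which is easy to misread as a recursive or duplicated call. A name that states the decision rather than the action keeps flag and method distinct: `useInClusterSAToken := false` here, and `useInClusterSAToken = true` / `if useInClusterSAToken {` in the two following hunks. RunDeschedulerStrategies starts and ends outside this hunk.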
@@ -523,6 +547,9 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 }
 } else if promConfig.AuthToken.SecretReference.Name != "" {
 // Will get reconciled
 namespacedSharedInformerFactory = informers.NewSharedInformerFactoryWithOptions(rs.Client, 0, informers.WithTransform(trimManagedFields), informers.WithNamespace(deschedulerPolicy.Prometheus.AuthToken.SecretReference.Namespace))
+ } else {
+ // Use the sa token and assume it has the sufficient permissions to authenticate
+ reconcileInClusterSAToken = true
 }
 }
@@ -558,6 +585,14 @@ func RunDeschedulerStrategies(ctx context.Context, rs *options.DeschedulerServer
 }
 
 wait.NonSlidingUntil(func() {
+ if reconcileInClusterSAToken {
+ // Read the sa token and assume it has the sufficient permissions to authenticate
+ if err := descheduler.reconcileInClusterSAToken(); err != nil {
+ klog.ErrorS(err, "unable to reconcile an in cluster SA token")
+ return
+ }
+ }
+
 // A next context is created here intentionally to avoid nesting the spans via context.
 sCtx, sSpan := tracing.Tracer().Start(ctx, "NonSlidingUntil")
 defer sSpan.End()
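Review bot: The new `else` branch makes the pod's own service-account token the implicit credential whenever Prometheus.URL is set without an AuthToken, which turns the previously unauthenticated case into one that presents a Kubernetes API credential to whatever URL the policy names, and together with `InsecureSkipVerify` that token would travel over an unverified TLS connection. This default deserves to be explicit rather than a fall-through: either an opt-in field on the Prometheus config (not part of this patch) or, at minimum, a startup log line such as `klog.V(1).Infof("No Prometheus auth token configured; using the in-cluster service account token")` plus a sentence in the API type's documentation so operators know the SA token is being sent. The if/else chain and RunDeschedulerStrategies both continue outside the hunk.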
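Review bot: The comment above the new `if reconcileInClusterSAToken` block repeats the one inside the method instead of explaining why the call sits in the loop, and the `return` on error skips the whole descheduling cycle; I would replace the comment with `// Re-read the projected SA token every cycle so a rotated token is picked up without a restart; on a read failure the cycle is skipped rather than run with a possibly stale client.` Because the return happens before `tracing.Tracer().Start`, a persistently failing token read leaves no span for the skipped cycles beyond the ErrorS line, which is worth confirming is acceptable for operators watching traces rather than logs. The NonSlidingUntil callback and RunDeschedulerStrategies continue outside the hunk.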