Merge pull request #166 from fiaas/boundserviceaccounttoken-refresh-s…
…erviceaccount-token

Use fiaas/k8s built-in in-cluster configuration to support time-based/refreshing service account tokens (BoundServiceAccountTokenVolume)
oyvindio committed Dec 13, 2021
2 parents 7d90d31 + cfb1dca commit 5f81b65
Showing 4 changed files with 22 additions and 25 deletions.
27 changes: 20 additions & 7 deletions fiaas_deploy_daemon/__init__.py
@@ -98,15 +98,28 @@ def run(self):
self._webapp.run("0.0.0.0", self._config.port)


def init_k8s_client(config):
k8s_config.api_server = config.api_server
k8s_config.api_token = config.api_token
def init_k8s_client(config, log):
if config.client_cert:
k8s_config.cert = (config.client_cert, config.client_key)

if config.api_token:
k8s_config.api_token = config.api_token
else:
# use default in-cluster config if api_token is not explicitly set
try:
# sets api_token_source and verify_ssl
k8s_config.use_in_cluster_config()
except IOError as e:
if not config.client_cert:
log.warn("No apiserver auth config was specified, and in-cluster config could not be set up: " + str(e))

# if api_cert or debug is explicitly set, override in-cluster config setting (if used)
if config.api_cert:
k8s_config.verify_ssl = config.api_cert
else:
elif config.debug:
k8s_config.verify_ssl = not config.debug
if config.client_cert:
k8s_config.cert = (config.client_cert, config.client_key)

k8s_config.api_server = config.api_server
k8s_config.debug = config.debug


@@ -182,8 +195,8 @@ def expose_fdd_version(config):
def main():
cfg = Configuration()
init_logging(cfg)
init_k8s_client(cfg)
log = logging.getLogger(__name__)
init_k8s_client(cfg, log)
warn_if_env_variable_config(cfg, log)
expose_fdd_version(cfg)
signal.signal(signal.SIGUSR2, thread_dump_logger(log))
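Review bot: In `init_k8s_client`, the `elif config.debug:` branch sets `k8s_config.verify_ssl = not config.debug` (always False there) after `use_in_cluster_config()` has set up verification, so an in-cluster run with debug on and no explicit `api_cert` now reaches the apiserver without certificate verification while using the in-cluster token. Before this commit the `_resolve_api_config` method removed from config.py set `api_cert` to the mounted `ca.crt` whenever the token file existed, so the `if config.api_cert:` branch was taken in-cluster and debug did not affect verification. The comment above the branch shows the override is intended, but a debug switch should not silently weaken transport security: write the assignment as `k8s_config.verify_ssl = False` and add `log.warning("debug is set: TLS verification of the apiserver connection is disabled")` next to it, or restrict the branch to the case where in-cluster config was not loaded. `log.warn` in the `except IOError` handler is a deprecated alias of `log.warning`.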
2 changes: 1 addition & 1 deletion fiaas_deploy_daemon/bootstrap/__init__.py
@@ -71,8 +71,8 @@ def run(self):
def main():
cfg = Configuration()
init_logging(cfg)
init_k8s_client(cfg)
log = logging.getLogger(__name__)
init_k8s_client(cfg, log)
try:
log.info("fiaas-deploy-daemon starting with configuration {!r}".format(cfg))
binding_specs = [
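--- a/fiaas_deploy_daemon/config.py
+++ b/fiaas_deploy_daemon/config.py
@@ -151,7 +151,6 @@ def __init__(self, args=None, **kwargs):
 self.image = ""
 self.version = ""
 self._parse_args(args)
-self._resolve_api_config()
 self._resolve_env()
 self.namespace = self._resolve_namespace()
 
@@ -275,13 +274,6 @@ def _parse_args(self, args):
 self.tls_certificate_issuer_type_overrides = {issuer_type.key: issuer_type.value
 for issuer_type in self.tls_certificate_issuer_type_overrides}
 
-def _resolve_api_config(self):
-token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
-if os.path.exists(token_file):
-with open(token_file) as fobj:
-self.api_token = fobj.read().strip()
-self.api_cert = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-
 def _resolve_env(self):
 image = os.getenv("IMAGE")
 if not image:
@@ -295,14 +287,6 @@ def _resolve_env(self):
 if version:
 self.version = version
 
-@staticmethod
-def _resolve_required_variable(key, service_name):
-value = os.getenv(key)
-if not value:
-raise InvalidConfigurationException(
-"{} is not set in environment, unable to resolve service {}".format(key, service_name))
-return value
-
 @staticmethod
 def _resolve_namespace():
 namespace_file_path = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"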
2 changes: 1 addition & 1 deletion setup.py
@@ -33,7 +33,7 @@ def read(filename):
"decorator < 5.0.0", # 5.0.0 and later drops py2 support (transitive dep from pinject)
"six == 1.12.0",
"dnspython == 1.16.0",
"k8s == 0.17.0",
"k8s == 0.20.0",
"monotonic == 1.5",
"appdirs == 1.4.3",
"requests-toolbelt == 0.9.1",