From f53e2165bfb8a5096c43dc0552831cdea942d83b Mon Sep 17 00:00:00 2001
From: mgianluc
Date: Mon, 7 Oct 2024 11:43:48 +0200
Subject: [PATCH] Token renewal: specify ServiceAccount

When renewing the token, Sveltos can be passed the namespace/name of the ServiceAccount to renew the token for.
---
 api/v1alpha1/sveltoscluster_type.go | 12 ++++++++++
 api/v1alpha1/zz_generated.conversion.go | 4 ++++
 api/v1alpha1/zz_generated.deepcopy.go | 2 +-
 api/v1beta1/sveltoscluster_type.go | 12 ++++++++++
 api/v1beta1/zz_generated.deepcopy.go | 2 +-
 ...lib.projectsveltos.io_sveltosclusters.yaml | 24 +++++++++++++++++++
 lib/crd/sveltosclusters.go | 24 +++++++++++++++++++
 ...sveltosclusters.lib.projectsveltos.io.yaml | 24 +++++++++++++++++++
 8 files changed, 102 insertions(+), 2 deletions(-)

diff --git a/api/v1alpha1/sveltoscluster_type.go b/api/v1alpha1/sveltoscluster_type.go
index c93154b..19a4f45 100644
--- a/api/v1alpha1/sveltoscluster_type.go
+++ b/api/v1alpha1/sveltoscluster_type.go
@@ -51,6 +51,18 @@ const (
 type TokenRequestRenewalOption struct {
 // RenewTokenRequestInterval is the interval at which to renew the TokenRequest
 RenewTokenRequestInterval metav1.Duration `json:"renewTokenRequestInterval"`
+
+ // SANamespace is the namespace of the ServiceAccount to renew the token for.
+ // If specified, ServiceAccount must exist in the managed cluster.
+ // If not specified, sveltos will try to deduce it from current kubeconfig
+ // +optional
+ SANamespace string `json:"saNamespace,omitempty"`
+
+ // SAName is name of the ServiceAccount to renew the token for.
+ // If specified, ServiceAccount must exist in the managed cluster.
+ // If not specified, sveltos will try to deduce it from current kubeconfig
+ // +optional
+ SAName string `json:"saName,omitempty"`
 }

 // SveltosClusterSpec defines the desired state of SveltosCluster
diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go
index 640599a..52fd2cb 100644
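Review bot: `SANamespace` and `SAName` in `TokenRequestRenewalOption` are accepted as unconstrained strings and nothing requires them to be set together, although they select the ServiceAccount identity a renewed token is issued for in the managed cluster. Consider a struct-level rule such as `// +kubebuilder:validation:XValidation:rule="has(self.saName) == has(self.saNamespace)",message="saName and saNamespace must be set together"`, plus `// +kubebuilder:validation:MaxLength=63` on `SANamespace` and `// +kubebuilder:validation:MaxLength=253` on `SAName`, so malformed or half-specified values are rejected at admission. The doc comments should also state what happens when only one field is set, and that anyone able to edit this spec can point renewal at a different ServiceAccount, presumably bounded only by the `serviceaccounts/token` create permission of the current kubeconfig identity (the renewal code is not part of this patch). The same applies to the identical hunk in `api/v1beta1/sveltoscluster_type.go`.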
--- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go @@ -2951,6 +2951,8 @@ func Convert_v1beta1_SveltosClusterStatus_To_v1alpha1_SveltosClusterStatus(in *v func autoConvert_v1alpha1_TokenRequestRenewalOption_To_v1beta1_TokenRequestRenewalOption(in *TokenRequestRenewalOption, out *v1beta1.TokenRequestRenewalOption, s conversion.Scope) error { out.RenewTokenRequestInterval = in.RenewTokenRequestInterval + out.SANamespace = in.SANamespace + out.SAName = in.SAName return nil } @@ -2961,6 +2963,8 @@ func Convert_v1alpha1_TokenRequestRenewalOption_To_v1beta1_TokenRequestRenewalOp func autoConvert_v1beta1_TokenRequestRenewalOption_To_v1alpha1_TokenRequestRenewalOption(in *v1beta1.TokenRequestRenewalOption, out *TokenRequestRenewalOption, s conversion.Scope) error { out.RenewTokenRequestInterval = in.RenewTokenRequestInterval + out.SANamespace = in.SANamespace + out.SAName = in.SAName return nil } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 07900a8..f0752d8 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -21,7 +21,7 @@ limitations under the License. package v1alpha1 import ( - v1 "k8s.io/api/core/v1" + "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) diff --git a/api/v1beta1/sveltoscluster_type.go b/api/v1beta1/sveltoscluster_type.go index 706ff4a..e4cc593 100644 --- a/api/v1beta1/sveltoscluster_type.go +++ b/api/v1beta1/sveltoscluster_type.go 
@@ -51,6 +51,18 @@ const (
 type TokenRequestRenewalOption struct {
 // RenewTokenRequestInterval is the interval at which to renew the TokenRequest
 RenewTokenRequestInterval metav1.Duration `json:"renewTokenRequestInterval"`
+
+ // SANamespace is the namespace of the ServiceAccount to renew the token for.
+ // If specified, ServiceAccount must exist in the managed cluster.
+ // If not specified, sveltos will try to deduce it from current kubeconfig
+ // +optional
+ SANamespace string `json:"saNamespace,omitempty"`
+
+ // SAName is name of the ServiceAccount to renew the token for.
+ // If specified, ServiceAccount must exist in the managed cluster.
+ // If not specified, sveltos will try to deduce it from current kubeconfig
+ // +optional
+ SAName string `json:"saName,omitempty"`
 }

 // SveltosClusterSpec defines the desired state of SveltosCluster
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 9ba7046..7c62653 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -21,7 +21,7 @@ limitations under the License. package v1beta1 import ( - v1 "k8s.io/api/core/v1" + "k8s.io/api/core/v1" runtime "k8s.io/apimachinery/pkg/runtime" )
diff --git a/config/crd/bases/lib.projectsveltos.io_sveltosclusters.yaml b/config/crd/bases/lib.projectsveltos.io_sveltosclusters.yaml
index fcbbc30..9006459 100644
--- a/config/crd/bases/lib.projectsveltos.io_sveltosclusters.yaml
+++ b/config/crd/bases/lib.projectsveltos.io_sveltosclusters.yaml
@@ -102,6 +102,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object @@ -240,6 +252,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object diff --git a/lib/crd/sveltosclusters.go b/lib/crd/sveltosclusters.go index 70c4124..f6837c0 100644 --- a/lib/crd/sveltosclusters.go +++ b/lib/crd/sveltosclusters.go 
@@ -120,6 +120,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object @@ -258,6 +270,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object diff --git a/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml b/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml index 5b8d565..87a2b9d 100644 --- a/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml +++ b/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml 
@@ -101,6 +101,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object @@ -239,6 +251,18 @@ spec: description: RenewTokenRequestInterval is the interval at which to renew the TokenRequest type: string + saName: + description: |- + SAName is name of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string + saNamespace: + description: |- + SANamespace is the namespace of the ServiceAccount to renew the token for. + If specified, ServiceAccount must exist in the managed cluster. + If not specified, sveltos will try to deduce it from current kubeconfig + type: string required: - renewTokenRequestInterval type: object