	Add service account token and annotation to v1 CredentialProviderRequest
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
		@@ -32,6 +32,17 @@ type CredentialProviderRequest struct {
 | 
				
			|||||||
	// credential provider plugin request. Plugins may optionally parse the image
 | 
						// credential provider plugin request. Plugins may optionally parse the image
 | 
				
			||||||
	// to extract any information required to fetch credentials.
 | 
						// to extract any information required to fetch credentials.
 | 
				
			||||||
	Image string
 | 
						Image string
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						// serviceAccountToken is the service account token bound to the pod for which
 | 
				
			||||||
 | 
						// the image is being pulled. This token is only sent to the plugin if the
 | 
				
			||||||
 | 
						// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential provider configuration.
 | 
				
			||||||
 | 
						ServiceAccountToken string
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						// serviceAccountAnnotations is a map of annotations on the service account bound to the
 | 
				
			||||||
 | 
						// pod for which the image is being pulled. The list of annotations in the service account
 | 
				
			||||||
 | 
						// that need to be passed to the plugin is configured in the kubelet's credential provider
 | 
				
			||||||
 | 
						// configuration.
 | 
				
			||||||
 | 
						ServiceAccountAnnotations map[string]string
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
type PluginCacheKeyType string
 | 
					type PluginCacheKeyType string
 | 
				
			||||||
 
 | 
				
			|||||||
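Review bot: The new internal `ServiceAccountToken string` field is added without a sensitivity tag, while the v1 field later in this commit carries `datapolicy:"token"`. The internal struct is presumably the one kubelet code holds in memory and may format into logs or error strings, so any tooling that keys off the tag would not cover it; consider adding the same `datapolicy:"token"` tag to the internal field. The struct starts above the hunk, so whether other internal fields in this file follow a no-tag convention is not visible here.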
@@ -32,6 +32,18 @@ type CredentialProviderRequest struct {
 | 
				
			|||||||
	// credential provider plugin request. Plugins may optionally parse the image
 | 
						// credential provider plugin request. Plugins may optionally parse the image
 | 
				
			||||||
	// to extract any information required to fetch credentials.
 | 
						// to extract any information required to fetch credentials.
 | 
				
			||||||
	Image string `json:"image"`
 | 
						Image string `json:"image"`
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						// serviceAccountToken is the service account token bound to the pod for which
 | 
				
			||||||
 | 
						// the image is being pulled. This token is only sent to the plugin if the
 | 
				
			||||||
 | 
						// tokenAttributes.serviceAccountTokenAudience field is configured in the kubelet's credential
 | 
				
			||||||
 | 
						// provider configuration.
 | 
				
			||||||
 | 
						ServiceAccountToken string `json:"serviceAccountToken,omitempty" datapolicy:"token"`
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						// serviceAccountAnnotations is a map of annotations on the service account bound to the
 | 
				
			||||||
 | 
						// pod for which the image is being pulled. The list of annotations in the service account
 | 
				
			||||||
 | 
						// that need to be passed to the plugin is configured in the kubelet's credential provider
 | 
				
			||||||
 | 
						// configuration.
 | 
				
			||||||
 | 
						ServiceAccountAnnotations map[string]string `json:"serviceAccountAnnotations,omitempty"`
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
type PluginCacheKeyType string
 | 
					type PluginCacheKeyType string
 | 
				
			||||||
 
 | 
				
			|||||||
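Review bot: The doc comment on `ServiceAccountToken` says when the token is sent but not how a plugin must treat it, even though this struct is the contract external plugins are written against. I would add a line such as `// The token is a bearer credential for the pod's service account; plugins must not log or persist it.` to the field comment. The comment on `ServiceAccountAnnotations` could likewise say that the values are set by whoever can edit the service account, so plugins should validate them before acting on them. The struct starts above the hunk.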
@@ -94,6 +94,8 @@ func Convert_credentialprovider_AuthConfig_To_v1_AuthConfig(in *credentialprovid
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
 | 
					func autoConvert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
	out.Image = in.Image
 | 
						out.Image = in.Image
 | 
				
			||||||
 | 
						out.ServiceAccountToken = in.ServiceAccountToken
 | 
				
			||||||
 | 
						out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -104,6 +106,8 @@ func Convert_v1_CredentialProviderRequest_To_credentialprovider_CredentialProvid
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
					func autoConvert_credentialprovider_CredentialProviderRequest_To_v1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
	out.Image = in.Image
 | 
						out.Image = in.Image
 | 
				
			||||||
 | 
						out.ServiceAccountToken = in.ServiceAccountToken
 | 
				
			||||||
 | 
						out.ServiceAccountAnnotations = *(*map[string]string)(unsafe.Pointer(&in.ServiceAccountAnnotations))
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 | 
				
			|||||||
func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 | 
					func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 | 
				
			||||||
	*out = *in
 | 
						*out = *in
 | 
				
			||||||
	out.TypeMeta = in.TypeMeta
 | 
						out.TypeMeta = in.TypeMeta
 | 
				
			||||||
 | 
						if in.ServiceAccountAnnotations != nil {
 | 
				
			||||||
 | 
							in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
 | 
				
			||||||
 | 
							*out = make(map[string]string, len(*in))
 | 
				
			||||||
 | 
							for key, val := range *in {
 | 
				
			||||||
 | 
								(*out)[key] = val
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	return
 | 
						return
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -0,0 +1,27 @@
 | 
				
			|||||||
 | 
					/*
 | 
				
			||||||
 | 
					Copyright 2025 The Kubernetes Authors.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Licensed under the Apache License, Version 2.0 (the "License");
 | 
				
			||||||
 | 
					you may not use this file except in compliance with the License.
 | 
				
			||||||
 | 
					You may obtain a copy of the License at
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    http://www.apache.org/licenses/LICENSE-2.0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Unless required by applicable law or agreed to in writing, software
 | 
				
			||||||
 | 
					distributed under the License is distributed on an "AS IS" BASIS,
 | 
				
			||||||
 | 
					WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | 
				
			||||||
 | 
					See the License for the specific language governing permissions and
 | 
				
			||||||
 | 
					limitations under the License.
 | 
				
			||||||
 | 
					*/
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					package v1alpha1
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					import (
 | 
				
			||||||
 | 
						"k8s.io/apimachinery/pkg/conversion"
 | 
				
			||||||
 | 
						"k8s.io/kubelet/pkg/apis/credentialprovider"
 | 
				
			||||||
 | 
					)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
 | 
						// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
 | 
				
			||||||
 | 
						return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
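Review bot: The exported conversion function in this new file has no doc comment, and the reason it exists is stated only in a comment inside the body. I would move that to a doc comment starting with the function name, e.g. `// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest drops ServiceAccountToken and ServiceAccountAnnotations, which exist only in v1.` Because the drop is silent, a plugin configured for v1alpha1 together with token attributes would receive a request without a token; whether configuration validation rejects that combination is not visible in this commit and is worth confirming. The same applies to the v1beta1 file added later in this commit.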
@@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 | 
				
			|||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
		return err
 | 
							return err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
					 | 
				
			||||||
		return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
 | 
					 | 
				
			||||||
	}); err != nil {
 | 
					 | 
				
			||||||
		return err
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
						if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
				
			||||||
		return Convert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 | 
							return Convert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 | 
				
			||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
@@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 | 
				
			|||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
		return err
 | 
							return err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
				
			||||||
 | 
							return Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
 | 
				
			||||||
 | 
						}); err != nil {
 | 
				
			||||||
 | 
							return err
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -104,14 +104,11 @@ func Convert_v1alpha1_CredentialProviderRequest_To_credentialprovider_Credential
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
					func autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
	out.Image = in.Image
 | 
						out.Image = in.Image
 | 
				
			||||||
 | 
						// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
 | 
				
			||||||
 | 
						// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest is an autogenerated conversion function.
 | 
					 | 
				
			||||||
func Convert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
					 | 
				
			||||||
	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1alpha1_CredentialProviderRequest(in, out, s)
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
func autoConvert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 | 
					func autoConvert_v1alpha1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 | 
				
			||||||
	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 | 
						out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 | 
				
			||||||
	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
 | 
						out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -0,0 +1,27 @@
 | 
				
			|||||||
 | 
					/*
 | 
				
			||||||
 | 
					Copyright 2025 The Kubernetes Authors.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Licensed under the Apache License, Version 2.0 (the "License");
 | 
				
			||||||
 | 
					you may not use this file except in compliance with the License.
 | 
				
			||||||
 | 
					You may obtain a copy of the License at
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    http://www.apache.org/licenses/LICENSE-2.0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Unless required by applicable law or agreed to in writing, software
 | 
				
			||||||
 | 
					distributed under the License is distributed on an "AS IS" BASIS,
 | 
				
			||||||
 | 
					WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | 
				
			||||||
 | 
					See the License for the specific language governing permissions and
 | 
				
			||||||
 | 
					limitations under the License.
 | 
				
			||||||
 | 
					*/
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					package v1beta1
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					import (
 | 
				
			||||||
 | 
						"k8s.io/apimachinery/pkg/conversion"
 | 
				
			||||||
 | 
						"k8s.io/kubelet/pkg/apis/credentialprovider"
 | 
				
			||||||
 | 
					)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
 | 
						// This conversion intentionally omits the serviceAccountToken and serviceAccountAnnotations fields which are only supported in v1 CredentialProviderRequest.
 | 
				
			||||||
 | 
						return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
@@ -52,11 +52,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 | 
				
			|||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
		return err
 | 
							return err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
	if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
					 | 
				
			||||||
		return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
 | 
					 | 
				
			||||||
	}); err != nil {
 | 
					 | 
				
			||||||
		return err
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
						if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
				
			||||||
		return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 | 
							return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope)
 | 
				
			||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
@@ -67,6 +62,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 | 
				
			|||||||
	}); err != nil {
 | 
						}); err != nil {
 | 
				
			||||||
		return err
 | 
							return err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if err := s.AddConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
 | 
				
			||||||
 | 
							return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope)
 | 
				
			||||||
 | 
						}); err != nil {
 | 
				
			||||||
 | 
							return err
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -104,14 +104,11 @@ func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialP
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
					func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
				
			||||||
	out.Image = in.Image
 | 
						out.Image = in.Image
 | 
				
			||||||
 | 
						// WARNING: in.ServiceAccountToken requires manual conversion: does not exist in peer-type
 | 
				
			||||||
 | 
						// WARNING: in.ServiceAccountAnnotations requires manual conversion: does not exist in peer-type
 | 
				
			||||||
	return nil
 | 
						return nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function.
 | 
					 | 
				
			||||||
func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error {
 | 
					 | 
				
			||||||
	return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s)
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 | 
					func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error {
 | 
				
			||||||
	out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 | 
						out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType)
 | 
				
			||||||
	out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
 | 
						out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration))
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -46,6 +46,13 @@ func (in *AuthConfig) DeepCopy() *AuthConfig {
 | 
				
			|||||||
func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 | 
					func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) {
 | 
				
			||||||
	*out = *in
 | 
						*out = *in
 | 
				
			||||||
	out.TypeMeta = in.TypeMeta
 | 
						out.TypeMeta = in.TypeMeta
 | 
				
			||||||
 | 
						if in.ServiceAccountAnnotations != nil {
 | 
				
			||||||
 | 
							in, out := &in.ServiceAccountAnnotations, &out.ServiceAccountAnnotations
 | 
				
			||||||
 | 
							*out = make(map[string]string, len(*in))
 | 
				
			||||||
 | 
							for key, val := range *in {
 | 
				
			||||||
 | 
								(*out)[key] = val
 | 
				
			||||||
 | 
							}
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	return
 | 
						return
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||