Merge pull request #1549 from omerlh/feat/service-account-custom-path

feat: custom path for service account token (supporting TokenVolume projection)
kubernetes-client · Jan 31, 2024 · 0fbfd8f · 0fbfd8f
2 parents 4fedbd6 + 342b796
commit 0fbfd8f
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 2 deletions.
diff --git a/src/config.ts b/src/config.ts
@@ -211,6 +211,12 @@ export class KubeConfig {
         const clusterName = 'inCluster';
         const userName = 'inClusterUser';
         const contextName = 'inClusterContext';
+        const tokenFile = process.env.TOKEN_FILE_PATH
+            ? process.env.TOKEN_FILE_PATH
+            : `${pathPrefix}${Config.SERVICEACCOUNT_TOKEN_PATH}`;
+        const caFile = process.env.KUBERNETES_CA_FILE_PATH
+            ? process.env.KUBERNETES_CA_FILE_PATH
+            : `${pathPrefix}${Config.SERVICEACCOUNT_CA_PATH}`;
 
         let scheme = 'https';
         if (port === '80' || port === '8080' || port === '8001') {
@@ -226,7 +232,7 @@ export class KubeConfig {
         this.clusters = [
             {
                 name: clusterName,
-                caFile: `${pathPrefix}${Config.SERVICEACCOUNT_CA_PATH}`,
+                caFile,
                 server: `${scheme}://${serverHost}:${port}`,
                 skipTLSVerify: false,
             },
@@ -237,7 +243,7 @@ export class KubeConfig {
                 authProvider: {
                     name: 'tokenFile',
                     config: {
-                        tokenFile: `${pathPrefix}${Config.SERVICEACCOUNT_TOKEN_PATH}`,
+                        tokenFile,
                     },
                 },
             },

diff --git a/src/config_test.ts b/src/config_test.ts
@@ -152,6 +152,93 @@ describe('KubeConfig', () => {
         });
     });
 
+    describe('loadFromCluster', () => {
+        let originalTokenPath: string | undefined;
+        let originalCaFilePath: string | undefined;
+
+        before(() => {
+            originalTokenPath = process.env['TOKEN_FILE_PATH'];
+            originalCaFilePath = process.env['KUBERNETES_CA_FILE_PATH'];
+
+            delete process.env['TOKEN_FILE_PATH'];
+            delete process.env['KUBERNETES_CA_FILE_PATH'];
+        });
+
+        after(() => {
+            delete process.env['TOKEN_FILE_PATH'];
+            delete process.env['KUBERNETES_CA_FILE_PATH'];
+
+            if (originalTokenPath) {
+                process.env['TOKEN_FILE_PATH'] = originalTokenPath;
+            }
+
+            if (originalCaFilePath) {
+                process.env['KUBERNETES_CA_FILE_PATH'] = originalCaFilePath;
+            }
+        });
+
+        it('should load from default env vars', () => {
+            const kc = new KubeConfig();
+            const cluster = {
+                name: 'inCluster',
+                server: 'https://undefined:undefined',
+                skipTLSVerify: false,
+                caFile: '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
+            } as Cluster;
+
+            const user = {
+                authProvider: {
+                    name: 'tokenFile',
+                    config: {
+                        tokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+                    },
+                },
+                name: 'inClusterUser',
+            } as User;
+
+            kc.loadFromCluster();
+
+            const clusterOut = kc.getCurrentCluster();
+
+            expect(cluster).to.deep.equals(clusterOut);
+
+            const userOut = kc.getCurrentUser();
+            expect(userOut).to.deep.equals(user);
+        });
+
+        it('should support custom token file path', () => {
+            const kc = new KubeConfig();
+            process.env['TOKEN_FILE_PATH'] = '/etc/tokenFile';
+            process.env['KUBERNETES_CA_FILE_PATH'] = '/etc/ca.crt';
+
+            const cluster = {
+                name: 'inCluster',
+                server: 'https://undefined:undefined',
+                skipTLSVerify: false,
+                caFile: '/etc/ca.crt',
+            } as Cluster;
+
+            const user = {
+                authProvider: {
+                    name: 'tokenFile',
+                    config: {
+                        tokenFile: '/etc/tokenFile',
+                    },
+                },
+                name: 'inClusterUser',
+            } as User;
+
+            kc.loadFromCluster();
+
+            const clusterOut = kc.getCurrentCluster();
+
+            expect(cluster).to.deep.equals(clusterOut);
+
+            const userOut = kc.getCurrentUser();
+            expect(userOut).to.deep.equals(user);
+        });
+    });
+
     describe('clusterConstructor', () => {
         it('should load from options', () => {
             const cluster = {