Add plugin and key-cache for ExternalJWTSigner integration

Author: HarshalNeelkamal

cmd/kube-apiserver/app/options/completion.go

@@ -17,6 +17,7 @@ limitations under the License.
 package options
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"strings"
@@ -45,27 +46,27 @@ type CompletedOptions struct {
 
 // Complete set default ServerRunOptions.
 // Should be called after kube-apiserver flags parsed.
-func (opts *ServerRunOptions) Complete() (CompletedOptions, error) {
-	if opts == nil {
+func (s *ServerRunOptions) Complete(ctx context.Context) (CompletedOptions, error) {
+	if s == nil {
 		return CompletedOptions{completedOptions: &completedOptions{}}, nil
 	}
 
-	// process opts.ServiceClusterIPRange from list to Primary and Secondary
+	// process s.ServiceClusterIPRange from list to Primary and Secondary
 	// we process secondary only if provided by user
-	apiServerServiceIP, primaryServiceIPRange, secondaryServiceIPRange, err := getServiceIPAndRanges(opts.ServiceClusterIPRanges)
+	apiServerServiceIP, primaryServiceIPRange, secondaryServiceIPRange, err := getServiceIPAndRanges(s.ServiceClusterIPRanges)
 	if err != nil {
 		return CompletedOptions{}, err
 	}
-	controlplane, err := opts.Options.Complete([]string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, []net.IP{apiServerServiceIP})
+	controlplane, err := s.Options.Complete(ctx, []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, []net.IP{apiServerServiceIP})
 	if err != nil {
 		return CompletedOptions{}, err
 	}
 
 	completed := completedOptions{
 		CompletedOptions: controlplane,
-		CloudProvider:    opts.CloudProvider,
+		CloudProvider:    s.CloudProvider,
 
-		Extra: opts.Extra,
+		Extra: s.Extra,
 	}
 
 	completed.PrimaryServiceClusterIPRange = primaryServiceIPRange

cmd/kube-apiserver/app/server.go

@@ -67,6 +67,7 @@ func NewAPIServerCommand() *cobra.Command {
 	_, featureGate := featuregate.DefaultComponentGlobalsRegistry.ComponentGlobalsOrRegister(
 		featuregate.DefaultKubeComponent, utilversion.DefaultBuildEffectiveVersion(), utilfeature.DefaultMutableFeatureGate)
 	s := options.NewServerRunOptions()
+	ctx := genericapiserver.SetupSignalContext()
 
 	cmd := &cobra.Command{
 		Use: "kube-apiserver",
@@ -97,7 +98,7 @@ cluster's shared state through which all other components interact.`,
 			cliflag.PrintFlags(fs)
 
 			// set default options
-			completedOptions, err := s.Complete()
+			completedOptions, err := s.Complete(ctx)
 			if err != nil {
 				return err
 			}
@@ -108,7 +109,7 @@ cluster's shared state through which all other components interact.`,
 			}
 			// add feature enablement metrics
 			featureGate.AddMetrics()
-			return Run(cmd.Context(), completedOptions)
+			return Run(ctx, completedOptions)
 		},
 		Args: func(cmd *cobra.Command, args []string) error {
 			for _, arg := range args {
@@ -119,7 +120,7 @@ cluster's shared state through which all other components interact.`,
 			return nil
 		},
 	}
-	cmd.SetContext(genericapiserver.SetupSignalContext())
+	cmd.SetContext(ctx)
 
 	fs := cmd.Flags()
 	namedFlagSets := s.Flags()

cmd/kube-apiserver/app/testing/testserver.go

@@ -390,7 +390,7 @@ func StartTestServer(t ktesting.TB, instanceOptions *TestServerInstanceOptions,
 	s.Authentication.ServiceAccounts.Issuers = []string{"https://foo.bar.example.com"}
 	s.Authentication.ServiceAccounts.KeyFiles = []string{saSigningKeyFile.Name()}
 
-	completedOptions, err := s.Complete()
+	completedOptions, err := s.Complete(tCtx)
 	if err != nil {
 		return result, fmt.Errorf("failed to set default ServerRunOptions: %v", err)
 	}

go.mod

@@ -103,6 +103,7 @@ require (
 	k8s.io/csi-translation-lib v0.0.0
 	k8s.io/dynamic-resource-allocation v0.0.0
 	k8s.io/endpointslice v0.0.0
+	k8s.io/externaljwt v0.0.0
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kms v0.0.0
 	k8s.io/kube-aggregator v0.0.0
@@ -239,6 +240,7 @@ replace (
 	k8s.io/csi-translation-lib => ./staging/src/k8s.io/csi-translation-lib
 	k8s.io/dynamic-resource-allocation => ./staging/src/k8s.io/dynamic-resource-allocation
 	k8s.io/endpointslice => ./staging/src/k8s.io/endpointslice
+	k8s.io/externaljwt => ./staging/src/k8s.io/externaljwt
 	k8s.io/kms => ./staging/src/k8s.io/kms
 	k8s.io/kube-aggregator => ./staging/src/k8s.io/kube-aggregator
 	k8s.io/kube-controller-manager => ./staging/src/k8s.io/kube-controller-manager

go.work

@@ -23,6 +23,7 @@ use (
 	./staging/src/k8s.io/csi-translation-lib
 	./staging/src/k8s.io/dynamic-resource-allocation
 	./staging/src/k8s.io/endpointslice
+	./staging/src/k8s.io/externaljwt
 	./staging/src/k8s.io/kms
 	./staging/src/k8s.io/kube-aggregator
 	./staging/src/k8s.io/kube-controller-manager

hack/unwanted-dependencies.json

@@ -111,6 +111,7 @@
         "k8s.io/client-go",
         "k8s.io/code-generator",
         "k8s.io/cri-api",
+        "k8s.io/externaljwt",
         "k8s.io/kms",
         "k8s.io/kube-aggregator",
         "k8s.io/kubelet",

hack/update-codegen.sh

@@ -785,6 +785,8 @@ function codegen::protobindings() {
 
         "staging/src/k8s.io/kubelet/pkg/apis/pluginregistration"
         "pkg/kubelet/pluginmanager/pluginwatcher/example_plugin_apis"
+
+        "staging/src/k8s.io/externaljwt/apis"
     )
 
     kube::log::status "Generating protobuf bindings for ${#apis[@]} targets"

pkg/apis/authentication/validation/validation.go

@@ -19,19 +19,18 @@ limitations under the License.
 package validation
 
 import (
-	"time"
-
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/apis/authentication"
 )
 
+const MinTokenAgeSec = 10 * 60 // 10 minutes
+
 // ValidateTokenRequest validates a TokenRequest.
 func ValidateTokenRequest(tr *authentication.TokenRequest) field.ErrorList {
 	allErrs := field.ErrorList{}
 	specPath := field.NewPath("spec")
 
-	const min = 10 * time.Minute
-	if tr.Spec.ExpirationSeconds < int64(min.Seconds()) {
+	if tr.Spec.ExpirationSeconds < MinTokenAgeSec {
 		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), tr.Spec.ExpirationSeconds, "may not specify a duration less than 10 minutes"))
 	}
 	if tr.Spec.ExpirationSeconds > 1<<32 {

pkg/controller/serviceaccount/tokens_controller.go

@@ -409,7 +409,9 @@ func (e *TokensController) generateTokenIfNeeded(logger klog.Logger, serviceAcco
 
 	// Generate the token
 	if needsToken {
-		token, err := e.token.GenerateToken(serviceaccount.LegacyClaims(*serviceAccount, *liveSecret))
+		c, pc := serviceaccount.LegacyClaims(*serviceAccount, *liveSecret)
+		// TODO: need to plumb context if using external signer ever becomes a posibility.
+		token, err := e.token.GenerateToken(context.TODO(), c, pc)
 		if err != nil {
 			return false, err
 		}

pkg/controller/serviceaccount/tokens_controller_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package serviceaccount
 
 import (
+	"context"
 	"reflect"
 	"testing"
 	"time"
@@ -40,7 +41,7 @@ type testGenerator struct {
 	Err   error
 }
 
-func (t *testGenerator) GenerateToken(sc *jwt.Claims, pc interface{}) (string, error) {
+func (t *testGenerator) GenerateToken(ctx context.Context, sc *jwt.Claims, pc interface{}) (string, error) {
 	return t.Token, t.Err
 }