Merge pull request kubernetes#127062 from eminwux/fix-kcm-flags-doc

k8s-ci-robot · web-flow · commit f28691d069f5 · 2024-09-04T18:20:54.000+01:00
Clarify KCM --service-account-private-key-file flag documentation and improve legacy controller warning message.
diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
@@ -232,7 +232,7 @@ func Run(ctx context.Context, c *config.CompletedConfig) error {
 		}
 	}
 
-	clientBuilder, rootClientBuilder := createClientBuilders(logger, c)
+	clientBuilder, rootClientBuilder := createClientBuilders(c)
 
 	saTokenControllerDescriptor := newServiceAccountTokenControllerDescriptor(rootClientBuilder)
 
@@ -869,16 +869,12 @@ func readCA(file string) ([]byte, error) {
 }
 
 // createClientBuilders creates clientBuilder and rootClientBuilder from the given configuration
-func createClientBuilders(logger klog.Logger, c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
+func createClientBuilders(c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {
+
 	rootClientBuilder = clientbuilder.SimpleControllerClientBuilder{
 		ClientConfig: c.Kubeconfig,
 	}
 	if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials {
-		if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
-			// It's possible another controller process is creating the tokens for us.
-			// If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.
-			logger.Info("Warning: --use-service-account-credentials was specified without providing a --service-account-private-key-file")
-		}
 
 		clientBuilder = clientbuilder.NewDynamicClientBuilder(
 			restclient.AnonymousClientConfig(c.Kubeconfig),
diff --git a/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go b/cmd/kube-controller-manager/app/options/serviceaccountcontroller.go
@@ -33,7 +33,7 @@ func (o *SAControllerOptions) AddFlags(fs *pflag.FlagSet) {
 		return
 	}
 
-	fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
+	fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Enables legacy secret-based tokens when set. Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
 	fs.Int32Var(&o.ConcurrentSATokenSyncs, "concurrent-serviceaccount-token-syncs", o.ConcurrentSATokenSyncs, "The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load")
 	fs.StringVar(&o.RootCAFile, "root-ca-file", o.RootCAFile, "If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.")
 }

Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ func Run(ctx context.Context, c *config.CompletedConfig) error {`
`232`	`232`	`}`
`233`	`233`	`}`
`234`	`234`
`235`		`- clientBuilder, rootClientBuilder := createClientBuilders(logger, c)`
	`235`	`+ clientBuilder, rootClientBuilder := createClientBuilders(c)`
`236`	`236`
`237`	`237`	`saTokenControllerDescriptor := newServiceAccountTokenControllerDescriptor(rootClientBuilder)`
`238`	`238`
`@@ -869,16 +869,12 @@ func readCA(file string) ([]byte, error) {`
`869`	`869`	`}`
`870`	`870`
`871`	`871`	`// createClientBuilders creates clientBuilder and rootClientBuilder from the given configuration`
`872`		`-func createClientBuilders(logger klog.Logger, c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {`
	`872`	`+func createClientBuilders(c *config.CompletedConfig) (clientBuilder clientbuilder.ControllerClientBuilder, rootClientBuilder clientbuilder.ControllerClientBuilder) {`
	`873`	`+`
`873`	`874`	`rootClientBuilder = clientbuilder.SimpleControllerClientBuilder{`
`874`	`875`	`ClientConfig: c.Kubeconfig,`
`875`	`876`	`}`
`876`	`877`	`if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials {`
`877`		`- if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {`
`878`		`- // It's possible another controller process is creating the tokens for us.`
`879`		`- // If one isn't, we'll timeout and exit when our client builder is unable to create the tokens.`
`880`		`- logger.Info("Warning: --use-service-account-credentials was specified without providing a --service-account-private-key-file")`
`881`		`- }`
`882`	`878`
`883`	`879`	`clientBuilder = clientbuilder.NewDynamicClientBuilder(`
`884`	`880`	`restclient.AnonymousClientConfig(c.Kubeconfig),`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func (o SAControllerOptions) AddFlags(fs pflag.FlagSet) {`
`33`	`33`	`return`
`34`	`34`	`}`
`35`	`35`
`36`		`- fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")`
	`36`	`+ fs.StringVar(&o.ServiceAccountKeyFile, "service-account-private-key-file", o.ServiceAccountKeyFile, "Enables legacy secret-based tokens when set. Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")`
`37`	`37`	`fs.Int32Var(&o.ConcurrentSATokenSyncs, "concurrent-serviceaccount-token-syncs", o.ConcurrentSATokenSyncs, "The number of service account token objects that are allowed to sync concurrently. Larger number = more responsive token generation, but more CPU (and network) load")`
`38`	`38`	`fs.StringVar(&o.RootCAFile, "root-ca-file", o.RootCAFile, "If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.")`
`39`	`39`	`}`