Support using serviceaccount on session auth

rikatz · rikatz · commit 1aadbdd41cf1 · 2025-05-14T09:08:40.000-03:00
diff --git a/pkg/common/connectionmanager/zones.go b/pkg/common/connectionmanager/zones.go
@@ -292,7 +292,7 @@ func (cm *ConnectionManager) getDIFromMultiVCorDC(ctx context.Context,
 
 func withTagsClient(ctx context.Context, connection *vclib.VSphereConnection, f func(c *rest.Client) error) error {
 	c := rest.NewClient(connection.Client)
-	if connection.SessionManagerURL != "" && connection.SessionManagerToken != "" {
+	if connection.SessionManagerURL != "" {
 		c.SessionID(connection.Client.SessionCookie().Value)
 		return nil
 	}
@@ -313,7 +313,7 @@ func withTagsClient(ctx context.Context, connection *vclib.VSphereConnection, f
 
 	defer func() {
 		// When using shared session manager we don't need to logout
-		if connection.SessionManagerURL != "" && connection.SessionManagerToken != "" {
+		if connection.SessionManagerURL != "" {
 			return
 		}
 
diff --git a/pkg/common/credentialmanager/credentialmanager.go b/pkg/common/credentialmanager/credentialmanager.go
@@ -303,8 +303,7 @@ func parseConfig(data map[string][]byte, config map[string]*Credential) error {
 	}
 
 	for vcServer, credential := range config {
-		if (credential.User == "" || credential.Password == "") &&
-			(credential.VCSessionManagerURL == "" || credential.VCSessionManagerToken == "") {
+		if (credential.User == "" || credential.Password == "") && credential.VCSessionManagerURL == "" {
 
 			klog.Errorf("Username/Password or shared session manager URL/Token directives are missing for server %s", vcServer)
 			return ErrCredentialMissing
diff --git a/pkg/common/credentialmanager/credentialmanager_test.go b/pkg/common/credentialmanager/credentialmanager_test.go
@@ -394,7 +394,7 @@ func TestParseSecretConfig(t *testing.T) {
 					VCSessionManagerURL: "https://something.tld/session",
 				},
 			},
-			expectedError: ErrCredentialMissing,
+			expectedError: nil,
 		},
 		{
 			testName: "Missing session manager url",
diff --git a/pkg/common/vclib/connection.go b/pkg/common/vclib/connection.go
@@ -134,7 +134,7 @@ func (connection *VSphereConnection) login(ctx context.Context, client *vim25.Cl
 	connection.credentialsLock.Lock()
 	defer connection.credentialsLock.Unlock()
 
-	if connection.SessionManagerURL != "" && connection.SessionManagerToken != "" {
+	if connection.SessionManagerURL != "" {
 		token, err := GetSharedToken(ctx, SharedTokenOptions{
 			URL:   connection.SessionManagerURL,
 			Token: connection.SessionManagerToken,
diff --git a/pkg/common/vclib/vc_session_manager.go b/pkg/common/vclib/vc_session_manager.go
@@ -7,9 +7,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
 	"time"
 )
 
+const (
+	saFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 // SharedSessionResponse is the expected structure for a session manager valid
 // token response
 type SharedSessionResponse struct {
@@ -28,6 +33,8 @@ type SharedTokenOptions struct {
 	InsecureSkipVerify bool
 	// Timeout defines the client timeout. Defaults to 5 seconds
 	Timeout time.Duration
+	// TokenFile defines a file with token content. Defaults to Kubernetes Service Account file
+	TokenFile string
 }
 
 // GetSharedToken executes an http request on session manager and gets the session manager
@@ -36,8 +43,18 @@ func GetSharedToken(ctx context.Context, options SharedTokenOptions) (string, er
 	if options.URL == "" {
 		return "", fmt.Errorf("URL of session manager cannot be empty")
 	}
+
+	if options.TokenFile == "" {
+		options.TokenFile = saFile
+	}
+
+	// If the token is empty, we should use service account from the Pod instead
 	if options.Token == "" {
-		return "", fmt.Errorf("token of session manager cannot be empty")
+		saValue, err := os.ReadFile(options.TokenFile)
+		if err != nil {
+			return "", fmt.Errorf("failed reading token from service account: %w", err)
+		}
+		options.Token = string(saValue)
 	}
 
 	timeout := 5 * time.Second
diff --git a/pkg/common/vclib/vc_session_manager_test.go b/pkg/common/vclib/vc_session_manager_test.go
@@ -7,10 +7,12 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"k8s.io/cloud-provider-vsphere/pkg/common/vclib"
 )
 
@@ -74,11 +76,11 @@ func TestGetSharedToken(t *testing.T) {
 			assert.ErrorContains(t, err, "URL of session manager cannot be empty")
 		})
 
-		t.Run("should fail when no token is passed", func(t *testing.T) {
+		t.Run("should fail when no token is passed and SA token cannot be read", func(t *testing.T) {
 			_, err := vclib.GetSharedToken(ctx, vclib.SharedTokenOptions{
-				URL: "https://some-session-manager.tld/session",
+				URL: "http://something.tld/lala",
 			})
-			assert.ErrorContains(t, err, "token of session manager cannot be empty")
+			assert.ErrorContains(t, err, "failed reading token from service account: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory")
 		})
 
 		t.Run("should fail when passed URL is invalid", func(t *testing.T) {
@@ -165,6 +167,22 @@ func TestGetSharedToken(t *testing.T) {
 			assert.NoError(t, err)
 			assert.Equal(t, validResponse, token)
 		})
+
+		t.Run("should return a valid token when using a file as a token", func(t *testing.T) {
+			tokenFile, err := os.CreateTemp("", "")
+			require.NoError(t, err)
+			require.NoError(t, tokenFile.Close())
+			require.NoError(t, os.WriteFile(tokenFile.Name(), []byte(validToken), 0755))
+
+			reqURL := fmt.Sprintf("%s/session", server.URL)
+			token, err := vclib.GetSharedToken(ctx, vclib.SharedTokenOptions{
+				URL:                 reqURL,
+				TrustedCertificates: certpool,
+				TokenFile:           tokenFile.Name(),
+			})
+			assert.NoError(t, err)
+			assert.Equal(t, validResponse, token)
+		})
 	})
 
 }

Original file line number	Diff line number	Diff line change
`@@ -292,7 +292,7 @@ func (cm *ConnectionManager) getDIFromMultiVCorDC(ctx context.Context,`
`292`	`292`
`293`	`293`	`func withTagsClient(ctx context.Context, connection vclib.VSphereConnection, f func(c rest.Client) error) error {`
`294`	`294`	`c := rest.NewClient(connection.Client)`
`295`		`- if connection.SessionManagerURL != "" && connection.SessionManagerToken != "" {`
	`295`	`+ if connection.SessionManagerURL != "" {`
`296`	`296`	`c.SessionID(connection.Client.SessionCookie().Value)`
`297`	`297`	`return nil`
`298`	`298`	`}`
`@@ -313,7 +313,7 @@ func withTagsClient(ctx context.Context, connection *vclib.VSphereConnection, f`
`313`	`313`
`314`	`314`	`defer func() {`
`315`	`315`	`// When using shared session manager we don't need to logout`
`316`		`- if connection.SessionManagerURL != "" && connection.SessionManagerToken != "" {`
	`316`	`+ if connection.SessionManagerURL != "" {`
`317`	`317`	`return`
`318`	`318`	`}`
`319`	`319`
Original file line number	Diff line number	Diff line change
`@@ -303,8 +303,7 @@ func parseConfig(data map[string][]byte, config map[string]*Credential) error {`
`303`	`303`	`}`
`304`	`304`
`305`	`305`	`for vcServer, credential := range config {`
`306`		`- if (credential.User == "" \|\| credential.Password == "") &&`
`307`		`- (credential.VCSessionManagerURL == "" \|\| credential.VCSessionManagerToken == "") {`
	`306`	`+ if (credential.User == "" \|\| credential.Password == "") && credential.VCSessionManagerURL == "" {`
`308`	`307`
`309`	`308`	`klog.Errorf("Username/Password or shared session manager URL/Token directives are missing for server %s", vcServer)`
`310`	`309`	`return ErrCredentialMissing`
Original file line number	Diff line number	Diff line change
`@@ -394,7 +394,7 @@ func TestParseSecretConfig(t *testing.T) {`
`394`	`394`	`VCSessionManagerURL: "https://something.tld/session",`
`395`	`395`	`},`
`396`	`396`	`},`
`397`		`- expectedError: ErrCredentialMissing,`
	`397`	`+ expectedError: nil,`
`398`	`398`	`},`
`399`	`399`	`{`
`400`	`400`	`testName: "Missing session manager url",`