Allow user to pass expiration

This option allows you to specify the desired validity period (in seconds) for the token requested when generating a kubeconfig
projectsveltos · Apr 12, 2024 · b1383cd · b1383cd
1 parent f02ce27
commit b1383cd
Showing 1 changed file with 40 additions and 20 deletions.
diff --git a/internal/commands/generate/generate_kubeconfig.go b/internal/commands/generate/generate_kubeconfig.go
@@ -21,8 +21,8 @@ import (
 	"encoding/base64"
 	"flag"
 	"fmt"
+	"strconv"
 	"strings"
-	"time"
 
 	"github.com/docopt/docopt-go"
 	"github.com/go-logr/logr"
@@ -40,12 +40,10 @@ import (
 
 const (
 	projectsveltos = "projectsveltos"
-	// expirationInSecond is the token expiration time.
-	saExpirationInSecond = 365 * 24 * 60 * time.Minute
 )
 
 func generateKubeconfigForServiceAccount(ctx context.Context, namespace, serviceAccountName string,
-	create bool, logger logr.Logger) error {
+	expirationSeconds int, create bool, logger logr.Logger) error {
 
 	if create {
 		if err := createNamespace(ctx, namespace, logger); err != nil {
@@ -69,7 +67,7 @@ func generateKubeconfigForServiceAccount(ctx context.Context, namespace, service
 		}
 	}
 
-	tokenRequest, err := getServiceAccountTokenRequest(ctx, namespace, serviceAccountName, logger)
+	tokenRequest, err := getServiceAccountTokenRequest(ctx, namespace, serviceAccountName, expirationSeconds, logger)
 	if err != nil {
 		return err
 	}
@@ -203,16 +201,19 @@ func createClusterRoleBinding(ctx context.Context, clusterRoleName, clusterRoleB
 
 // getServiceAccountTokenRequest returns token for a serviceaccount
 func getServiceAccountTokenRequest(ctx context.Context, serviceAccountNamespace, serviceAccountName string,
-	logger logr.Logger) (*authenticationv1.TokenRequestStatus, error) {
+	expirationSeconds int, logger logr.Logger) (*authenticationv1.TokenRequestStatus, error) {
 
 	instance := utils.GetAccessInstance()
 
-	expiration := int64(saExpirationInSecond.Seconds())
+	expiration := int64(expirationSeconds)
 
-	treq := &authenticationv1.TokenRequest{
-		Spec: authenticationv1.TokenRequestSpec{
+	treq := &authenticationv1.TokenRequest{}
+
+	if expirationSeconds != 0 {
+		fmt.Println("MGIANLUC", expiration)
+		treq.Spec = authenticationv1.TokenRequestSpec{
 			ExpirationSeconds: &expiration,
-		},
+		}
 	}
 
 	clientset, err := kubernetes.NewForConfig(instance.GetConfig())
@@ -267,15 +268,25 @@ current-context: sveltos-context`
 // GenerateKubeconfig creates a TokenRequest and a Kubeconfig associated with it
 func GenerateKubeconfig(ctx context.Context, args []string, logger logr.Logger) error {
 	doc := `Usage:
-  sveltosctl generate kubeconfig [options] [--namespace=<name>] [--serviceaccount=<name>] [--create] [--verbose]
-
-     --namespace=<name>      (Optional) Specifies the namespace of the ServiceAccount to use. If not provided, the "projectsveltos" namespace will be used.
-     --serviceaccount=<name> (Optional) Specifies the name of the ServiceAccount to use. If not provided, "projectsveltos" will be used.
-     --create                (Optional) If set, Sveltos will create the necessary resources if they don't already exist:
-                             - The specified namespace (if not already present)
-                             - The specified ServiceAccount (if not already present)
-                             - A ClusterRole with cluster-admin permissions
-                             - A ClusterRoleBinding granting the ServiceAccount cluster-admin permissions
+  sveltosctl generate kubeconfig [options] [--namespace=<name>] [--serviceaccount=<name>] [--create] [--expirationSeconds=<value>] [--verbose]
+
+     --namespace=<name>           (Optional) Specifies the namespace of the ServiceAccount to use. If not provided,
+                                  the "projectsveltos" namespace will be used.
+     --serviceaccount=<name>      (Optional) Specifies the name of the ServiceAccount to use. If not provided,
+                                  "projectsveltos" will be used.
+     --create                     (Optional) If set, Sveltos will create the necessary resources if they don't already exist:
+                                  - The specified namespace (if not already present)
+                                  - The specified ServiceAccount (if not already present)
+                                  - A ClusterRole with cluster-admin permissions
+                                  - A ClusterRoleBinding granting the ServiceAccount cluster-admin permissions
+     --expirationSeconds=<value>  - (Optional) This option allows you to specify the desired validity period 
+                                  (in seconds) for the token requested when generating a kubeconfig. Minimum value is 600 (10 minutes).
+                                  If you don't provide this option, the issuer (where the kubeconfig points)
+                                  will use its default expiration time for the token.
+                                  Once you register a cluster using the kubeconfig generated by this command,
+                                  you can manage automatic token renewal through the
+                                  SveltosCluster.Spec.TokenRequestRenewalOption setting within the registered
+                                  SveltosCluster resource. This provides more control over token expiration and renewal behavior. 
 
 Process:
 
@@ -325,7 +336,16 @@ or create a new one with the necessary permissions.
 		serviceAccount = passedServiceAccount.(string)
 	}
 
+	expirationSeconds := 0
+	if passedExpirationSeconds := parsedArgs["--expirationSeconds"]; passedExpirationSeconds != nil {
+		expirationSeconds, err = strconv.Atoi(passedExpirationSeconds.(string))
+		if err != nil {
+			return err
+		}
+	}
+
 	create := parsedArgs["--create"].(bool)
 
-	return generateKubeconfigForServiceAccount(ctx, namespace, serviceAccount, create, logger)
+	return generateKubeconfigForServiceAccount(ctx, namespace, serviceAccount, expirationSeconds,
+		create, logger)
 }