Skip to content

[WIP] pass node-bound SA tokens to SS providers#179

Open
stlaz wants to merge 18 commits intokubernetes-sigs:mainfrom
stlaz:node-local-tokens
Open

[WIP] pass node-bound SA tokens to SS providers#179
stlaz wants to merge 18 commits intokubernetes-sigs:mainfrom
stlaz:node-local-tokens

Conversation

@stlaz
Copy link
Contributor

@stlaz stlaz commented Jan 29, 2026

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR bounds the SA tokens the controller requests to a node the controller is running on. This helps in scenarios where the SS provider needs to request WI tokens but their kube-aware AS requires proving that the token request comes from a workload in the cluster.

Which issue(s) this PR fixes:
There is currently no issue for this.

Special notes for your reviewer:

TODOs:

  • includes documentation
  • adds unit tests

stlaz added 18 commits January 27, 2026 15:48
@stlaz
only add the controller-specific label with empty value
0c4545e 
Annotations are currently unused, there's no point having these
around at the moment. Keep the validation only, simplify
reconcile.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
remove redundant and unused arguments to serverSidePatchSecret
51b9174 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
handle secret type validation and defaulting in the API
a3f7c5f
@stlaz
decompose the reconcile method by extracting secret fetch logic
64b5ca3 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
remove unused reconciler in computeSecretDataObjectHash()
b9d7456 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
remove superfluous 'cat' from README
a3d8b6e 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
simplify data prep logic for current state hashing
5708ace 
Remove the need for error handling by simply concatenating
the uid/gen strings.

Also remove the "v1" prefix from the final hash. The version was
wrong and therefore likely redundant.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
Flatten the class hierarchy for SA token fetching
784d47f 
The TokenClient was not actually client and did not provide
any value on its own. This commit takes out the only function
of it that had any value and extracts it outside, taking the
tokenManager as an argument rather than wrapping it in another
object.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
refactor fetching key from a bundle
2e0b9aa 
- pick the first one instead of the last to reduce PEM decoding overhead
- don't unnecessarily decode all keys with all three decoding functions
- document why we cannot simply use k8s keyutil PEM decoding utils

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
rework the broken-by-design condition system
f148e11 
There were several issues with the condition system:
1. disappearing conditions - Some conditions would appear and disappear.
2. nonsensical conditions
	- "Unknown" does not make sense for a condition type. What would it
	  even mean?
	- "Create" doesn't really mean anything either, neither does
	  "Update". Compare to the new "SecretCreated" and "SecretUpdated".
3. role confusion - It is unlikely the person viewing the conditions
   will be able to read the controller's logs, making most of the
   hardcoded condition messages not actionable, and therefore
   meaningless.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
fix the bash e2e test broken by the refactoring
fab4bbf 
Improves the QoL by actually printing the failing condition, too.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
Merge the VAPs guarding the secret.Type
191a7e1 
The policies would race during secret creation, causing different
causes for secret creation. This might cause condition hotloops
as we're failing to create the secret for different reasons.

We may want to think about a backoff mechanism for retries in the
future to avoid the controller's sensitivity to these situations.
However, validating the same field of the same resource during the
same conditions should likely be handled by a single policy, as long
as we own the check at least.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
Remove the version from the controller's field manager value
f95d4a3 
The version was wrong (v1, expected v1alpha1) and having this
value versioned would only bring problems.

Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
controller: unexport needlessly exported constants
c7a2854 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
remove VAPs duplicating the API validation
5b6e1c7 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
verify-codegen: also check the generated manifest in staging
acf8d2e 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
fix wrong assumptions about label/annotation sizes
063243f 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@stlaz
WIP: create node-bound tokens to pass WI checks
2979a2d 
Signed-off-by: Stanislav Láznička <slznika@microsoft.com>
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. labels Jan 29, 2026
@k8s-ci-robot k8s-ci-robot requested review from aramase and enj January 29, 2026 13:29
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jan 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: stlaz
Once this PR has been reviewed and has the lgtm label, please assign aramase for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 29, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jan 29, 2026

This issue is currently awaiting triage.

If secrets-store-sync-controller contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jan 29, 2026
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jan 29, 2026

@stlaz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-secrets-store-sync-controller-unit 2979a2d link true /test pull-secrets-store-sync-controller-unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@enj enj added this to SIG Auth Jan 29, 2026
@enj enj moved this to Subprojects - Needs Triage in SIG Auth Jan 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aramase aramase Awaiting requested review from aramase

@enj enj Awaiting requested review from enj

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stlaz @k8s-ci-robot