How to get kubernetes service account access token using fabric8 java client?


I have configured minikube on my local machine and am going to use Kubernetes externally. I have created a Service Account in Kubernetes, and using its secret I can get the access token with the command below.

kubectl get secret <service-account-secret> -o yaml -n mynamespace

My question is: how can I do this using the fabric8 Java client at runtime? What I want is to obtain the access token by giving the secret of the Service Account as a parameter.

I am initiating the config as below.

Config config = new ConfigBuilder().withMasterUrl(masterURL)
                .withClientCertFile(certFile).withOauthToken(serviceAccountAccessToken).build();

Can I know how to get the serviceAccountAccessToken as described above using the fabric8 Java client?

There are 4 answers

1
mdaniel On

From within a Pod, the service account token is volume-mounted as /var/run/secrets/kubernetes.io/serviceaccount/token as seen here. The fact that the path is hard-coded in (at least v2.6.2 of) the fabric8 Client leads me to believe that perhaps, if one merely omits the withOauthToken() call, the Client may Just Work™.

It's slightly unclear whether the code snippet you provided is expected to run outside of the cluster, but if so, then you have a small chicken-and-egg problem of providing auth to the API so you can acquire the Secret.
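
For the case where the code runs outside the cluster, as in the question, here is one way to read the token from the Secret with the fabric8 client. This is an added example, not part of any answer on this page; the class name ServiceAccountTokenReader and the readToken helper are hypothetical, and it assumes the local kubeconfig (the one kubectl uses) supplies the bootstrap credentials and that the DefaultKubernetesClient class used in the answers is available.

```java
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ServiceAccountTokenReader { // hypothetical class name
    static final String SA_TOKEN_TYPE = "kubernetes.io/service-account-token";

    // Reads the Secret via the API and returns the decoded bearer token.
    static String readToken(KubernetesClient client, String namespace, String secretName) {
        Secret secret = client.secrets().inNamespace(namespace).withName(secretName).get();
        if (secret == null) {
            throw new IllegalStateException("Secret not found: " + namespace + "/" + secretName);
        }
        // Refuse other Secret types so an arbitrary "token" key is never used as a credential.
        if (!SA_TOKEN_TYPE.equals(secret.getType())) {
            throw new IllegalStateException("Unexpected Secret type: " + secret.getType());
        }
        String encoded = secret.getData() == null ? null : secret.getData().get("token");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("Secret has no 'token' entry");
        }
        // Values under .data are base64-encoded (not encrypted); decode to get the token.
        return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String namespace = args[0];  // e.g. mynamespace
        String secretName = args[1]; // name of the service account's token Secret
        // Bootstrap client: auto-configured from the local kubeconfig, as kubectl is.
        // That identity needs RBAC "get" on this one Secret and nothing more.
        try (KubernetesClient bootstrap = new DefaultKubernetesClient(new ConfigBuilder().build())) {
            String token = readToken(bootstrap, namespace, secretName);
            Config saConfig = new ConfigBuilder()
                    .withMasterUrl(bootstrap.getMasterUrl().toString())
                    .withOauthToken(token)
                    .build();
            // The token is a bearer credential: report that it was loaded, never print it.
            System.out.println("Loaded token (" + token.length() + " chars) for " + saConfig.getMasterUrl());
        }
    }
}
```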

1
iocanel On

The client already does that for you.

If you just create an empty Config object:

Config config = new ConfigBuilder().build();

or create the client, like:

KubernetesClient client = new DefaultKubernetesClient();

from within a pod, it will automatically read the token for you.

If you need to pass it elsewhere, you can just:

String token = config.getOauthToken();

or

String token = client.getConfiguration().getOauthToken();

0
Piotr On

Config config = new ConfigBuilder()
        .withMasterUrl(externalTunnelUrl)
        .withOauthToken(managementTokenProvider.getManagementToken(clusterName))
        .withUsername("management-token")
        .build();

Just had the same need. OauthToken is maybe not the obvious name, but works.

Note that I do not specify client cert file there.

0
dharmalingam lingam On

Create a service account with the YAML definition below.

Step 1: create api-manager.yaml with the content below

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: api-manager
  namespace: default
rules:
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs", "cronjobs"]  # RBAC resource names are plural
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: udefreadonlybinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: api-manager
    namespace: default
roleRef:
  kind: Role
  name: api-manager  # must name the Role defined above
  apiGroup: rbac.authorization.k8s.io

Step 2: kubectl create -f api-manager.yaml

Step 3: Edit your pod dp file and map the service account. Then map this service account to the pod, which internally maps the service account inside the container (path: /var/run/secrets/kubernetes.io/serviceaccount/token).

Step 4: In Java code

io.fabric8.kubernetes.client.DefaultKubernetesClient client = new io.fabric8.kubernetes.client.DefaultKubernetesClient();
System.out.println("client" + client.getNamespace());