@@ -2242,6 +2242,128 @@ _oc_secrets()

     must_have_one_noun=()

 }

+_oc_serviceaccounts_get-token()

+{

+    last_command="oc_serviceaccounts_get-token"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

+_oc_serviceaccounts_new-token()

+{

+    last_command="oc_serviceaccounts_new-token"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--labels=")

+    two_word_flags+=("-l")

+    flags+=("--timeout=")

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

+_oc_serviceaccounts()

+{

+    last_command="oc_serviceaccounts"

+    commands=()

+    commands+=("get-token")

+    commands+=("new-token")

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _oc_logs()

 {

     last_command="oc_logs"

@@ -5810,6 +5932,53 @@ _oc_create_secret()

     must_have_one_noun=()

 }

+_oc_create_serviceaccount()

+{

+    last_command="oc_create_serviceaccount"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--dry-run")

+    flags+=("--generator=")

+    flags+=("--output=")

+    two_word_flags+=("-o")

+    flags+=("--output-version=")

+    flags+=("--save-config")

+    flags+=("--schema-cache-dir=")

+    flags+=("--validate")

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _oc_create_route_edge()

 {

     last_command="oc_create_route_edge"

@@ -6009,6 +6178,7 @@ _oc_create()

     commands=()

     commands+=("namespace")

     commands+=("secret")

+    commands+=("serviceaccount")

     commands+=("route")

     flags=()

@@ -7349,6 +7519,7 @@ _oc()

     commands+=("scale")

     commands+=("autoscale")

     commands+=("secrets")

+    commands+=("serviceaccounts")

     commands+=("logs")

     commands+=("rsh")

     commands+=("rsync")

@@ -5579,6 +5579,128 @@ _openshift_cli_secrets()

     must_have_one_noun=()

 }

+_openshift_cli_serviceaccounts_get-token()

+{

+    last_command="openshift_cli_serviceaccounts_get-token"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

+_openshift_cli_serviceaccounts_new-token()

+{

+    last_command="openshift_cli_serviceaccounts_new-token"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--labels=")

+    two_word_flags+=("-l")

+    flags+=("--timeout=")

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

+_openshift_cli_serviceaccounts()

+{

+    last_command="openshift_cli_serviceaccounts"

+    commands=()

+    commands+=("get-token")

+    commands+=("new-token")

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _openshift_cli_logs()

 {

     last_command="openshift_cli_logs"

@@ -9147,6 +9269,53 @@ _openshift_cli_create_secret()

     must_have_one_noun=()

 }

+_openshift_cli_create_serviceaccount()

+{

+    last_command="openshift_cli_create_serviceaccount"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--dry-run")

+    flags+=("--generator=")

+    flags+=("--output=")

+    two_word_flags+=("-o")

+    flags+=("--output-version=")

+    flags+=("--save-config")

+    flags+=("--schema-cache-dir=")

+    flags+=("--validate")

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _openshift_cli_create_route_edge()

 {

     last_command="openshift_cli_create_route_edge"

@@ -9346,6 +9515,7 @@ _openshift_cli_create()

     commands=()

     commands+=("namespace")

     commands+=("secret")

+    commands+=("serviceaccount")

     commands+=("route")

     flags=()

@@ -10686,6 +10856,7 @@ _openshift_cli()

     commands+=("scale")

     commands+=("autoscale")

     commands+=("secrets")

+    commands+=("serviceaccounts")

     commands+=("logs")

     commands+=("rsh")

     commands+=("rsync")

@@ -11129,12 +11300,61 @@ _openshift_kube_create_secret()

     must_have_one_noun=()

 }

+_openshift_kube_create_serviceaccount()

+{

+    last_command="openshift_kube_create_serviceaccount"

+    commands=()

+

+    flags=()

+    two_word_flags=()

+    flags_with_completion=()

+    flags_completion=()

+

+    flags+=("--dry-run")

+    flags+=("--generator=")

+    flags+=("--output=")

+    two_word_flags+=("-o")

+    flags+=("--output-version=")

+    flags+=("--save-config")

+    flags+=("--schema-cache-dir=")

+    flags+=("--validate")

+    flags+=("--api-version=")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

+    flags+=("--client-certificate=")

+    flags_with_completion+=("--client-certificate")

+    flags_completion+=("_filedir")

+    flags+=("--client-key=")

+    flags_with_completion+=("--client-key")

+    flags_completion+=("_filedir")

+    flags+=("--cluster=")

+    flags+=("--config=")

+    flags_with_completion+=("--config")

+    flags_completion+=("_filedir")

+    flags+=("--context=")

+    flags+=("--google-json-key=")

+    flags+=("--insecure-skip-tls-verify")

+    flags+=("--kubeconfig=")

+    flags+=("--log-flush-frequency=")

+    flags+=("--match-server-version")

+    flags+=("--namespace=")

+    two_word_flags+=("-n")

+    flags+=("--server=")

+    flags+=("--token=")

+    flags+=("--user=")

+

+    must_have_one_flag=()

+    must_have_one_noun=()

+}

+

 _openshift_kube_create()

 {

     last_command="openshift_kube_create"

     commands=()

     commands+=("namespace")

     commands+=("secret")

+    commands+=("serviceaccount")

     flags=()

     two_word_flags=()

@@ -841,6 +841,19 @@ Create a secret from a local file, directory or literal value.

 ====

+== oc create serviceaccount

+Create a service account with the specified name.

+

+====

+

+[options="nowrap"]

+----

+  # Create a new service account named my-service-account

+  $ kubectl create serviceaccount my-service-account

+----

+====

+

+

 == oc debug

 Launch a new instance of a pod for debugging

@@ -1625,6 +1638,38 @@ Create a new secret for SSH authentication

 ====

+== oc serviceaccounts get-token

+Get a token assigned to a service account.

+

+====

+

+[options="nowrap"]

+----

+  # Get the service account token from service account 'default'

+  $ oc serviceaccounts get-token 'default'

+

+----

+====

+

+

+== oc serviceaccounts new-token

+Generate a new token for a service account.

+

+====

+

+[options="nowrap"]

+----

+  # Generate a new token for service account 'default'

+  $ oc serviceaccounts new-token 'default'

+

+  # Generate a new token for service account 'default' and apply 

+  # labels 'foo' and 'bar' to the new token for identification

+  # oc serviceaccounts new-token 'default' --labels foo=foo-value,bar=bar-value

+

+----

+====

+

+

 == oc set env

 Update environment variables on a pod template

@@ -18,6 +18,7 @@ import (

 	"github.com/openshift/origin/pkg/cmd/cli/cmd/rsync"

 	"github.com/openshift/origin/pkg/cmd/cli/cmd/set"

 	"github.com/openshift/origin/pkg/cmd/cli/policy"

+	"github.com/openshift/origin/pkg/cmd/cli/sa"

 	"github.com/openshift/origin/pkg/cmd/cli/secrets"

 	"github.com/openshift/origin/pkg/cmd/flagtypes"

 	"github.com/openshift/origin/pkg/cmd/templates"

@@ -122,6 +123,7 @@ func NewCommandCLI(name, fullName string, in io.Reader, out, errout io.Writer) *

 				cmd.NewCmdScale(fullName, f, out),

 				cmd.NewCmdAutoscale(fullName, f, out),

 				secrets.NewCmdSecrets(secrets.SecretsRecommendedName, fullName+" "+secrets.SecretsRecommendedName, f, in, out, fullName+" edit"),

+				sa.NewCmdServiceAccounts(sa.ServiceAccountsRecommendedName, fullName+" "+sa.ServiceAccountsRecommendedName, f, out),

 			},

 		},

 		{

new file mode 100644

@@ -0,0 +1,139 @@

+package sa

+

+import (

+	"errors"

+	"fmt"

+	"io"

+	"os"

+

+	"github.com/spf13/cobra"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/client/unversioned"

+	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+

+	"github.com/openshift/origin/pkg/cmd/util"

+	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

+	"github.com/openshift/origin/pkg/serviceaccounts"

+)

+

+const (

+	GetServiceAccountTokenRecommendedName = "get-token"

+

+	getServiceAccountTokenShort = `Get a token assigned to a service account.`

+

+	getServiceAccountTokenLong = `

+Get a token assigned to a service account.

+

+If the service account has multiple tokens, the first token found will be returned.

+

+Service account API tokens are used by service accounts to authenticate to the API.

+Client actions using a service account token will be executed as if the service account

+itself were making the actions.

+`

+

+	getServiceAccountTokenUsage = `%s SA-NAME`

+

+	getServiceAccountTokenExamples = `  # Get the service account token from service account 'default'

+  $ %[1]s 'default'

+`

+)

+

+type GetServiceAccountTokenOptions struct {

+	SAName        string

+	SAClient      unversioned.ServiceAccountsInterface

+	SecretsClient unversioned.SecretsInterface

+

+	Out io.Writer

+	Err io.Writer

+}

+

+func NewCommandGetServiceAccountToken(name, fullname string, f *clientcmd.Factory, out io.Writer) *cobra.Command {

+	options := &GetServiceAccountTokenOptions{

+		Out: out,

+		Err: os.Stderr,

+	}

+

+	getServiceAccountTokenCommand := &cobra.Command{

+		Use:     fmt.Sprintf(getServiceAccountTokenUsage, name),

+		Short:   getServiceAccountTokenShort,

+		Long:    getServiceAccountTokenLong,

+		Example: fmt.Sprintf(getServiceAccountTokenExamples, fullname),

+		Run: func(cmd *cobra.Command, args []string) {

+			cmdutil.CheckErr(options.Complete(args, f, cmd))

+

+			cmdutil.CheckErr(options.Validate())

+

+			cmdutil.CheckErr(options.Run())

+		},

+	}

+

+	return getServiceAccountTokenCommand

+}

+

+func (o *GetServiceAccountTokenOptions) Complete(args []string, f *clientcmd.Factory, cmd *cobra.Command) error {

+	if len(args) != 1 {

+		return cmdutil.UsageError(cmd, fmt.Sprintf("expected one service account name as an argument, got %q", args))

+	}

+

+	o.SAName = args[0]

+

+	client, err := f.Client()

+	if err != nil {

+		return err

+	}

+

+	namespace, _, err := f.DefaultNamespace()

+	if err != nil {

+		return err

+	}

+

+	o.SAClient = client.ServiceAccounts(namespace)

+	o.SecretsClient = client.Secrets(namespace)

+	return nil

+}

+

+func (o *GetServiceAccountTokenOptions) Validate() error {

+	if o.SAName == "" {

+		return errors.New("service account name cannot be empty")

+	}

+

+	if o.SAClient == nil || o.SecretsClient == nil {

+		return errors.New("API clients must not be nil in order to create a new service account token")

+	}

+

+	if o.Out == nil || o.Err == nil {

+		return errors.New("cannot proceed if output or error writers are nil")

+	}

+

+	return nil

+}

+

+func (o *GetServiceAccountTokenOptions) Run() error {

+	serviceAccount, err := o.SAClient.Get(o.SAName)

+	if err != nil {

+		return err

+	}

+

+	for _, reference := range serviceAccount.Secrets {

+		secret, err := o.SecretsClient.Get(reference.Name)

+		if err != nil {

+			continue

+		}

+

+		if serviceaccounts.IsValidServiceAccountToken(serviceAccount, secret) {

+			token, exists := secret.Data[kapi.ServiceAccountTokenKey]

+			if !exists {

+				return fmt.Errorf("service account token %q for service account %q did not contain token data", secret.Name, serviceAccount.Name)

+			}

+

+			fmt.Fprintf(o.Out, string(token))

+			if util.IsTerminalWriter(o.Out) {

+				// pretty-print for a TTY

+				fmt.Fprintf(o.Out, "\n")

+			}

+			return nil

+		}

+	}

+	return fmt.Errorf("could not find a service account token for service account %q", serviceAccount.Name)

+}

new file mode 100644

@@ -0,0 +1,235 @@

+package sa

+

+import (

+	"errors"

+	"fmt"

+	"io"

+	"math"

+	"os"

+	"time"

+

+	"github.com/spf13/cobra"

+

+	"k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/client/unversioned"

+	"k8s.io/kubernetes/pkg/fields"

+	"k8s.io/kubernetes/pkg/kubectl"

+	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+	"k8s.io/kubernetes/pkg/watch"

+

+	"github.com/openshift/origin/pkg/cmd/cli/cmd"

+	"github.com/openshift/origin/pkg/cmd/util"

+	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

+	"github.com/openshift/origin/pkg/serviceaccounts"

+	osautil "github.com/openshift/origin/pkg/serviceaccounts/util"

+)

+

+const (

+	NewServiceAccountTokenRecommendedName = "new-token"

+

+	newServiceAccountTokenShort = `Generate a new token for a service account.`

+

+	newServiceAccountTokenLong = `

+Generate a new token for a service account.

+

+Service account API tokens are used by service accounts to authenticate to the API.

+This command will generate a new token, which could be used to compartmentalize service

+account actions by executing them with distinct tokens, to rotate out pre-existing token

+on the service account, or for use by an external client. If a label is provided, it will

+be applied to any created token so that tokens created with this command can be idenitifed.

+`

+

+	newServiceAccountTokenUsage = `%s SA-NAME`

+

+	newServiceAccountTokenExamples = `  # Generate a new token for service account 'default'

+  $ %[1]s 'default'

+

+  # Generate a new token for service account 'default' and apply 

+  # labels 'foo' and 'bar' to the new token for identification

+  # %[1]s 'default' --labels foo=foo-value,bar=bar-value

+`

+)

+

+type NewServiceAccountTokenOptions struct {

+	SAName        string

+	SAClient      unversioned.ServiceAccountsInterface

+	SecretsClient unversioned.SecretsInterface

+

+	Labels map[string]string

+

+	Timeout time.Duration

+

+	Out io.Writer

+	Err io.Writer

+}

+

+func NewCommandNewServiceAccountToken(name, fullname string, f *clientcmd.Factory, out io.Writer) *cobra.Command {

+	options := &NewServiceAccountTokenOptions{

+		Out:    out,

+		Err:    os.Stderr,

+		Labels: map[string]string{},

+	}

+

+	var requestedLabels string

+	newServiceAccountTokenCommand := &cobra.Command{

+		Use:     fmt.Sprintf(newServiceAccountTokenUsage, name),

+		Short:   newServiceAccountTokenShort,

+		Long:    newServiceAccountTokenLong,

+		Example: fmt.Sprintf(newServiceAccountTokenExamples, fullname),

+		Run: func(cmd *cobra.Command, args []string) {

+			cmdutil.CheckErr(options.Complete(args, requestedLabels, f, cmd))

+

+			cmdutil.CheckErr(options.Validate())

+

+			cmdutil.CheckErr(options.Run())

+		},

+	}

+

+	newServiceAccountTokenCommand.Flags().DurationVar(&options.Timeout, "timeout", 30*time.Second, "the maximum time allowed to generate a token")

+	newServiceAccountTokenCommand.Flags().StringVarP(&requestedLabels, "labels", "l", "", "labels to set in all resources for this application, given as a comma-delimited list of key-value pairs")

+	return newServiceAccountTokenCommand

+}

+

+func (o *NewServiceAccountTokenOptions) Complete(args []string, requestedLabels string, f *clientcmd.Factory, cmd *cobra.Command) error {

+	if len(args) != 1 {

+		return cmdutil.UsageError(cmd, fmt.Sprintf("expected one service account name as an argument, got %q", args))

+	}

+

+	o.SAName = args[0]

+

+	if len(requestedLabels) > 0 {

+		labels, err := kubectl.ParseLabels(requestedLabels)

+		if err != nil {

+			return cmdutil.UsageError(cmd, err.Error())

+		}

+		o.Labels = labels

+	}

+

+	client, err := f.Client()

+	if err != nil {

+		return err

+	}

+

+	namespace, _, err := f.DefaultNamespace()

+	if err != nil {

+		return fmt.Errorf("could not retrieve default namespace: %v", err)

+	}

+

+	o.SAClient = client.ServiceAccounts(namespace)

+	o.SecretsClient = client.Secrets(namespace)

+	return nil

+}

+

+func (o *NewServiceAccountTokenOptions) Validate() error {

+	if o.SAName == "" {

+		return errors.New("service account name cannot be empty")

+	}

+

+	if o.SAClient == nil || o.SecretsClient == nil {

+		return errors.New("API clients must not be nil in order to create a new service account token")

+	}

+

+	if o.Timeout <= 0 {

+		return errors.New("a positive amount of time must be allotted for the timeout")

+	}

+

+	if o.Out == nil || o.Err == nil {

+		return errors.New("cannot proceed if output or error writers are nil")

+	}

+

+	return nil

+}

+

+// Run creates a new token secret, waits for the service account token controller to fulfill it, then adds the token to the service account

+func (o *NewServiceAccountTokenOptions) Run() error {

+	serviceAccount, err := o.SAClient.Get(o.SAName)

+	if err != nil {

+		return err

+	}

+

+	tokenSecret := &api.Secret{

+		ObjectMeta: api.ObjectMeta{

+			GenerateName: osautil.GetTokenSecretNamePrefix(serviceAccount),

+			Namespace:    serviceAccount.Namespace,

+			Labels:       o.Labels,

+			Annotations: map[string]string{

+				api.ServiceAccountNameKey: serviceAccount.Name,

+			},

+		},

+		Type: api.SecretTypeServiceAccountToken,

+		Data: map[string][]byte{},

+	}

+

+	persistedToken, err := o.SecretsClient.Create(tokenSecret)

+	if err != nil {

+		return err

+	}

+

+	// we need to wait for the service account token controller to make the new token valid

+	tokenSecret, err = waitForToken(persistedToken, serviceAccount, o.Timeout, o.SecretsClient)

+	if err != nil {

+		return err

+	}

+

+	token, exists := tokenSecret.Data[api.ServiceAccountTokenKey]

+	if !exists {

+		return fmt.Errorf("service account token %q did not contain token data", tokenSecret.Name)

+	}

+

+	fmt.Fprintf(o.Out, string(token))

+	if util.IsTerminalWriter(o.Out) {

+		// pretty-print for a TTY

+		fmt.Fprintf(o.Out, "\n")

+	}

+	return nil

+}

+

+// waitForToken uses `cmd.Until` to wait for the service account controller to fulfill the token request

+func waitForToken(token *api.Secret, serviceAccount *api.ServiceAccount, timeout time.Duration, client unversioned.SecretsInterface) (*api.Secret, error) {

+	// there is no provided rounding function, so we use Round(x) === Floor(x + 0.5)

+	timeoutSeconds := int64(math.Floor(timeout.Seconds() + 0.5))

+

+	options := api.ListOptions{

+		FieldSelector:   fields.SelectorFromSet(fields.Set(map[string]string{"metadata.name": token.Name})),

+		Watch:           true,

+		ResourceVersion: token.ResourceVersion,

+		TimeoutSeconds:  &timeoutSeconds,

+	}

+

+	watcher, err := client.Watch(options)

+	if err != nil {

+		return nil, fmt.Errorf("could not begin watch for token: %v", err)