From 9fe330d7cf22e69c9bc654b279fc45c8085478a9 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 10 Apr 2023 23:03:10 -0700
Subject: [PATCH] fix API call SA token and response (#6842)
Signed-off-by: Jim Bugwadia
---
 .../templates/admission-controller/deployment.yaml | 9 ---------
 config/install-latest-testing.yaml | 9 ---------
 pkg/engine/apicall/apiCall.go | 12 +++++++++---
 3 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index 0a0fa685f4..31544fe9b1 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -202,16 +202,7 @@ spec:
 volumeMounts:
 - mountPath: {{ .Values.admissionController.tufRootMountPath }}
 name: sigstore
- - mountPath: /var/run/secrets/tokens
- name: api-token
 volumes:
 - name: sigstore
 {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }}
- - name: api-token
- projected:
- sources:
- - serviceAccountToken:
- path: api-token
- expirationSeconds: 600
- audience: kyverno-extension
 {{- end -}}
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 9d537292b6..2ecd211b57 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -34801,18 +34801,9 @@ spec:
 volumeMounts:
 - mountPath: /.sigstore
 name: sigstore
- - mountPath: /var/run/secrets/tokens
- name: api-token
 volumes:
 - name: sigstore
 emptyDir: {}
- - name: api-token
- projected:
- sources:
- - serviceAccountToken:
- path: api-token
- expirationSeconds: 600
- audience: kyverno-extension
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/pkg/engine/apicall/apiCall.go b/pkg/engine/apicall/apiCall.go
index 747b4fff76..bdd4e9698f 100644
--- a/pkg/engine/apicall/apiCall.go
+++ b/pkg/engine/apicall/apiCall.go
@@ -99,7 +99,12 @@ func (a *apiCall) executeServiceCall(service *kyvernov1.ServiceCall) ([]byte, er
 }
 if resp.StatusCode < 200 || resp.StatusCode >= 300 {
- return nil, fmt.Errorf("HTTP %d: %s", resp.StatusCode, resp.Status)
+ b, err := io.ReadAll(resp.Body)
+ if err == nil {
+ return nil, fmt.Errorf("HTTP %s: %s", resp.Status, string(b))
+ }
+
+ return nil, fmt.Errorf("HTTP %s", resp.Status)
 }
 defer resp.Body.Close()
@@ -139,9 +144,10 @@ func (a *apiCall) buildHTTPRequest(service *kyvernov1.ServiceCall) (req *http.Re
 }
 func (a *apiCall) getToken() string {
- b, err := os.ReadFile("/var/run/secrets/tokens/api-token")
+ fileName := "/var/run/secrets/kubernetes.io/serviceaccount/token"
+ b, err := os.ReadFile(fileName)
 if err != nil {
- a.log.Info("failed to read token", "path", "/var/run/secrets/tokens/api-token")
+ a.log.Info("failed to read service account token", "path", fileName)
 return ""
 }
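Review bot: The non-2xx branch reads the entire response body with `io.ReadAll(resp.Body)` with no size bound and then returns before the `defer resp.Body.Close()` that follows the block is ever reached, so an error response from the called service is never closed and an arbitrarily large body is buffered in full into the error string. Moving `defer resp.Body.Close()` above the status check and reading through a cap, `b, err := io.ReadAll(io.LimitReader(resp.Body, maxErrBodyBytes))` (constant value to be chosen, e.g. a few KiB), keeps the connection reusable and bounds memory. The body text is also embedded verbatim in the returned error; if that error is surfaced in the admission response or a policy report, the upstream service's error payload becomes visible to whoever triggered the request, which is worth truncating or at least calling out in a comment. The `err` declared with `:=` here shadows the outer one, harmless but easy to trip over later. executeServiceCall continues outside the hunk.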
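Review bot: getToken now reads the pod's own service-account token at `/var/run/secrets/kubernetes.io/serviceaccount/token` instead of the audience-bound projected token (audience `kyverno-extension`, 600s expiry) that the deployment.yaml hunk in this same commit removes. If the caller of getToken (outside this hunk) sends the value as a bearer token to the service named in the ServiceCall, that endpoint receives a credential whose audience is the Kubernetes API server and which would carry the admission controller's own RBAC, rather than one it can only use to verify the caller. A projected token with the receiving service's audience (or a TokenRequest issued per target audience) keeps the credential unusable outside the intended receiver; at minimum the choice deserves a doc comment such as `// getToken returns the pod's service-account token; it is API-server scoped, so it must only be sent to trusted in-cluster services.` The read failure is logged at Info level while every call then proceeds with an empty token, which is easy to miss; consider logging it as an error. getToken's body continues past the end of the hunk.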