Allow specifying additional accepted issuers for the shoot kapi server #5498
Conversation
/cc @vpnachev
/assign
Nice PR!
if config.ServiceAccountConfig.AcceptedIssuers != nil {
	out.AcceptedIssuers = append([]string{}, config.ServiceAccountConfig.AcceptedIssuers...)
}
Why not simply assign out.AcceptedIssuers = config.ServiceAccountConfig.AcceptedIssuers?
My thought here was that it seems more robust to have different backing arrays for the out.AcceptedIssuers and config.ServiceAccountConfig.AcceptedIssuers slices.
Why?
Documentation of b.Shoot.GetInfo() states that the method should be used only for reading the data of the shoot resource. This is why it seems more logical to me to use a different underlying array, since I do not expect modifying the out object to actually change the shoot's spec object.
OK, but we don't do this anywhere else, so I would still vote for going the straightforward way for consistency reasons.
I get your point and I did the requested changes. The behavior we are supporting is still rather confusing for me. I am leaving a sample test for reference.
It("Failing test", func() {
	botanist.Shoot.SetInfo(&gardencorev1beta1.Shoot{
		Spec: gardencorev1beta1.ShootSpec{
			Kubernetes: gardencorev1beta1.Kubernetes{
				KubeAPIServer: &gardencorev1beta1.KubeAPIServerConfig{
					ServiceAccountConfig: &gardencorev1beta1.ServiceAccountConfig{
						AcceptedIssuers: []string{"a", "b"},
					},
				},
			},
		},
	})
	serviceAccountConfig, err := botanist.computeKubeAPIServerServiceAccountConfig(ctx, botanist.Shoot.GetInfo().Spec.Kubernetes.KubeAPIServer, "something.here.com")
	Expect(err).NotTo(HaveOccurred())
	// Mutate the computed config. With a plain slice assignment both slices share
	// one backing array, so this write shows up in the shoot info and the
	// expectation below fails.
	serviceAccountConfig.AcceptedIssuers[0] = "c"
	Expect(botanist.Shoot.GetInfo().Spec.Kubernetes.KubeAPIServer.ServiceAccountConfig.AcceptedIssuers[0]).To(Equal("a"))
})
Minor nits otherwise lgtm.
pkg/operation/botanist/component/kubeapiserver/kube_apiserver_test.go
/lgtm
/squash
gardener#5498) * Allow specifying additional accepted issuers for the shoot kapi server * Address comments * Address comments
How to categorize this PR?
/area control-plane
/kind api-change
/kind enhancement
What this PR does / why we need it:
In k8s 1.22+ there is a possibility to specify the flag --service-account-issuer multiple times for the kube-apiserver. Right now Gardener sets this flag to the value of .kubeAPIServer.serviceAccountConfig.issuer or defaults it to the API server's address. If one wants to change this flag, all of the already generated tokens will be invalidated and the change would cause disturbance. As kube-apiserver's documentation here (see --service-account-issuer flag) states, if the flag is specified multiple times then the first occurrence will be used to generate new service account tokens and all other occurrences will be used to determine if a service account token is accepted.
This PR introduces a new field in the shoot spec called .kubeAPIServer.serviceAccountConfig.acceptedIssuers which will allow the configuration of multiple accepted issuers. This will allow a non-disruptive change of the issuer of the kube-apiserver. See here and read the note regarding the --service-account-issuer flag.
Having the ability to change the issuer of a kube-apiserver will give the opportunity to expose the openid-configuration and jwks of a cluster without enabling anonymous authentication. This will also allow serving the OpenID discovery documents on an endpoint with a certificate signed by a trusted certificate authority.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
I am not sure if changing the order in the protobuf struct tags can have some implications.
Release note:
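As an added example (not code from the PR or from Gardener), the following stand-alone Go program shows the two points discussed on this page: the review-thread question of whether the computed AcceptedIssuers slice should share a backing array with the shoot spec, and the PR description's semantics of the repeated --service-account-issuer flag (the first occurrence signs new tokens, the others are only trusted when validating). The ServiceAccountConfig type, ComputeIssuers and IssuerFlags are simplified hypothetical stand-ins, and the issuer URLs are constructed sample values.

```go
package main

import "fmt"

// ServiceAccountConfig is a simplified stand-in for the shoot field discussed
// in the PR (hypothetical, not Gardener's real type).
type ServiceAccountConfig struct {
	Issuer          *string
	AcceptedIssuers []string
}

// ComputeIssuers resolves the signing issuer and copies the accepted issuers
// into a fresh backing array, so a caller mutating the returned slice cannot
// alter the shoot spec through it (the point debated in the review thread).
func ComputeIssuers(cfg *ServiceAccountConfig, defaultIssuer string) (string, []string) {
	issuer := defaultIssuer
	var accepted []string
	if cfg != nil && cfg.Issuer != nil {
		issuer = *cfg.Issuer
	}
	if cfg != nil && cfg.AcceptedIssuers != nil {
		accepted = append([]string{}, cfg.AcceptedIssuers...)
	}
	return issuer, accepted
}

// IssuerFlags renders the repeated --service-account-issuer flag: the first
// occurrence signs new tokens, every later one is only trusted for validation.
func IssuerFlags(issuer string, accepted []string) []string {
	flags := []string{"--service-account-issuer=" + issuer}
	seen := map[string]bool{issuer: true}
	for _, a := range accepted {
		if !seen[a] { // keep the flag list duplicate-free
			seen[a] = true
			flags = append(flags, "--service-account-issuer="+a)
		}
	}
	return flags
}

func main() {
	// Constructed sample: rotate to a new issuer while still accepting the old one.
	newIssuer := "https://new.example.com"
	cfg := &ServiceAccountConfig{Issuer: &newIssuer, AcceptedIssuers: []string{"https://old.example.com"}}
	issuer, accepted := ComputeIssuers(cfg, "https://api.default")
	accepted[0] = "mutated"
	fmt.Println(cfg.AcceptedIssuers[0]) // still https://old.example.com: the spec is untouched
	fmt.Println(IssuerFlags(issuer, cfg.AcceptedIssuers))
}
```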