Allow specifying additional accepted issuers for the shoot kapi server

[dimityrmirchev]

How to categorize this PR?

/area control-plane
/kind api-change
/kind enhancement

What this PR does / why we need it:
In k8s 1.22+ there is a posibility to specify the flag --service-account-issuer multiple times for the kube-apiserver. Right now Gardener sets this flag to the value of .kubeAPIServer.serviceAccountConfig.issuer or defaults it to the API server's address. If one wants to change this flag, all of the already generated tokens will be invalidated and the change would cause disturbance. As kube-apiserver's documentation here (see --service-account-issuer flag) states if the flag is specified multiple times then the first occurrence will be used to generate new service account tokens and all other occurrences will be used to determine if a service account token is accepted.

This PR introduces a new field in the shoot spec called .kubeAPIServer.serviceAccountConfig.acceptedIssuers which will allow the configuration of multiple accepted issuers. This will allow a non-disruptive change of the issuer of the kube-apiserver. See here and read the note regarding the --service-account-issuer flag.

Having the ability to change the issuer of a kube-apiserver will give the opportunity to expose the openid-configuration and jwks of a cluster without enabling anonymous authentication. This will also allow serving the OpenID discovery documents on an endpoint with certificate signed by a trusted certificate authority.
Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
I am not sure if changing the order in the protobuf struct tags can have some implications.

Release note:

It is now possible to configure multiple accepted issuers for a shoot's `kube-apiserver` by setting `.kubernetes.kubeAPIServer.serviceAccountConfig.acceptedIssuers` in the shoot spec. This list of issuers will not be used to generate new service account tokens but will be used to determine if a service account token is accepted by asserting the value in the `iss` claim. This also allows a non-disruptive change of the current issuer of a `kube-apiserver`.

[dimityrmirchev]

/cc @vpnachev

[rfranzke]

/assign

[rfranzke]

Nice PR!

[rfranzke]

Why not simply assigning out.AcceptedIssuers = config.ServiceAccountConfig.AcceptedIssuers?

[dimityrmirchev]

My thought here was that it seems more robust to have different backing arrays for the out.AcceptedIssuers and config.ServiceAccountConfig.AcceptedIssuers slices.

[rfranzke]

Why?

[dimityrmirchev]

Documentation of b.Shoot.GetInfo() states that the method should be used only for reading the data of the shoot resource. This is why it seems more logical to me to use a different underlying array since I do not expect modifying the out object to actually change the shoot's spec object.

[rfranzke]

OK, but we don't do this anywhere else, so I would still vote for going the straight-forward way for consistency reasons.

[dimityrmirchev]

I get your point and I did the requested changes. The behavior we are supporting is still rather confusing for me. I am leaving a sample test for reference.

It("Failing test", func() {
	botanist.Shoot.SetInfo(&gardencorev1beta1.Shoot{
		Spec: gardencorev1beta1.ShootSpec{
			Kubernetes: gardencorev1beta1.Kubernetes{
				KubeAPIServer: &gardencorev1beta1.KubeAPIServerConfig{
					ServiceAccountConfig: &gardencorev1beta1.ServiceAccountConfig{
						AcceptedIssuers: []string{"a", "b"},
					},
				},
			},
		},
	})

	serviceAccountConfig, err := botanist.computeKubeAPIServerServiceAccountConfig(ctx, botanist.Shoot.GetInfo().Spec.Kubernetes.KubeAPIServer, "something.here.com")
	Expect(err).NotTo(HaveOccurred())
	serviceAccountConfig.AcceptedIssuers[0] = "c"
	Expect(botanist.Shoot.GetInfo().Spec.Kubernetes.KubeAPIServer.ServiceAccountConfig.AcceptedIssuers[0]).To(Equal("a"))
})

[ialidzhikov]

Minor nits otherwise lgtm.

[ialidzhikov]

/lgtm
/squash