gardener · rfranzke · Mar 4, 2022 · Mar 1, 2022 · Mar 2, 2022 · Mar 4, 2022
diff --git a/docs/api-reference/core.md b/docs/api-reference/core.md
@@ -8726,8 +8726,8 @@ string
 <td>
 <em>(Optional)</em>
 <p>Issuer is the identifier of the service account token issuer. The issuer will assert this
-identifier in &ldquo;iss&rdquo; claim of issued tokens. This value is a string or URI.
-Defaults to URI of the API server.</p>
+identifier in &ldquo;iss&rdquo; claim of issued tokens. This value is used to generate new service account tokens.
+This value is a string or URI. Defaults to URI of the API server.</p>
 </td>
 </tr>
 <tr>
@@ -8777,6 +8777,21 @@ otherwise valid TokenRequest with a validity duration larger than this value is
 with a validity duration of this value.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>acceptedIssuers</code></br>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted.
+These values are not used to generate new service account tokens. Only useful when service account tokens are also
+issued by another external system or a change of the current issuer that is used for generating tokens is being performed.
+This field is only available for Kubernetes v1.22 or later.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="core.gardener.cloud/v1beta1.ShootAdvertisedAddress">ShootAdvertisedAddress

diff --git a/example/90-shoot.yaml b/example/90-shoot.yaml
@@ -177,6 +177,9 @@ spec:
   #   enableAnonymousAuthentication: false # See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
   #   serviceAccountConfig:
   #     issuer: foo
+  #     acceptedIssuers:
+  #     - foo1
+  #     - foo2
   #     signingKeySecretName:
   #       name: my-signing-key-secret
   #     extendTokenExpiration: true

diff --git a/pkg/apis/core/types_shoot.go b/pkg/apis/core/types_shoot.go
@@ -488,8 +488,8 @@ type KubeAPIServerRequests struct {
 // ServiceAccountConfig is the kube-apiserver configuration for service accounts.
 type ServiceAccountConfig struct {
 	// Issuer is the identifier of the service account token issuer. The issuer will assert this
-	// identifier in "iss" claim of issued tokens. This value is a string or URI.
-	// Defaults to URI of the API server.
+	// identifier in "iss" claim of issued tokens. This value is used to generate new service account tokens.
+	// This value is a string or URI. Defaults to URI of the API server.
 	Issuer *string
 	// SigningKeySecret is a reference to a secret that contains an optional private key of the
 	// service account token issuer. The issuer will sign issued ID tokens with this private key.
@@ -504,6 +504,11 @@ type ServiceAccountConfig struct {
 	// otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued
 	// with a validity duration of this value.
 	MaxTokenExpiration *metav1.Duration
+	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted.
+	// These values are not used to generate new service account tokens. Only useful when service account tokens are also
+	// issued by another external system or a change of the current issuer that is used for generating tokens is being performed.
+	// This field is only available for Kubernetes v1.22 or later.
+	AcceptedIssuers []string
 }
 
 // AuditConfig contains settings for audit of the api server

diff --git a/pkg/apis/core/v1alpha1/generated.pb.go b/pkg/apis/core/v1alpha1/generated.pb.go
diff --git a/pkg/apis/core/v1alpha1/generated.proto b/pkg/apis/core/v1alpha1/generated.proto
diff --git a/pkg/apis/core/v1alpha1/types_shoot.go b/pkg/apis/core/v1alpha1/types_shoot.go
@@ -603,8 +603,8 @@ type KubeAPIServerRequests struct {
 // ServiceAccountConfig is the kube-apiserver configuration for service accounts.
 type ServiceAccountConfig struct {
 	// Issuer is the identifier of the service account token issuer. The issuer will assert this
-	// identifier in "iss" claim of issued tokens. This value is a string or URI.
-	// Defaults to URI of the API server.
+	// identifier in "iss" claim of issued tokens. This value is used to generate new service account tokens.
+	// This value is a string or URI. Defaults to URI of the API server.
 	// +optional
 	Issuer *string `json:"issuer,omitempty" protobuf:"bytes,1,opt,name=issuer"`
 	// SigningKeySecret is a reference to a secret that contains an optional private key of the
@@ -623,6 +623,12 @@ type ServiceAccountConfig struct {
 	// with a validity duration of this value.
 	// +optional
 	MaxTokenExpiration *metav1.Duration `json:"maxTokenExpiration,omitempty" protobuf:"bytes,4,opt,name=maxTokenExpiration"`
+	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted.
+	// These values are not used to generate new service account tokens. Only useful when service account tokens are also
+	// issued by another external system or a change of the current issuer that is used for generating tokens is being performed.
+	// This field is only available for Kubernetes v1.22 or later.
+	// +optional
+	AcceptedIssuers []string `json:"acceptedIssuers,omitempty" protobuf:"bytes,5,opt,name=acceptedIssuers"`
 }
 
 // AuditConfig contains settings for audit of the api server

diff --git a/pkg/apis/core/v1alpha1/zz_generated.conversion.go b/pkg/apis/core/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/core/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/core/v1alpha1/zz_generated.deepcopy.go