allow multiple of --service-account-issuer #101155
Conversation
/assign @liggitt
@@ -416,7 +416,7 @@ func CreateKubeAPIServerConfig( | |||
pubKeys = append(pubKeys, keys...) | |||
} | |||
// Plumb the required metadata through ExtraConfig. | |||
config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuer | |||
config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuers[0] |
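Review bot: the replacement line `config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuers[0]` indexes the slice without a length check, so an empty Issuers list panics with an index out of range instead of failing with a readable error. The line is only safe if options validation (which requires at least one issuer) has already run, and callers such as the integration test server can build ServerRunOptions without going through validation; either guard the index with a `len(...) > 0` check that returns an error, or state the validation invariant in the adjacent comment so the dependency is explicit.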
are we guaranteed len(s.Authentication.ServiceAccounts.Issuers) > 0 here so this doesn't panic?
it is guaranteed as long as the validation is called. in the integration tests, the test server doesn't provide those options and the validation is not called.
done. i added the validation logic in the test server initialization and the missing options.
"This flag can be specified multiple times with different values but only the first one"+ | ||
"is used to generate tokens.") |
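Review bot: the two help-string literals are concatenated with no separating space between `"...but only the first one"+` and `"is used to generate tokens."`, so the rendered --help reads "first oneis used"; add a trailing space to the first literal. The text should also say what the remaining values do: the first issuer is used to generate tokens and every listed issuer is accepted when validating them, which is what lets an operator repeat the flag to rotate issuers without invalidating tokens already in circulation.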
clarify that when specified multiple times, the first is used to generate tokens and all are used to determine which issuers are accepted
done.
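The two review threads above turn on the same two facts: `Issuers[0]` is safe only after validation has required at least one issuer, and when the flag is repeated the first value is used to mint tokens while every value is accepted on verification. The following Go example, added here and not taken from the PR or from kube-apiserver, models that contract with a hypothetical `ServiceAccountIssuerConfig` type and three hypothetical helpers (`Validate`, `SigningIssuer`, `IssuerAccepted`); the https requirement on URL-shaped issuers is this example's own choice, and the example issuer URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ServiceAccountIssuerConfig is a hypothetical stand-in for the part of the
// apiserver options this PR changes: --service-account-issuer becomes a list.
// The first entry is the issuer written into newly minted tokens; every entry
// is an accepted value for the "iss" claim when a token is verified.
type ServiceAccountIssuerConfig struct {
	Issuers []string
}

// Validate is the check that must run before anything indexes Issuers[0].
// It rejects an empty list, blank or duplicate entries, and URL-shaped issuers
// that are not https (the https rule is this example's choice, an assumption).
func Validate(c ServiceAccountIssuerConfig) error {
	if len(c.Issuers) == 0 {
		return errors.New("--service-account-issuer is required; specify it at least once")
	}
	seen := make(map[string]bool, len(c.Issuers))
	for i, iss := range c.Issuers {
		if strings.TrimSpace(iss) == "" {
			return fmt.Errorf("--service-account-issuer[%d] is empty", i)
		}
		if seen[iss] {
			return fmt.Errorf("--service-account-issuer %q is listed more than once", iss)
		}
		seen[iss] = true
		if strings.Contains(iss, "://") {
			u, err := url.Parse(iss)
			if err != nil || u.Scheme != "https" {
				return fmt.Errorf("--service-account-issuer %q must be an https URL", iss)
			}
		}
	}
	return nil
}

// SigningIssuer returns the issuer placed into new tokens. It guards the index
// instead of assuming Validate ran, so an unvalidated config (the integration
// test server case from the review) fails with an error rather than a panic.
func SigningIssuer(c ServiceAccountIssuerConfig) (string, error) {
	if len(c.Issuers) == 0 {
		return "", errors.New("no service account issuer configured")
	}
	return c.Issuers[0], nil
}

// IssuerAccepted reports whether a token's "iss" claim matches any configured issuer.
func IssuerAccepted(c ServiceAccountIssuerConfig, iss string) bool {
	for _, configured := range c.Issuers {
		if configured == iss {
			return true
		}
	}
	return false
}

// main walks the non-disruptive rotation: tokens minted under the old issuer
// keep verifying after the new issuer is placed first in the list.
func main() {
	before := ServiceAccountIssuerConfig{Issuers: []string{"https://old.example.com"}}
	after := ServiceAccountIssuerConfig{Issuers: []string{"https://new.example.com", "https://old.example.com"}}
	for _, c := range []ServiceAccountIssuerConfig{before, after} {
		if err := Validate(c); err != nil {
			fmt.Println("invalid config:", err)
			continue
		}
		signing, _ := SigningIssuer(c)
		fmt.Printf("config %v: new tokens get iss=%s; old-issuer token accepted=%v\n",
			c.Issuers, signing, IssuerAccepted(c, "https://old.example.com"))
	}
	// An empty config fails closed instead of panicking on Issuers[0].
	if _, err := SigningIssuer(ServiceAccountIssuerConfig{}); err != nil {
		fmt.Println("empty config:", err)
	}
}
```

The rotation sequence this enables is: add the new issuer in front of the old one, wait until every token minted under the old issuer has expired or been refreshed, then drop the old issuer from the list.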
looks like a fair number of panics in integration tests, a few questions/clarifications, lgtm otherwise
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
integration test failures look relevant
a4a1de7 to e137547
/test pull-kubernetes-e2e-kind
/test pull-kubernetes-e2e-kind
/retest
@@ -159,6 +160,7 @@ var ( | |||
gvr("authorization.k8s.io", "v1beta1", "selfsubjectrulesreviews"): `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"namespace":"` + testNamespace + `"}}`, | |||
|
|||
// Other Non persistent resources | |||
gvr("", "v1", "serviceaccounts/token"): `{"metadata": {"name": "sa1name"}, "spec": {"audience": ["api"]}}`, |
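Review bot: `serviceaccounts/token` is a create-only subresource that, as the hunk's own "Other Non persistent resources" comment says, is never stored in etcd, so adding `gvr("", "v1", "serviceaccounts/token")` with a TokenRequest body to the generic resource table is unlikely to exercise it meaningfully: the generic path expects to create an object, read it back from storage and delete it. A dedicated entry in customTestFuncs, in the same style as testPodBindingEviction, can issue the TokenRequest against an existing ServiceAccount and assert on the returned token instead.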
this is probably better done as an addition to customTestFuncs (similar to something like testPodBindingEviction)... I don't think the subresource create implementation is likely to work well as a generic implementation
done
test/integration/etcd/server.go (outdated)
@@ -70,12 +77,25 @@ func StartRealMasterOrDie(t *testing.T, configFuncs ...func(*options.ServerRunOp | |||
t.Fatal(err) | |||
} | |||
|
|||
saSigningKeyFile, err := ioutil.TempFile("/tmp", "key") |
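Review bot: `ioutil.TempFile("/tmp", "key")` hardcodes the directory and gives the file a name that says nothing about it being test material. Pass `""` as the directory so os.TempDir (and TMPDIR) is honored, use a prefix such as `insecure_test_key` so that a file left behind on disk or pasted into a bug report is obviously not a real credential, and make sure the file is removed when the test server shuts down. The file permissions being set later in this function are the right idea, but the name is what stops the key from being reported as a leak.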
nit: name the file so it is clear it is a test key (insecure_test_key or something), since we're setting file permissions on it. applies to all the places we're persisting the test keys
done
@@ -53,6 +54,12 @@ import ( | |||
_ "k8s.io/kubernetes/pkg/controlplane" | |||
) | |||
|
|||
const ecdsaPrivateKey = `-----BEGIN EC PRIVATE KEY----- |
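Review bot: the inlined `ecdsaPrivateKey` PEM constant needs a comment on the line above stating that it is for testing purposes only and is not considered secure; private keys committed in testdata get reported as leaked credentials otherwise, and the same comment belongs on every other key this PR adds. Keeping the key in a clearly test-only location, with that comment, makes the intent obvious to anyone scanning the repository for secrets.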
Add a comment to all the places we're inlining private keys that they are for test purposes only and are not considered secure ("This key is for testing purposes only and is not considered secure."). Applies to all the places you added test key data. We've had issues with people reporting keys in testdata as security vulnerabilities
done
a few comments on tests and testdata, lgtm otherwise
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, zshihang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
change the issuer in a non-disruptive way
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: