allow multiple of --service-account-issuer #101155
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
sig/api-machinery
k8s-ci-robot
added
area/test
sig/testing
|
/assign @liggitt |
k8s-ci-robot
added
triage/accepted
| @@ -416,7 +416,7 @@ func CreateKubeAPIServerConfig( | |||
| pubKeys = append(pubKeys, keys...) | |||
| } | |||
| // Plumb the required metadata through ExtraConfig. | |||
| config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuer | |||
| config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuers[0] | |||
There was a problem hiding this comment.
are we guaranteed len(s.Authentication.ServiceAccounts.Issuers) > 0 here so this doesn't panic?
There was a problem hiding this comment.
it is guaranteed as long as the validation is called. in the integration tests, the test server doesn't provide those options and the validation is not called.
done. i added the validation logic in the test server initialization and the missing options.
| "This flag can be specified multiple times with different values but only the first one"+ | ||
| "is used to generate tokens.") |
There was a problem hiding this comment.
clarify that when specified multiple times, the first is used to generate tokens and all are used to determine which issuers are accepted
|
looks like a fair number of panics in integration tests, a few questions/clarifications, lgtm otherwise |
1 similar comment
|
looks like a fair number of panics in integration tests, a few questions/clarifications, lgtm otherwise |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
integration test failures look relevant |
zshihang
force-pushed
the
bound
branch
2 times, most recently
from
a4a1de7
to
e137547
Compare
k8s-ci-robot
added
the
sig/node
|
/test pull-kubernetes-e2e-kind |
|
/test pull-kubernetes-e2e-kind |
|
/retest |
| @@ -159,6 +160,7 @@ var ( | |||
| gvr("authorization.k8s.io", "v1beta1", "selfsubjectrulesreviews"): `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"namespace":"` + testNamespace + `"}}`, | |||
|
|
|||
| // Other Non persistent resources | |||
| gvr("", "v1", "serviceaccounts/token"): `{"metadata": {"name": "sa1name"}, "spec": {"audience": ["api"]}}`, | |||
There was a problem hiding this comment.
this is probably better done as an addition to customTestFuncs (similar to something like testPodBindingEviction)... I don't think the subresource create implementation is likely to work well as a generic implementation
test/integration/etcd/server.go
Outdated
| @@ -70,12 +77,25 @@ func StartRealMasterOrDie(t *testing.T, configFuncs ...func(*options.ServerRunOp | |||
| t.Fatal(err) | |||
| } | |||
|
|
|||
| saSigningKeyFile, err := ioutil.TempFile("/tmp", "key") | |||
There was a problem hiding this comment.
nit: name the file so it is clear it is a test key (insecure_test_key or something), since we're setting permission file permissions on it. applies to all the places we're persisting the test keys
| @@ -53,6 +54,12 @@ import ( | |||
| _ "k8s.io/kubernetes/pkg/controlplane" | |||
| ) | |||
|
|
|||
| const ecdsaPrivateKey = `-----BEGIN EC PRIVATE KEY----- | |||
There was a problem hiding this comment.
Add a comment to all the places we're inlining private keys that they are for test purposes only and are not considered secure (This key is for testing purposes only and is not considered secure.). Applies to all the places you added test key data
We've had issues with people reporting keys in testdata as security vulnerabilities
|
a few comments on tests and testdata, lgtm otherwise |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, zshihang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
change the issuer in a non-disruptive way
Special notes for your reviewer:
Does this PR introduce a user-facing change?
-->
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: