Support multiple service-account-issuer flags

kubernetes · Apr 27, 2024 · 4777562 · 4777562
1 parent fd4fa6d
commit 4777562
Show file tree

Hide file tree

Showing 277 changed files with 828 additions and 269 deletions.
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -2075,6 +2075,15 @@ spec:
                       Identifier of the service account token issuer. The issuer will assert this identifier
                       in "iss" claim of issued tokens. This value is a string or URI.
                     type: string
+                  serviceAccountIssuers:
+                    description: |-
+                      Identifier of the service account token issuers. The issuer will assert this identifier
+                      in "iss" claim of issued tokens. This value is a string or URI.
+                      when using multiple issuers, the first issuer in the list will be used to sign tokens.
+                      All values are used to determine which issuers are accepted.
+                    items:
+                      type: string
+                    type: array
                   serviceAccountJWKSURI:
                     description: ServiceAccountJWKSURI overrides the path for the
                       jwks document; this is useful when we are republishing the service

diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
@@ -678,6 +678,7 @@ func (b *KubeAPIServerBuilder) buildPod(ctx context.Context, kubeAPIServer *kops
 			"/usr/local/bin/kube-apiserver",
 		}
 		container.Args = append(container.Args, sortedStrings(flags)...)
+		container.Args = sortServiceAccountIssuers(container.Args, kubeAPIServer.ServiceAccountIssuers)
 	}
 
 	for _, path := range b.SSLHostPaths() {
@@ -755,3 +756,25 @@ func (b *KubeAPIServerBuilder) buildAnnotations() map[string]string {
 
 	return annotations
 }
+
+func sortServiceAccountIssuers(in []string, issuers []string) []string {
+	if len(issuers) == 0 {
+		return in
+	}
+
+	positionMap := make(map[int]string)
+	for k, v := range issuers {
+		positionMap[k] = fmt.Sprintf("--service-account-issuer=%s", v)
+	}
+
+	out := make([]string, 0, len(in))
+	issuerPosition := 0
+	for _, flag := range in {
+		if strings.HasPrefix(flag, "--service-account-issuer=") {
+			flag = positionMap[issuerPosition]
+			issuerPosition++
+		}
+		out = append(out, flag)
+	}
+	return out
+}
diff --git a/nodeup/pkg/model/kube_apiserver_test.go b/nodeup/pkg/model/kube_apiserver_test.go
@@ -176,6 +176,13 @@ func TestWithoutEtcdEventsAPIServerBuilder(t *testing.T) {
 	})
 }
 
+func TestMultiServiceAccountIssuerBuilder(t *testing.T) {
+	RunGoldenTest(t, "tests/golden/multiple-sa-issuers", "kube-apiserver", func(nodeupModelContext *NodeupModelContext, target *fi.NodeupModelBuilderContext) error {
+		builder := KubeAPIServerBuilder{NodeupModelContext: nodeupModelContext}
+		return builder.Build(target)
+	})
+}
+
 func TestAwsIamAuthenticator(t *testing.T) {
 	RunGoldenTest(t, "tests/golden/awsiam", "kube-apiserver", func(nodeupModelContext *NodeupModelContext, target *fi.NodeupModelBuilderContext) error {
 		builder := KubeAPIServerBuilder{NodeupModelContext: nodeupModelContext}

diff --git a/nodeup/pkg/model/tests/golden/multiple-sa-issuers/cluster.yaml b/nodeup/pkg/model/tests/golden/multiple-sa-issuers/cluster.yaml
@@ -0,0 +1,70 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  name: multisaissuer.example.com
+spec:
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/multisaissuer.example.com
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: main
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/multisaissuer.example.com/backups/etcd-main
+  - cpuRequest: 100m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: events
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/multisaissuer.example.com/backups/etcd-events
+  iam: {}
+  kubelet:
+    anonymousAuth: false
+  kubernetesVersion: v1.28.0
+  masterPublicName: api.multisaissuer.example.com
+  networkCIDR: 172.20.0.0/16
+  kubeAPIServer:
+    serviceAccountIssuers:
+    - https://huh.com/multisaissuer.example.com
+    - https://foobar.com
+    - https://aaa.com
+    - https://hello.com
+    - https://dorld.com
+  networking:
+    kubenet: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: master-us-test-1a
+  labels:
+    kops.k8s.io/cluster: multisaissuer.example.com
+spec:
+  associatePublicIp: true
+  image: ami-1234
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a