append AdditionalServiceAccountIssuers flags

zetaab · Apr 29, 2024 · a35c4f3 · a35c4f3
1 parent 496b7f5
commit a35c4f3
Showing 6 changed files with 10 additions and 66 deletions.
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
@@ -678,7 +678,9 @@ func (b *KubeAPIServerBuilder) buildPod(ctx context.Context, kubeAPIServer *kops
 			"/usr/local/bin/kube-apiserver",
 		}
 		container.Args = append(container.Args, sortedStrings(flags)...)
-		container.Args = sortServiceAccountIssuers(container.Args, fi.ValueOf(kubeAPIServer.ServiceAccountIssuer), kubeAPIServer.AdditionalServiceAccountIssuers)
+		for _, issuer := range kubeAPIServer.AdditionalServiceAccountIssuers {
+			container.Args = append(container.Args, "--service-account-issuer="+issuer)
+		}
 	}
 
 	for _, path := range b.SSLHostPaths() {
@@ -756,26 +758,3 @@ func (b *KubeAPIServerBuilder) buildAnnotations() map[string]string {
 
 	return annotations
 }
-
-func sortServiceAccountIssuers(in []string, currentIssuer string, oldIssuers []string) []string {
-	if len(oldIssuers) == 0 {
-		return in
-	}
-
-	positionMap := make(map[int]string)
-	positionMap[0] = fmt.Sprintf("--service-account-issuer=%s", currentIssuer)
-	for k, v := range oldIssuers {
-		positionMap[k+1] = fmt.Sprintf("--service-account-issuer=%s", v)
-	}
-
-	out := make([]string, 0, len(in))
-	issuerPosition := 0
-	for _, flag := range in {
-		if strings.HasPrefix(flag, "--service-account-issuer=") {
-			flag = positionMap[issuerPosition]
-			issuerPosition++
-		}
-		out = append(out, flag)
-	}
-	return out
-}
diff --git a/nodeup/pkg/model/kube_apiserver_test.go b/nodeup/pkg/model/kube_apiserver_test.go
@@ -19,7 +19,6 @@ package model
 import (
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/upup/pkg/fi"
@@ -198,37 +197,3 @@ func TestKubeAPIServerBuilderARM64(t *testing.T) {
 		return builder.Build(target)
 	})
 }
-
-func TestSortServiceAccountIssuers(t *testing.T) {
-	type testCase struct {
-		name          string
-		flags         []string
-		currentIssuer string
-		oldIssuers    []string
-		expected      []string
-	}
-
-	testCases := []testCase{
-		{
-			name:          "flags without old issuers",
-			flags:         []string{"--bar=foo", "--service-account-issuer=https://foo"},
-			currentIssuer: "https://foo",
-			oldIssuers:    nil,
-			expected:      []string{"--bar=foo", "--service-account-issuer=https://foo"},
-		},
-		{
-			name:          "flags without with old issuers",
-			flags:         []string{"--bar=foo", "--service-account-issuer=https://aa", "--service-account-issuer=https://bar", "--service-account-issuer=https://foo", "--zz=zz"},
-			currentIssuer: "https://foo",
-			oldIssuers:    []string{"https://aa", "https://bar"},
-			expected:      []string{"--bar=foo", "--service-account-issuer=https://foo", "--service-account-issuer=https://aa", "--service-account-issuer=https://bar", "--zz=zz"},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			actual := sortServiceAccountIssuers(tc.flags, tc.currentIssuer, tc.oldIssuers)
-			assert.Equal(t, tc.expected, actual)
-		})
-	}
-}
diff --git a/nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml b/nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
@@ -53,10 +53,6 @@ contents: |
       - --requestheader-username-headers=X-Remote-User
       - --secure-port=443
       - --service-account-issuer=https://huh.com/multisaissuer.example.com
-      - --service-account-issuer=https://foobar.com
-      - --service-account-issuer=https://aaa.com
-      - --service-account-issuer=https://hello.com
-      - --service-account-issuer=https://dorld.com
       - --service-account-jwks-uri=https://huh.com/multisaissuer.example.com/openid/v1/jwks
       - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
       - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
@@ -65,6 +61,10 @@ contents: |
       - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
       - --tls-private-key-file=/srv/kubernetes/kube-apiserver/server.key
       - --v=2
+      - --service-account-issuer=https://foobar.com
+      - --service-account-issuer=https://aaa.com
+      - --service-account-issuer=https://hello.com
+      - --service-account-issuer=https://dorld.com
       command:
       - /go-runner
       image: registry.k8s.io/kube-apiserver:v1.28.0

diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
@@ -501,7 +501,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`
 
 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`
 
 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`

diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -508,7 +508,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`
 
 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`
 
 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`

diff --git a/pkg/apis/kops/v1alpha3/componentconfig.go b/pkg/apis/kops/v1alpha3/componentconfig.go
@@ -499,7 +499,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`
 
 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`
 
 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`