Merge pull request #11391 from johngmyers/no-public-jwks

Don't use PublicJWKS in TestAWSLBController
2021-05-06 01:05:15 -07:00 · 2021-05-06 01:05:15 -07:00 · 3b719f3c8a
parent 7542c593cf d21cb0f306
commit 3b719f3c8a
4 changed files with 7 additions and 16 deletions
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@ -320,11 +320,11 @@ func TestVFSServiceAccountIssuerDiscovery(t *testing.T) {
 }
-// TestAWSLBController runs a simple configuration, but with AWS LB controller, UseServiceAccountIAM and PublicJWKS enabled
+// TestAWSLBController runs a simple configuration, but with AWS LB controller and UseServiceAccountIAM enabled
 func TestAWSLBController(t *testing.T) {
-	featureflag.ParseFlags("+UseServiceAccountIAM,+PublicJWKS")
+	featureflag.ParseFlags("+UseServiceAccountIAM")
 	unsetFeatureFlags := func() {
-		featureflag.ParseFlags("-UseServiceAccountIAM,-PublicJWKS")
+		featureflag.ParseFlags("-UseServiceAccountIAM")
 	}
 	defer unsetFeatureFlags()
--- a/pkg/model/components/discovery.go
+++ b/pkg/model/components/discovery.go
@ -17,8 +17,6 @@ limitations under the License.
 package components
 import (
 	"strings"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/iam"
@ -64,14 +62,9 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 			kubeAPIServer.FeatureGates = make(map[string]string)
 		}
 		kubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
 	}
-		if kubeAPIServer.ServiceAccountJWKSURI == nil {
+	if kubeAPIServer.ServiceAccountJWKSURI == nil {
 			jwksURL := *kubeAPIServer.ServiceAccountIssuer
 			jwksURL = strings.TrimSuffix(jwksURL, "/") + "/keys.json"
 			kubeAPIServer.ServiceAccountJWKSURI = &jwksURL
 		}
 	} else if kubeAPIServer.ServiceAccountJWKSURI == nil {
 		jwksURI, err := iam.ServiceAccountIssuer(clusterSpec)
 		if err != nil {
 			return err
--- a/tests/integration/update_cluster/aws-lb-controller/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -190,8 +190,6 @@ kubeAPIServer:
  - http://127.0.0.1:4001
  etcdServersOverrides:
  - /events#http://127.0.0.1:4002
  featureGates:
    ServiceAccountIssuerDiscovery: "true"
  image: k8s.gcr.io/kube-apiserver:v1.21.0
  kubeletPreferredAddressTypes:
  - InternalIP
@ -208,7 +206,7 @@ kubeAPIServer:
  - X-Remote-User
  securePort: 443
  serviceAccountIssuer: https://discovery.example.com/minimal.example.com/oidc
-  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/keys.json
+  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/openid/v1/jwks
  serviceClusterIPRange: 100.64.0.0/13
  storageBackend: etcd3
 kubeControllerManager:
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -208,7 +208,7 @@ kubeAPIServer:
  - X-Remote-User
  securePort: 443
  serviceAccountIssuer: https://discovery.example.com/minimal.example.com/oidc
-  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/keys.json
+  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/openid/v1/jwks
  serviceClusterIPRange: 100.64.0.0/13
  storageBackend: etcd3
 kubeControllerManager: