Add toggle for AWS OIDC provider. Free it from any feature flag

k8s/crds/kops.k8s.io_clusters.yaml

@@ -4041,6 +4041,10 @@ spec:
                     description: DiscoveryStore is the VFS path to where OIDC Issuer
                       Discovery metadata is stored.
                     type: string
+                  enableAWSOIDCProvider:
+                    description: EnableAWSOIDCProvider will provision an AWS OIDC
+                      provider that trusts the ServiceAccount Issuer
+                    type: boolean
                 type: object
               serviceClusterIPRange:
                 description: ServiceClusterIPRange is the CIDR, from the internal

pkg/apis/kops/cluster.go

@@ -214,6 +214,8 @@ type ClusterSpec struct {
 type OIDCIssuerConfig struct {
 	// DiscoveryStore is the VFS path to where OIDC Issuer Discovery metadata is stored.
 	DiscoveryStore string `json:"discoveryStore,omitempty"`
+	// EnableAWSOIDCProvider will provision an AWS OIDC provider that trusts the ServiceAccount Issuer
+	EnableAWSOIDCProvider bool `json:"enableAWSOIDCProvider,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/v1alpha2/cluster.go

@@ -213,6 +213,8 @@ type ClusterSpec struct {
 type OIDCIssuerConfig struct {
 	// DiscoveryStore is the VFS path to where OIDC Issuer Discovery metadata is stored.
 	DiscoveryStore string `json:"discoveryStore,omitempty"`
+	// EnableAWSOIDCProvider will provision an AWS OIDC provider that trusts the ServiceAccount Issuer
+	EnableAWSOIDCProvider bool `json:"enableAWSOIDCProvider,omitempty"`
 }
 
 // NodeAuthorizationSpec is used to node authorization

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -5844,6 +5844,7 @@ func Convert_kops_NodeTerminationHandlerConfig_To_v1alpha2_NodeTerminationHandle
 
 func autoConvert_v1alpha2_OIDCIssuerConfig_To_kops_OIDCIssuerConfig(in *OIDCIssuerConfig, out *kops.OIDCIssuerConfig, s conversion.Scope) error {
 	out.DiscoveryStore = in.DiscoveryStore
+	out.EnableAWSOIDCProvider = in.EnableAWSOIDCProvider
 	return nil
 }
 
@@ -5854,6 +5855,7 @@ func Convert_v1alpha2_OIDCIssuerConfig_To_kops_OIDCIssuerConfig(in *OIDCIssuerCo
 
 func autoConvert_kops_OIDCIssuerConfig_To_v1alpha2_OIDCIssuerConfig(in *kops.OIDCIssuerConfig, out *OIDCIssuerConfig, s conversion.Scope) error {
 	out.DiscoveryStore = in.DiscoveryStore
+	out.EnableAWSOIDCProvider = in.EnableAWSOIDCProvider
 	return nil
 }
 

pkg/model/awsmodel/oidc_provider.go

@@ -17,7 +17,6 @@ limitations under the License.
 package awsmodel
 
 import (
-	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/iam"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awstasks"
@@ -38,7 +37,8 @@ const (
 
 func (b *OIDCProviderBuilder) Build(c *fi.ModelBuilderContext) error {
 
-	if !featureflag.PublicJWKS.Enabled() {
+	if b.Cluster.Spec.ServiceAccountIssuerDiscovery == nil ||
+		!b.Cluster.Spec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider {
 		return nil
 	}
 

tests/integration/update_cluster/aws-lb-controller/in-v1alpha2.yaml

@@ -34,6 +34,7 @@ spec:
   nonMasqueradeCIDR: 100.64.0.0/10
   serviceAccountIssuerDiscovery:
     discoveryStore: memfs://discovery.example.com/minimal.example.com
+    enableAWSOIDCProvider: true
   sshAccess:
     - 0.0.0.0/0
   topology:

tests/integration/update_cluster/public-jwks/in-v1alpha2.yaml

@@ -30,6 +30,7 @@ spec:
   nonMasqueradeCIDR: 100.64.0.0/10
   serviceAccountIssuerDiscovery:
     discoveryStore: memfs://discovery.example.com/minimal.example.com
+    enableAWSOIDCProvider: true
   sshAccess:
     - 0.0.0.0/0
   topology: