Fix JWKS path for volume projection

pkg/model/components/discovery.go

@@ -17,11 +17,10 @@ limitations under the License.
 package components
 
 import (
-	"strings"
-
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/iam"
+	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/loader"
 )
 
@@ -55,20 +54,8 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 		kubeAPIServer.ServiceAccountIssuer = &serviceAccountIssuer
 	}
 
-	// We set apiserver ServiceAccountKey and ServiceAccountSigningKeyFile in nodeup
-
-	if useJWKS {
-		if kubeAPIServer.FeatureGates == nil {
-			kubeAPIServer.FeatureGates = make(map[string]string)
-		}
-		kubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
-
-		if kubeAPIServer.ServiceAccountJWKSURI == nil {
-			jwksURL := *kubeAPIServer.ServiceAccountIssuer
-			jwksURL = strings.TrimSuffix(jwksURL, "/") + "/openid/v1/jwks"
-
-			kubeAPIServer.ServiceAccountJWKSURI = &jwksURL
-		}
+	if kubeAPIServer.ServiceAccountJWKSURI == nil {
+		kubeAPIServer.ServiceAccountJWKSURI = fi.String(iam.ServiceAccountIssuer(b.ClusterName, clusterSpec) + "/openid/v1/jwks")
 	}
 
 	return nil

tests/integration/update_cluster/bastionadditional_user-data/data/aws_launch_template_master-us-test-1a.masters.bastionuserdata.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.bastionuserdata.example.com
+  serviceAccountJWKSURI: https://api.bastionuserdata.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml

@@ -221,6 +221,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom.Properties.
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.complex.example.com
+    serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     serviceNodePortRange: 28000-32767
     storageBackend: etcd3

tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data

@@ -220,6 +220,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.complex.example.com
+  serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/compress/data/aws_launch_template_master-us-test-1a.masters.compress.example.com_user_data

@@ -144,7 +144,7 @@ function download-release() {
 echo "== nodeup node config starting =="
 ensure-install-dir
 
-echo "H4sIAAAAAAAA/+xWX48bNRB/z6ewiqq+9Hazd0eBVSsRcoWLuCshKQUJVcixJxsrXns7tvcuiA+Pxt4km9yFAn2ERErW88/z5zczK7QNcmzNUlXlgLGaG17B3FvkFYw1dw5cyTwGGAhrPFcGcBaMVzWUbEeRe6YkKyLa+6EFRCWhZH8MGGOsBXTKGvaKnQ8i4ddGh0oZ9z4d94TsibLZ3mRWYSOytsgEqic74b8n3qP3NP+xboYpaHdg5N+boQfx/sAUYx3zN79pgL1iRyZJI2vPnwyOtD7Jhcw2XlkqATv6zDfOQy3HFdrQsFcJA4xpW91AC7pkyiztYFfVkhXZZXYxkFasAQkEbq2aiXGea90hCIzATbyvAxwzQesBeCHHOjgP6EgRWjA+PvWsX2SXWXEREarM47x1WMBoOpkDtskDrrW9m6JqlYYKZLmNgRtrNrUNbhT8qmRLrl0kN2oUpAIjIN5+xsgiGvDgMteKTMKSB+2TaLpmbIPxJSuIFvzKovqdU4C3lnA/0nd840bkxoCxhTJyJCWCcyUbZvFLzUIdOEXbKglYMn7nKAeGLzSMZK0cxThNJU5eveE1uIYLuFFLEBuhIZJvVK38jJsKMJ7JQSVgJAT5GElTypjzYPw7q0MNN3wBOnKuUmj9xu/T31oNGAObg7BGJuZt8NwrU+3c/BkWK2vXkfmOayVPs99YCTNwHpUgs5E2A2cDCvgxWM8pCV7IlOYu8pX3TZnnxfkXMXtFeTkcFoeC26HTaeQJTJ89pnk+YEzVvIKSrb90WSUwUzanmp/xRrkEo7bIzlOdiKHBTxGWgAjbUr7dNNvLJsYDGq4n03i8ts4bXqfqvL7v8fZNRD4gfAjg/Aq4BIxgARlrnKzyqkKouLd4LPv63iO/jo/klbrfqvxyNoPaejiLEmfHet9RSye9Y4XIOpb/yZHrNTyuQlxqdxABYWrRl+zy8iJS+gCcOBcI31QJV+Y5b1QmbN1QDjO453WjgQh7xW4mTKYR1CUrhsPsxSXVL4+TwCWwfsPFGowsIwrSFBhb49FqDXgb99luGgjugZA3nlzN3H4eeM/F6grod0b4FkrDfGPEFFBZWbKiHrpTnSqSl2QxufjVi+RisWdSNWldPhptWpYBYUzmZzZ4WrnboXQCoGIX4VndhbhHqk7o0BBbKw3LHq18OMsJhsHB4cgYI0gwXnG9TRVdPUV7vyk/GngTZglCkUdxrrp22L8WPPua37lnp4Ns4lW9uHr+ksBcrEAGncp7wobbyXxafrruL0+vDxE35RUqGhvMpfW5o8+s9SXLP4KiqzfzHs6LYY9j4+LbHjPCst4tiitYhKpSprrmRmrq0W0M0KYBe81RlqyG2uIm4y1XmvReFsPhrXpurISlOyA/3RIV/btvEeDl50+fxyw/EN1SD2T/uuSUz4T8Kacs5i3HXKtF3iU63ws8QKoBf2dxnZZi11tGEcOaW+4+BECeevxwaFA6GytvuVFLcL67GLzI94s+rzuuG9ScMv39/4X/rxWe1l9F70nYTRiKd1vvPwEAAP//AQAA//9CyzWBMQ0AAA==" | base64 -d | gzip -d > conf/cluster_spec.yaml
+echo "H4sIAAAAAAAA/+xWbW/bthN/709B9I+ibxrJSvLvNqEF5jnd4jXpPLsPA4ZioMmzzJki1SOpxMM+/HCkbMtOsm7ry80GbPGeeA+/u5PQNsixNUtVlQPGam54BXNvkVcw1tw5cCXzGGAgrPFcGcBZMF7VULIdRe6ZkqyIaO+HFhCVhJL9PmCMsRbQKWvYC3Y6iISfGx0qZdyHdNwTskfKZnuTWYWNyNoiE6ge7YT/mniP3tP827oZpqDdgZF/boYexIcDU4x1zF/8pgH2gh2ZJI2sPX00ONL6LBcy23hlqQTs6DPfOA+1HFdoQ8NeJAwwpm11BS3okimztINdVUtWZOfZ2UBasQYkELi1aibGea51hyAwAjfxvg5wzAStB+CFHOvgPKAjRWjB+PjUs36WnWfFWUSoMvfz1mEBo+lkDtgmD7jW9maKqlUaKpDlNgZurNnUNrhR8KuSLbl2kdyoUZAKjIB4+wkji2jAg8tcKzIJSx60T6LpmrENxpesIFrwK4vqN04BXlvC/Ujf8I0bkRsDxhbKyJGUCM6VbJjFLzULdeAUbaskYMn4jaMcGL7QMJK1chTjNJU4efWa1+AaLuBKLUFshIZIvlK18jNuKsB4JgeVgJEQ5GMkTSljzoPx76wONVzxBejIuUih9Ru/T39jNWAMbA7CGpmY18Fzr0y1c/M9LFbWriPzHddKPsx+bSXMwHlUgsxG2gycDSjgx2A9pyR4IVOau8hX3jdlnhenX8TsFeX5cFgcCm6HTqeRJzD97z7N0wFjquYVlGz9pcsqgZmyOdX8hDfKJRi1RXaa6kQMDX6KsARE2JbyzabZXjYxHtBwPZnG46V13vA6VeflbY+3byLyAeFjAOdXwCVgBAvIWONklVcVQsW9xWPZl7ce+WV8JK/U7Vblp5MZ1NbDSZQ4Odb7jlo66R0rRNax/FtHrtdwvwpxqd1BBISpRV+y8/OzSOkDcOJcIHxTJVyZ57xRmbB1QznM4JbXjQYi3FH8/v2r+dvZ5NOauW3AKJm3Rf7rzdrtDXXDZTKN3VGyYjjMnp0TEPI4UlxC/TdcrMHIMsIpjZOxNR6t1oDXcTHuxorgHgjC48nFzO0Hi/dcrC6AfmfUKEJpmG+MmAIqK0tW1EP3UMuL5CVZTC5+9Sy5WOyZBAvau/emLW3dgDAm8zMbPO3u7XR7AOliF+FJ3YW4h7xOMNMQezRN3R6tvLsUCM/BweHsGSNIMF5xvU0VXT1Fe7spPxl4E2YJi5FHca66vtq/Xzz5mt+4Jw8H2cSrenH1/CWBuViBDDqV9wEbbifzefnpxkj58B4SceVeoKL5w1zawzv6zFpfsvwTKLp4Pe/hvBj2ODZu0O0xIyzr3ca5gEWoKmWqS26kpmbfxgBtmtSXHGXJaqgtbjLecqVJ73kxHF6rp8ZKWLoD8uMtUdG/+xYBnv//8dOY5TuiW+qB7J+XnPKZkD/llMW85Zhrtci7ROd7gTtINeBvLK7Tdu16yyhiWHPN3ccAyFOPHw4NSmdj5TU3agnOdxeDF/n+jSGvO64b1Jwy/eq/wv/bCk97tKIXLuwmDMW7rfcfAAAA//8BAAD//5CIzc16DQAA" | base64 -d | gzip -d > conf/cluster_spec.yaml
 
 echo "H4sIAAAAAAAA/6qu5QIAAAD//wEAAP//BrCh3QMAAAA=" | base64 -d | gzip -d > conf/ig_spec.yaml
 

tests/integration/update_cluster/containerd-custom/cloudformation.json.extracted.yaml

@@ -225,6 +225,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.containerd.example.com
+    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/containerd/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.containerd.example.com
+    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/docker-custom/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersdockerexamplecom.Properties.L
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.docker.example.com
+    serviceAccountJWKSURI: https://api.docker.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1a.masters.existing-iam.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1b.masters.existing-iam.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1c.masters.existing-iam.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1a.masters.existingsg.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1b.masters.existingsg.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1c.masters.existingsg.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externallb/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersexternallbexamplecom.Properti
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.externallb.example.com
+    serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/externallb/data/aws_launch_template_master-us-test-1a.masters.externallb.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.externallb.example.com
+  serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externalpolicies/data/aws_launch_template_master-us-test-1a.masters.externalpolicies.example.com_user_data

@@ -207,6 +207,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.externalpolicies.example.com
+  serviceAccountJWKSURI: https://api.externalpolicies.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1a.masters.ha.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1b.masters.ha.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1c.masters.ha.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-a-ha-gce-example-com_metadata_startup-script

@@ -208,6 +208,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-b-ha-gce-example-com_metadata_startup-script

@@ -208,6 +208,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-c-ha-gce-example-com_metadata_startup-script

@@ -208,6 +208,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1amasterslaunchtemplatese
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -545,6 +546,7 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1bmasterslaunchtemplatese
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -883,6 +885,7 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1cmasterslaunchtemplatese
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1a.masters.launchtemplates.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1b.masters.launchtemplates.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1c.masters.launchtemplates.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal-cloudformation/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/minimal-gp3/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/minimal-gp3/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.minimal.example.com
+  serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.minimal.example.com
+  serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script

@@ -208,6 +208,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.minimal-gce.example.com
+  serviceAccountJWKSURI: https://api.minimal-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -545,6 +546,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1bmastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -883,6 +885,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1cmastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1a.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1b.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1c.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/cloudformation.json.extracted.yaml

@@ -207,6 +207,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -545,6 +546,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1bmastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -883,6 +885,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1cmastersmixedinstancesexamplecom.Prop
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1a.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1b.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1c.masters.mixedinstances.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/private-shared-ip/cloudformation.json.extracted.yaml

@@ -208,6 +208,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatesharedipexamplecom.Pro
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.private-shared-ip.example.com
+    serviceAccountJWKSURI: https://api.private-shared-ip.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/private-shared-ip/data/aws_launch_template_master-us-test-1a.masters.private-shared-ip.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.private-shared-ip.example.com
+  serviceAccountJWKSURI: https://api.private-shared-ip.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/private-shared-subnet/data/aws_launch_template_master-us-test-1a.masters.private-shared-subnet.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.private-shared-subnet.example.com
+  serviceAccountJWKSURI: https://api.private-shared-subnet.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml

@@ -208,6 +208,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.privatecalico.example.com
+    serviceAccountJWKSURI: https://api.privatecalico.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatecalico.example.com
+  serviceAccountJWKSURI: https://api.privatecalico.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatecanal.example.com
+  serviceAccountJWKSURI: https://api.privatecanal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecilium/cloudformation.json.extracted.yaml

@@ -208,6 +208,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom.Prope
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.privatecilium.example.com
+    serviceAccountJWKSURI: https://api.privatecilium.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privatecilium/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatecilium.example.com
+  serviceAccountJWKSURI: https://api.privatecilium.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateciliumadvanced/cloudformation.json.extracted.yaml

@@ -210,6 +210,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumadvancedexamplec
     - X-Remote-User
     securePort: 443
     serviceAccountIssuer: https://api.privateciliumadvanced.example.com
+    serviceAccountJWKSURI: https://api.privateciliumadvanced.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privateciliumadvanced/data/aws_launch_template_master-us-test-1a.masters.privateciliumadvanced.example.com_user_data

@@ -208,6 +208,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privateciliumadvanced.example.com
+  serviceAccountJWKSURI: https://api.privateciliumadvanced.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatedns1/data/aws_launch_template_master-us-test-1a.masters.privatedns1.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatedns1.example.com
+  serviceAccountJWKSURI: https://api.privatedns1.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatedns2/data/aws_launch_template_master-us-test-1a.masters.privatedns2.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatedns2.example.com
+  serviceAccountJWKSURI: https://api.privatedns2.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privateflannel.example.com
+  serviceAccountJWKSURI: https://api.privateflannel.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatekopeio/data/aws_launch_template_master-us-test-1a.masters.privatekopeio.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privatekopeio.example.com
+  serviceAccountJWKSURI: https://api.privatekopeio.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateweave/data/aws_launch_template_master-us-test-1a.masters.privateweave.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.privateweave.example.com
+  serviceAccountJWKSURI: https://api.privateweave.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/public-jwks/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -190,8 +190,6 @@ kubeAPIServer:
   - http://127.0.0.1:4001
   etcdServersOverrides:
   - /events#http://127.0.0.1:4002
-  featureGates:
-    ServiceAccountIssuerDiscovery: "true"
   image: k8s.gcr.io/kube-apiserver:v1.20.0
   kubeletPreferredAddressTypes:
   - InternalIP

tests/integration/update_cluster/shared_subnet/data/aws_launch_template_master-us-test-1a.masters.sharedsubnet.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.sharedsubnet.example.com
+  serviceAccountJWKSURI: https://api.sharedsubnet.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/shared_vpc/data/aws_launch_template_master-us-test-1a.masters.sharedvpc.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.sharedvpc.example.com
+  serviceAccountJWKSURI: https://api.sharedvpc.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/unmanaged/data/aws_launch_template_master-us-test-1a.masters.unmanaged.example.com_user_data

@@ -206,6 +206,7 @@ kubeAPIServer:
   - X-Remote-User
   securePort: 443
   serviceAccountIssuer: https://api.unmanaged.example.com
+  serviceAccountJWKSURI: https://api.unmanaged.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager: