append AdditionalServiceAccountIssuers flags

2024-04-29 13:28:17 +03:00 · 2024-04-29 13:28:17 +03:00 · a35c4f3c52
parent 496b7f5ea0
commit a35c4f3c52
6 changed files with 10 additions and 66 deletions
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@ -678,7 +678,9 @@ func (b *KubeAPIServerBuilder) buildPod(ctx context.Context, kubeAPIServer *kops
 			"/usr/local/bin/kube-apiserver",
 		}
 		container.Args = append(container.Args, sortedStrings(flags)...)
-		container.Args = sortServiceAccountIssuers(container.Args, fi.ValueOf(kubeAPIServer.ServiceAccountIssuer), kubeAPIServer.AdditionalServiceAccountIssuers)
+		for _, issuer := range kubeAPIServer.AdditionalServiceAccountIssuers {
+			container.Args = append(container.Args, "--service-account-issuer="+issuer)
+		}
 	}

 	for _, path := range b.SSLHostPaths() {
@ -756,26 +758,3 @@ func (b *KubeAPIServerBuilder) buildAnnotations() map[string]string {

 	return annotations
 }
-
-func sortServiceAccountIssuers(in []string, currentIssuer string, oldIssuers []string) []string {
-	if len(oldIssuers) == 0 {
-		return in
-	}
-
-	positionMap := make(map[int]string)
-	positionMap[0] = fmt.Sprintf("--service-account-issuer=%s", currentIssuer)
-	for k, v := range oldIssuers {
-		positionMap[k+1] = fmt.Sprintf("--service-account-issuer=%s", v)
-	}
-
-	out := make([]string, 0, len(in))
-	issuerPosition := 0
-	for _, flag := range in {
-		if strings.HasPrefix(flag, "--service-account-issuer=") {
-			flag = positionMap[issuerPosition]
-			issuerPosition++
-		}
-		out = append(out, flag)
-	}
-	return out
-}
--- a/nodeup/pkg/model/kube_apiserver_test.go
+++ b/nodeup/pkg/model/kube_apiserver_test.go
@ -19,7 +19,6 @@ package model
 import (
 	"testing"

-	"github.com/stretchr/testify/assert"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/upup/pkg/fi"
@ -198,37 +197,3 @@ func TestKubeAPIServerBuilderARM64(t *testing.T) {
 		return builder.Build(target)
 	})
 }
-
-func TestSortServiceAccountIssuers(t *testing.T) {
-	type testCase struct {
-		name          string
-		flags         []string
-		currentIssuer string
-		oldIssuers    []string
-		expected      []string
-	}
-
-	testCases := []testCase{
-		{
-			name:          "flags without old issuers",
-			flags:         []string{"--bar=foo", "--service-account-issuer=https://foo"},
-			currentIssuer: "https://foo",
-			oldIssuers:    nil,
-			expected:      []string{"--bar=foo", "--service-account-issuer=https://foo"},
-		},
-		{
-			name:          "flags without with old issuers",
-			flags:         []string{"--bar=foo", "--service-account-issuer=https://aa", "--service-account-issuer=https://bar", "--service-account-issuer=https://foo", "--zz=zz"},
-			currentIssuer: "https://foo",
-			oldIssuers:    []string{"https://aa", "https://bar"},
-			expected:      []string{"--bar=foo", "--service-account-issuer=https://foo", "--service-account-issuer=https://aa", "--service-account-issuer=https://bar", "--zz=zz"},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			actual := sortServiceAccountIssuers(tc.flags, tc.currentIssuer, tc.oldIssuers)
-			assert.Equal(t, tc.expected, actual)
-		})
-	}
-}
--- a/nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
@ -53,10 +53,6 @@ contents: |
      - --requestheader-username-headers=X-Remote-User
      - --secure-port=443
      - --service-account-issuer=https://huh.com/multisaissuer.example.com
-      - --service-account-issuer=https://foobar.com
-      - --service-account-issuer=https://aaa.com
-      - --service-account-issuer=https://hello.com
-      - --service-account-issuer=https://dorld.com
      - --service-account-jwks-uri=https://huh.com/multisaissuer.example.com/openid/v1/jwks
      - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
      - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
@ -65,6 +61,10 @@ contents: |
      - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
      - --tls-private-key-file=/srv/kubernetes/kube-apiserver/server.key
      - --v=2
+      - --service-account-issuer=https://foobar.com
+      - --service-account-issuer=https://aaa.com
+      - --service-account-issuer=https://hello.com
+      - --service-account-issuer=https://dorld.com
      command:
      - /go-runner
      image: registry.k8s.io/kube-apiserver:v1.28.0
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@ -501,7 +501,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`

 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`

 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@ -508,7 +508,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`

 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`

 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`
--- a/pkg/apis/kops/v1alpha3/componentconfig.go
+++ b/pkg/apis/kops/v1alpha3/componentconfig.go
@ -499,7 +499,7 @@ type KubeAPIServerConfig struct {
 	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty" flag:"service-account-issuer"`

 	// AdditionalServiceAccountIssuers can contain additional service account token issuers.
-	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty" flag:"service-account-issuer,repeat"`
+	AdditionalServiceAccountIssuers []string `json:"additionalServiceAccountIssuers,omitempty"`

 	// ServiceAccountJWKSURI overrides the path for the jwks document; this is useful when we are republishing the service account discovery information elsewhere.
 	ServiceAccountJWKSURI *string `json:"serviceAccountJWKSURI,omitempty" flag:"service-account-jwks-uri"`