Use consistent ServiceAccountJWKSURI default for PublicJWKS

2021-05-06 00:15:15 -07:00 · 2021-05-06 00:15:15 -07:00 · d21cb0f306
parent a79da8ee86
commit d21cb0f306
2 changed files with 3 additions and 10 deletions
--- a/pkg/model/components/discovery.go
+++ b/pkg/model/components/discovery.go
@ -17,8 +17,6 @@ limitations under the License.
 package components

 import (
-	"strings"
-
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/iam"
@ -64,14 +62,9 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 			kubeAPIServer.FeatureGates = make(map[string]string)
 		}
 		kubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
+	}

-		if kubeAPIServer.ServiceAccountJWKSURI == nil {
-			jwksURL := *kubeAPIServer.ServiceAccountIssuer
-			jwksURL = strings.TrimSuffix(jwksURL, "/") + "/keys.json"
-
-			kubeAPIServer.ServiceAccountJWKSURI = &jwksURL
-		}
-	} else if kubeAPIServer.ServiceAccountJWKSURI == nil {
+	if kubeAPIServer.ServiceAccountJWKSURI == nil {
 		jwksURI, err := iam.ServiceAccountIssuer(clusterSpec)
 		if err != nil {
 			return err
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -208,7 +208,7 @@ kubeAPIServer:
  - X-Remote-User
  securePort: 443
  serviceAccountIssuer: https://discovery.example.com/minimal.example.com/oidc
-  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/keys.json
+  serviceAccountJWKSURI: https://discovery.example.com/minimal.example.com/oidc/openid/v1/jwks
  serviceClusterIPRange: 100.64.0.0/13
  storageBackend: etcd3
 kubeControllerManager: