From 056c19e8b3971919d012be5b3f8aa2402c544a7c Mon Sep 17 00:00:00 2001
From: Hao Ruan
Date: Tue, 18 Jul 2023 16:11:08 +0800
Subject: [PATCH] Add slash ended urls for service-account-issuer-discovery to match API in swagger (#117511)
* Add slash ended urls for service-account-issuer-discovery to match API in swagger
* update the comment for adding slash-ended URLs
Co-authored-by: Jordan Liggitt
---------
Co-authored-by: Jordan Liggitt
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 3 +++
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 5b1b7cb6a60..2e0dbdbaddf 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -514,12 +514,15 @@ func ClusterRoles() []rbacv1.ClusterRole {
 }...)
 // Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
+ // Also allow slash-ended URLs to allow clients generated from published openapi docs prior to fixing the trailing slash to work properly
 roles = append(roles, rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("get").URLs(
 "/.well-known/openid-configuration",
+ "/.well-known/openid-configuration/",
 "/openid/v1/jwks",
+ "/openid/v1/jwks/",
 ).RuleOrDie(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index d5509e42da3..205e3b91e9c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
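Review bot: The comment added in policy.go above the `system:service-account-issuer-discovery` role does not say why the two slash-ended paths are spelled out one by one, so a later reader may be tempted to collapse the four entries into a wildcard. RBAC nonResourceURLs match a path exactly unless the entry ends in `*`, so listing `"/.well-known/openid-configuration/"` and `"/openid/v1/jwks/"` explicitly is what keeps this default grant limited to the two discovery documents. I would add one more comment line, for example `// NonResourceURLs match exactly; list the slash-ended forms explicitly instead of widening the rule with a wildcard.` Which subjects are bound to this role is not visible here, and ClusterRoles() starts and ends outside the hunk.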
@@ -1265,7 +1265,9 @@ items:
 rules:
 - nonResourceURLs:
 - /.well-known/openid-configuration
+ - /.well-known/openid-configuration/
 - /openid/v1/jwks
+ - /openid/v1/jwks/
 verbs:
 - get
 - apiVersion: rbac.authorization.k8s.io/v1