Add slash ended urls for service-account-issuer-discovery to match API in swagger (#117511)

* Add slash ended urls for service-account-issuer-discovery to match API in swagger

* update the comment for adding slash-ended URLs

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

---------

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -514,12 +514,15 @@ func ClusterRoles() []rbacv1.ClusterRole {
 	}...)
 
 	// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
+	// Also allow slash-ended URLs to allow clients generated from published openapi docs prior to fixing the trailing slash to work properly
 	roles = append(roles, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
 		Rules: []rbacv1.PolicyRule{
 			rbacv1helpers.NewRule("get").URLs(
 				"/.well-known/openid-configuration",
+				"/.well-known/openid-configuration/",
 				"/openid/v1/jwks",
+				"/openid/v1/jwks/",
 			).RuleOrDie(),
 		},
 	})

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -1265,7 +1265,9 @@ items:
   rules:
   - nonResourceURLs:
     - /.well-known/openid-configuration
+    - /.well-known/openid-configuration/
     - /openid/v1/jwks
+    - /openid/v1/jwks/
     verbs:
     - get
 - apiVersion: rbac.authorization.k8s.io/v1