Relax external signer path validation to allow relative paths

This commit is contained in:
Jordan Liggitt
2025-04-28 08:11:43 -04:00
parent 3a8af5a174
commit 48054afd6a
2 changed files with 10 additions and 32 deletions

View File

@@ -94,7 +94,7 @@ func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error
return err
}
var pathOrSocket = regexp.MustCompile(`(^(/[^/ ]*)+/?$)|(^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$)`)
var abstractSocketRegex = regexp.MustCompile(`^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$`)
func validateServiceAccountTokenSigningConfig(options *Options) []error {
if len(options.ServiceAccountSigningEndpoint) == 0 {
@@ -109,9 +109,9 @@ func validateServiceAccountTokenSigningConfig(options *Options) []error {
if !utilfeature.DefaultFeatureGate.Enabled(features.ExternalServiceAccountTokenSigner) {
errors = append(errors, fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"))
}
// Check if ServiceAccountSigningEndpoint is a linux file path or an abstract socket name.
if !pathOrSocket.MatchString(options.ServiceAccountSigningEndpoint) {
errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace", options.ServiceAccountSigningEndpoint))
// Ensure ServiceAccountSigningEndpoint is a valid abstract socket name if prefixed with '@'.
if strings.HasPrefix(options.ServiceAccountSigningEndpoint, "@") && !abstractSocketRegex.MatchString(options.ServiceAccountSigningEndpoint) {
errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name", options.ServiceAccountSigningEndpoint))
}
return errors

View File

@@ -303,11 +303,9 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
},
},
{
name: "invalid external signer endpoint provided - 1",
name: "relative external signer endpoint provided",
featureEnabled: true,
expectedErrors: []error{
fmt.Errorf("invalid value \"abc\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
},
expectedErrors: []error{},
options: &Options{
ServiceAccountSigningEndpoint: "abc",
},
@@ -316,7 +314,7 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
name: "invalid external signer endpoint provided - 2",
featureEnabled: true,
expectedErrors: []error{
fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
options: &Options{
ServiceAccountSigningEndpoint: "@abc@",
@@ -326,32 +324,12 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
name: "invalid external signer endpoint provided - 3",
featureEnabled: true,
expectedErrors: []error{
fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
options: &Options{
ServiceAccountSigningEndpoint: "@abc.abc .ae",
},
},
{
name: "invalid external signer endpoint provided - 4",
featureEnabled: true,
expectedErrors: []error{
fmt.Errorf("invalid value \"/@e_adnb/xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
},
options: &Options{
ServiceAccountSigningEndpoint: "/@e_adnb/xyz /efg",
},
},
{
name: "invalid external signer endpoint provided - 5",
featureEnabled: true,
expectedErrors: []error{
fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
},
options: &Options{
ServiceAccountSigningEndpoint: "/e /xyz /efg",
},
},
{
name: "valid external signer endpoint provided - 1",
featureEnabled: true,
@@ -382,10 +360,10 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
expectedErrors: []error{
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"),
fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
fmt.Errorf("invalid value \"@a@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
options: &Options{
ServiceAccountSigningEndpoint: "/e /xyz /efg",
ServiceAccountSigningEndpoint: "@a@",
ServiceAccountSigningKeyFile: "/abc/efg",
Authentication: &kubeoptions.BuiltInAuthenticationOptions{
ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{