diff --git a/pkg/controlplane/apiserver/options/validation.go b/pkg/controlplane/apiserver/options/validation.go index 6670bb68d4a..2a63457799e 100644 --- a/pkg/controlplane/apiserver/options/validation.go +++ b/pkg/controlplane/apiserver/options/validation.go @@ -94,7 +94,7 @@ func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error return err } -var pathOrSocket = regexp.MustCompile(`(^(/[^/ ]*)+/?$)|(^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$)`) +var abstractSocketRegex = regexp.MustCompile(`^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$`) func validateServiceAccountTokenSigningConfig(options *Options) []error { if len(options.ServiceAccountSigningEndpoint) == 0 { @@ -109,9 +109,9 @@ func validateServiceAccountTokenSigningConfig(options *Options) []error { if !utilfeature.DefaultFeatureGate.Enabled(features.ExternalServiceAccountTokenSigner) { errors = append(errors, fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate")) } - // Check if ServiceAccountSigningEndpoint is a linux file path or an abstract socket name. - if !pathOrSocket.MatchString(options.ServiceAccountSigningEndpoint) { - errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace", options.ServiceAccountSigningEndpoint)) + // Ensure ServiceAccountSigningEndpoint is a valid abstract socket name if prefixed with '@'. + if strings.HasPrefix(options.ServiceAccountSigningEndpoint, "@") && !abstractSocketRegex.MatchString(options.ServiceAccountSigningEndpoint) { + errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name", options.ServiceAccountSigningEndpoint)) } return errors diff --git a/pkg/controlplane/apiserver/options/validation_test.go b/pkg/controlplane/apiserver/options/validation_test.go index fccb597da95..044a48630c4 100644 --- a/pkg/controlplane/apiserver/options/validation_test.go +++ b/pkg/controlplane/apiserver/options/validation_test.go @@ -303,11 +303,9 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) { }, }, { - name: "invalid external signer endpoint provided - 1", + name: "relative external signer endpoint provided", featureEnabled: true, - expectedErrors: []error{ - fmt.Errorf("invalid value \"abc\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), - }, + expectedErrors: []error{}, options: &Options{ ServiceAccountSigningEndpoint: "abc", }, @@ -316,7 +314,7 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) { name: "invalid external signer endpoint provided - 2", featureEnabled: true, expectedErrors: []error{ - fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), + fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"), }, options: &Options{ ServiceAccountSigningEndpoint: "@abc@", @@ -326,32 +324,12 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) { name: "invalid external signer endpoint provided - 3", featureEnabled: true, expectedErrors: []error{ - fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), + fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"), }, options: &Options{ ServiceAccountSigningEndpoint: "@abc.abc .ae", }, }, - { - name: "invalid external signer endpoint provided - 4", - featureEnabled: true, - expectedErrors: []error{ - fmt.Errorf("invalid value \"/@e_adnb/xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), - }, - options: &Options{ - ServiceAccountSigningEndpoint: "/@e_adnb/xyz /efg", - }, - }, - { - name: "invalid external signer endpoint provided - 5", - featureEnabled: true, - expectedErrors: []error{ - fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), - }, - options: &Options{ - ServiceAccountSigningEndpoint: "/e /xyz /efg", - }, - }, { name: "valid external signer endpoint provided - 1", featureEnabled: true, @@ -382,10 +360,10 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) { expectedErrors: []error{ fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"), fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"), - fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"), + fmt.Errorf("invalid value \"@a@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"), }, options: &Options{ - ServiceAccountSigningEndpoint: "/e /xyz /efg", + ServiceAccountSigningEndpoint: "@a@", ServiceAccountSigningKeyFile: "/abc/efg", Authentication: &kubeoptions.BuiltInAuthenticationOptions{ ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{