Graduate ServiceAccountIssuerDiscovery to GA

Waiting on KEP updates first:
https://github.com/kubernetes/enhancements/pull/2363
Michael Taufen
2021-01-28 17:03:34 -08:00
parent f384925847
commit 6aa80d9172
7 changed files with 68 additions and 85 deletions


@@ -213,18 +213,14 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
allErrors = append(allErrors, errors.New("service-account-key-file is a required flag"))
}
if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
// Validate the JWKS URI when it is explicitly set.
// When unset, it is later derived from ExternalHost.
if o.ServiceAccounts.JWKSURI != "" {
if u, err := url.Parse(o.ServiceAccounts.JWKSURI); err != nil {
allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri must be a valid URL: %v", err))
} else if u.Scheme != "https" {
allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String()))
}
// Validate the JWKS URI when it is explicitly set.
// When unset, it is later derived from ExternalHost.
if o.ServiceAccounts.JWKSURI != "" {
if u, err := url.Parse(o.ServiceAccounts.JWKSURI); err != nil {
allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri must be a valid URL: %v", err))
} else if u.Scheme != "https" {
allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String()))
}
} else if len(o.ServiceAccounts.JWKSURI) > 0 {
allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri may only be set when the ServiceAccountIssuerDiscovery feature gate is enabled"))
}
}
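Review bot: The now-unconditional JWKS URI check still validates only the scheme (`else if u.Scheme != "https"`), and `url.Parse` accepts inputs such as `https:` or `https:///openid/v1/jwks` that have the https scheme but no host. Because this value appears to be what the issuer discovery document hands to relying parties for fetching token-signing keys, a host-less URI would pass flag validation and only fail later on the client side. Consider adding a branch `} else if u.Host == "" {` that appends an error like `fmt.Errorf("service-account-jwks-uri must include a host, parsed as: %v", u.String())`. It would also be worth deciding whether userinfo, query or fragment components should be rejected here. The body of Validate starts and ends outside this hunk, so any host check performed elsewhere is not visible from here.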