From 9710eb62ae7ec2aa97502b4a070f30e327b0294f Mon Sep 17 00:00:00 2001
From: Cao Shufeng <caosf.fnst@cn.fujitsu.com>
Date: Mon, 22 May 2017 18:03:28 +0800
Subject: [PATCH] validate oidc flags

This change validate oidc flags for kube-apiserver.
---
 cmd/kube-apiserver/app/options/validation.go | 3 +++
 pkg/kubeapiserver/options/authentication.go  | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/cmd/kube-apiserver/app/options/validation.go b/cmd/kube-apiserver/app/options/validation.go
index e2a47f74cbb..3a9bbbfea65 100644
--- a/cmd/kube-apiserver/app/options/validation.go
+++ b/cmd/kube-apiserver/app/options/validation.go
@@ -60,6 +60,9 @@ func (options *ServerRunOptions) Validate() []error {
 	if errs := options.SecureServing.Validate(); len(errs) > 0 {
 		errors = append(errors, errs...)
 	}
+	if errs := options.Authentication.Validate(); len(errs) > 0 {
+		errors = append(errors, errs...)
+	}
 	if errs := options.InsecureServing.Validate("insecure-port"); len(errs) > 0 {
 		errors = append(errors, errs...)
 	}
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index b8ddd3b2f57..ab24bbe0531 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -163,8 +163,14 @@ func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptio
 	return s
 }
 
+// Validate checks invalid config combination
 func (s *BuiltInAuthenticationOptions) Validate() []error {
 	allErrors := []error{}
+
+	if s.OIDC != nil && (len(s.OIDC.IssuerURL) > 0) != (len(s.OIDC.ClientID) > 0) {
+		allErrors = append(allErrors, fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together"))
+	}
+
 	return allErrors
 }