Merge pull request #98586 from mtaufen/said-conform

Promote ServiceAccountIssuerDiscovery test to conformance

test/conformance/testdata/conformance.yaml

@@ -1351,6 +1351,13 @@
     resource must support get, update, patch.'
   release: v1.19
   file: test/e2e/auth/certificates.go
+- testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
+  codename: '[sig-auth] ServiceAccounts ServiceAccountIssuerDiscovery should support
+    OIDC discovery of service account issuer [Conformance]'
+  description: Ensure kube-apiserver serves correct OIDC discovery endpoints by deploying
+    a Pod that verifies its own token against these endpoints.
+  release: v1.21
+  file: test/e2e/auth/service_accounts.go
 - testname: Service account tokens auto mount optionally
   codename: '[sig-auth] ServiceAccounts should allow opting out of API token automount  [Conformance]'
   description: Ensure that Service Account keys are mounted into the Pod only when

test/e2e/auth/service_accounts.go

@@ -673,7 +673,15 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 		}
 	})
 
-	ginkgo.It("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() {
+	/*
+	   Release: v1.21
+	   Testname: OIDC Discovery (ServiceAccountIssuerDiscovery)
+	   Description: Ensure kube-apiserver serves correct OIDC discovery
+	   endpoints by deploying a Pod that verifies its own
+	   token against these endpoints.
+	*/
+	framework.ConformanceIt("ServiceAccountIssuerDiscovery should support OIDC discovery of service account issuer", func() {
+
 		// Allow the test pod access to the OIDC discovery non-resource URLs.
 		// The role should have already been automatically created as part of the
 		// RBAC bootstrap policy, but not the role binding. If RBAC is disabled,