Make ExternalServiceAccountTokenSigner GA

Harshal Neelkamal 2026-01-08 23:35:09 +00:00
parent bc9c9f79ad
commit 754c108b96
4 changed files with 12 additions and 31 deletions


@ -28,7 +28,6 @@ import (
utilfeature "k8s.io/apiserver/pkg/util/feature"
basecompatibility "k8s.io/component-base/compatibility"
basemetrics "k8s.io/component-base/metrics"
"k8s.io/kubernetes/pkg/features"
peerreconcilers "k8s.io/apiserver/pkg/reconcilers"
featuregatetesting "k8s.io/component-base/featuregate/testing"
@ -241,13 +240,11 @@ func TestValidateOptions(t *testing.T) {
func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
tests := []struct {
name string
featureEnabled bool
options *Options
expectedErrors []error
}{
{
name: "Signing keys file provided while external signer endpoint is provided",
featureEnabled: true,
name: "Signing keys file provided while external signer endpoint is provided",
expectedErrors: []error{
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
},
@ -257,8 +254,7 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
},
{
name: "Verification keys file provided while external signer endpoint is provided",
featureEnabled: true,
name: "Verification keys file provided while external signer endpoint is provided",
expectedErrors: []error{
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
},
@ -275,8 +271,7 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
},
{
name: "Verification key and signing key file provided while external signer endpoint is provided",
featureEnabled: true,
name: "Verification key and signing key file provided while external signer endpoint is provided",
expectedErrors: []error{
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
},
@ -293,27 +288,15 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
},
},
{
name: "feature disabled and external signer endpoint is provided",
featureEnabled: false,
expectedErrors: []error{
fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"),
},
options: &Options{
ServiceAccountSigningEndpoint: "@ebc.eng.hij",
},
},
{
name: "relative external signer endpoint provided",
featureEnabled: true,
expectedErrors: []error{},
options: &Options{
ServiceAccountSigningEndpoint: "abc",
},
},
{
name: "invalid external signer endpoint provided - 2",
featureEnabled: true,
name: "invalid external signer endpoint provided - 2",
expectedErrors: []error{
fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
@ -322,8 +305,7 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
},
{
name: "invalid external signer endpoint provided - 3",
featureEnabled: true,
name: "invalid external signer endpoint provided - 3",
expectedErrors: []error{
fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
@ -333,7 +315,6 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
{
name: "valid external signer endpoint provided - 1",
featureEnabled: true,
expectedErrors: []error{},
options: &Options{
ServiceAccountSigningEndpoint: "/e/an_b-d/efg",
@ -341,7 +322,6 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
{
name: "valid external signer endpoint provided - 2",
featureEnabled: true,
expectedErrors: []error{},
options: &Options{
ServiceAccountSigningEndpoint: "@ebc.sock",
@ -349,18 +329,15 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
},
{
name: "valid external signer endpoint provided - 3",
featureEnabled: true,
expectedErrors: []error{},
options: &Options{
ServiceAccountSigningEndpoint: "@ebc.eng.hij",
},
},
{
name: "All errors at once",
featureEnabled: false,
name: "All errors at once",
expectedErrors: []error{
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"),
fmt.Errorf("invalid value \"@a@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
},
options: &Options{
@ -388,7 +365,6 @@ func TestValidateServiceAccountTokenSigningConfig(t *testing.T) {
}
}
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ExternalServiceAccountTokenSigner, test.featureEnabled)
errs := validateServiceAccountTokenSigningConfig(test.options)
if !reflect.DeepEqual(errs, test.expectedErrors) {
t.Errorf("Expected errors message: %v \n but got: %v", test.expectedErrors, errs)
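Review bot: Dropping the "feature disabled and external signer endpoint is provided" case, together with the `SetFeatureGateDuringTest` call in the loop, leaves the gate-off rejection of `--service-account-signing-endpoint` without any coverage. validateServiceAccountTokenSigningConfig is not among the files shown here, so it presumably still checks the gate, and that branch stays reachable when the apiserver emulates a version older than 1.36, where the gate is still Beta and can be turned off. Consider keeping that one case and running it under an emulated 1.35 with `featuregatetesting.SetFeatureGateEmulationVersionDuringTest` before disabling the gate, so a regression that accepts an external signer endpoint on the emulated path is caught. The test function starts and ends outside these hunks, so whether the remaining `utilfeature` and `featuregatetesting` imports are still used cannot be confirmed from here.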


@ -1284,6 +1284,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
ExternalServiceAccountTokenSigner: {
{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
{Version: version.MustParse("1.36"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
},
GangScheduling: {
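Review bot: The new GA entry for ExternalServiceAccountTokenSigner sets `LockToDefault: true` but carries no marker for when the gate and its remaining `Enabled(...)` call sites can be deleted. A trailing comment on that line, for example `// GA and locked in 1.36; remove once 1.35 can no longer be emulated`, would tell the next maintainer why a locked gate is still listed. From 1.36 the gate can no longer be used to refuse an external token signer endpoint, so any deployment guidance that relied on disabling it should be updated alongside this change. The map literal continues outside the hunk.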


@ -71,7 +71,7 @@
| EnvFiles | :ballot_box_with_check: 1.35+ | | 1.34 | 1.35 | | | | [code](https://cs.k8s.io/?q=%5CbEnvFiles%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbEnvFiles%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| EventedPLEG | | | 1.26 | | | | | [code](https://cs.k8s.io/?q=%5CbEventedPLEG%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbEventedPLEG%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| ExecProbeTimeout | :ballot_box_with_check: 1.20+ | :closed_lock_with_key: 1.35+ | | | 1.20 | | | [code](https://cs.k8s.io/?q=%5CbExecProbeTimeout%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbExecProbeTimeout%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| ExternalServiceAccountTokenSigner | :ballot_box_with_check: 1.34+ | | 1.321.33 | 1.34 | | | | [code](https://cs.k8s.io/?q=%5CbExternalServiceAccountTokenSigner%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbExternalServiceAccountTokenSigner%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| ExternalServiceAccountTokenSigner | :ballot_box_with_check: 1.34+ | :closed_lock_with_key: 1.36+ | 1.321.33 | 1.341.35 | 1.36 | | | [code](https://cs.k8s.io/?q=%5CbExternalServiceAccountTokenSigner%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbExternalServiceAccountTokenSigner%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| GangScheduling | | | 1.35 | | | | GenericWorkload | [code](https://cs.k8s.io/?q=%5CbGangScheduling%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbGangScheduling%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| GenericWorkload | | | 1.35 | | | | | [code](https://cs.k8s.io/?q=%5CbGenericWorkload%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbGenericWorkload%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| GitRepoVolumeDriver | :ballot_box_with_check: 1.0+ | | | | 1.01.32 | 1.33 | | [code](https://cs.k8s.io/?q=%5CbGitRepoVolumeDriver%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbGitRepoVolumeDriver%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |


@ -599,6 +599,10 @@
lockToDefault: false
preRelease: Beta
version: "1.34"
- default: true
lockToDefault: true
preRelease: GA
version: "1.36"
- name: GangScheduling
versionedSpecs:
- default: false