Commit 01a3678

fix: use append instead of prepend in service-account-issuer
Changing `.cluster.controlPlane.endpoint=$NEW` will cause old tokens to be no longer valid. We want to ensure that new tokens are issued using the `.cluster.controlPlane.endpoint=$NEW` value, but all the existing tokens (issued using `.cluster.controlPlane.endpoint=$OLD`) are still accepted.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
1 parent d195427 commit 01a3678

2 files changed, +4 -2 lines changed

hack/release.toml

Lines changed: 3 additions & 1 deletion
@@ -141,7 +141,9 @@ BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, Cont
141141
[notes.serviceAccountIssuer]
142142
title = "Service Account Issuer configuration"
143143
description = """\
144-
In API Server, passing extra args with `service-account-issuer` will prepend them before default value.
144+
In API Server, passing extra args with `service-account-issuer` will append them after default value.
145+
This allows easy migration, e.g. by changing `.cluster.controlPlane.endpoint` to new value, and keeping the old value in
146+
`.cluster.apiServer.extraArgs["service-account-issuer"]`.
145147
"""
146148

147149
[make_deps]
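
Review bot: The new description under `[notes.serviceAccountIssuer]` says extra values are appended after the default but never states which issuer signs new tokens. kube-apiserver signs with the first `--service-account-issuer` value and accepts tokens from every listed one, so the note should say explicitly that the default derived from `.cluster.controlPlane.endpoint` is the signing issuer and the `extraArgs` values are accepted for validation only. Because the removed line documented prepend, a cluster that relied on its `extraArgs` value being the signing issuer changes behaviour on upgrade, and that deserves a sentence here as well. Minor wording: "to new value" should read "to a new value".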

internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go

Lines changed: 1 addition & 1 deletion
@@ -429,7 +429,7 @@ func (ctrl *ControlPlaneStaticPodController) manageAPIServer(ctx context.Context
429429
"etcd-keyfile": argsbuilder.MergeDenied,
430430
"kubelet-client-certificate": argsbuilder.MergeDenied,
431431
"kubelet-client-key": argsbuilder.MergeDenied,
432-
"service-account-issuer": argsbuilder.MergePrepend,
432+
"service-account-issuer": argsbuilder.MergeAppend,
433433
"service-account-key-file": argsbuilder.MergeDenied,
434434
"service-account-signing-key-file": argsbuilder.MergeDenied,
435435
"tls-cert-file": argsbuilder.MergeDenied,
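
Review bot: The switch to `argsbuilder.MergeAppend` on the `service-account-issuer` entry ships without a test, since the only other file in this commit is `hack/release.toml`, and ordering is the whole behaviour being fixed. Add a controller test case that sets `extraArgs["service-account-issuer"]` and asserts that the default issuer comes first with the extra value after it, so a later change back to `MergePrepend` fails the suite. A short comment on this map entry explaining that the first issuer is the one used for signing would also help, because it is the only key among the visible entries that is not `MergeDenied`.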
