Remove global check for number of k8sSA provisioners.

This was causing a bug when reloading the CA.
Mariano Cano 2019-11-08 17:43:54 -08:00
parent e679deddd7
commit 69a7058ff0
2 changed files with 11 additions and 6 deletions


@ -81,6 +81,17 @@ func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
return errors.New("authority.provisioners cannot be empty") return errors.New("authority.provisioners cannot be empty")
} }
// Check that only one K8sSA is enabled
var k8sCount int
for _, p := range c.Provisioners {
if p.GetType() == provisioner.TypeK8sSA {
k8sCount++
}
}
if k8sCount > 1 {
return errors.New("cannot have more than one kubernetes service account provisioner")
}
if c.Template == nil { if c.Template == nil {
c.Template = &x509util.ASN1DN{} c.Template = &x509util.ASN1DN{}
} }
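Review bot: With the counter removed from `K8sSA.Init`, the loop added here in `Validate` becomes the only place the one-K8sSA limit is enforced, so any path that initialises provisioners without going through `AuthConfig.Validate` would accept a second one without complaint. The comment should record that and the reason for the limit, for example `// Only one K8sSA provisioner is allowed. Enforced here rather than in K8sSA.Init so that a CA reload counts from zero.`, plus a line on why duplicates are unsafe; presumably tokens sharing the fixed `k8sSAIssuer` cannot be mapped to a specific provisioner, which is worth confirming. The loop also calls `p.GetType()` on every entry, and if `c.Provisioners` can hold a nil element (not visible in this hunk) that would panic instead of returning a validation error; `if p != nil && p.GetType() == provisioner.TypeK8sSA {` would guard it. A `Validate` test case with two K8sSA entries would pin the error now that `Init` no longer returns it. `Validate`'s body starts and ends outside the hunk.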


@ -25,9 +25,6 @@ const (
k8sSAIssuer = "kubernetes/serviceaccount" k8sSAIssuer = "kubernetes/serviceaccount"
) )
// This number must <= 1. We'll verify this in Init() below.
var numK8sSAProvisioners = 0
// jwtPayload extends jwt.Claims with step attributes. // jwtPayload extends jwt.Claims with step attributes.
type k8sSAPayload struct { type k8sSAPayload struct {
jose.Claims jose.Claims
@ -85,8 +82,6 @@ func (p *K8sSA) Init(config Config) (err error) {
return errors.New("provisioner type cannot be empty") return errors.New("provisioner type cannot be empty")
case p.Name == "": case p.Name == "":
return errors.New("provisioner name cannot be empty") return errors.New("provisioner name cannot be empty")
case numK8sSAProvisioners >= 1:
return errors.New("cannot have more than one kubernetes service account provisioner")
} }
if p.PubKeys != nil { if p.PubKeys != nil {
@ -134,7 +129,6 @@ func (p *K8sSA) Init(config Config) (err error) {
} }
p.audiences = config.Audiences p.audiences = config.Audiences
numK8sSAProvisioners++
return err return err
} }