Remove global check for number of k8sSA provisioners.

This was causing a bug in the reload of the ca.
This commit is contained in:
Mariano Cano 2019-11-08 17:43:54 -08:00 committed by max furman
parent 5788ac3f4f
commit cf592fa0e1
2 changed files with 11 additions and 6 deletions

View file

@ -81,6 +81,17 @@ func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
return errors.New("authority.provisioners cannot be empty")
}
// Check that only one K8sSA is enabled
var k8sCount int
for _, p := range c.Provisioners {
if p.GetType() == provisioner.TypeK8sSA {
k8sCount++
}
}
if k8sCount > 1 {
return errors.New("cannot have more than one kubernetes service account provisioner")
}
if c.Template == nil {
c.Template = &x509util.ASN1DN{}
}

View file

@ -25,9 +25,6 @@ const (
k8sSAIssuer = "kubernetes/serviceaccount"
)
// This number must <= 1. We'll verify this in Init() below.
var numK8sSAProvisioners = 0
// jwtPayload extends jwt.Claims with step attributes.
type k8sSAPayload struct {
jose.Claims
@ -85,8 +82,6 @@ func (p *K8sSA) Init(config Config) (err error) {
return errors.New("provisioner type cannot be empty")
case p.Name == "":
return errors.New("provisioner name cannot be empty")
case numK8sSAProvisioners >= 1:
return errors.New("cannot have more than one kubernetes service account provisioner")
}
if p.PubKeys != nil {
@ -134,7 +129,6 @@ func (p *K8sSA) Init(config Config) (err error) {
}
p.audiences = config.Audiences
numK8sSAProvisioners++
return err
}