forked from TrueCloudLab/certificates
Remove global check for number of k8sSA provisioners.
This was causing a bug in the reload of the ca.
This commit is contained in:
parent
5788ac3f4f
commit
cf592fa0e1
2 changed files with 11 additions and 6 deletions
|
@ -81,6 +81,17 @@ func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
|
|||
return errors.New("authority.provisioners cannot be empty")
|
||||
}
|
||||
|
||||
// Check that only one K8sSA is enabled
|
||||
var k8sCount int
|
||||
for _, p := range c.Provisioners {
|
||||
if p.GetType() == provisioner.TypeK8sSA {
|
||||
k8sCount++
|
||||
}
|
||||
}
|
||||
if k8sCount > 1 {
|
||||
return errors.New("cannot have more than one kubernetes service account provisioner")
|
||||
}
|
||||
|
||||
if c.Template == nil {
|
||||
c.Template = &x509util.ASN1DN{}
|
||||
}
|
||||
|
|
|
@ -25,9 +25,6 @@ const (
|
|||
k8sSAIssuer = "kubernetes/serviceaccount"
|
||||
)
|
||||
|
||||
// This number must <= 1. We'll verify this in Init() below.
|
||||
var numK8sSAProvisioners = 0
|
||||
|
||||
// jwtPayload extends jwt.Claims with step attributes.
|
||||
type k8sSAPayload struct {
|
||||
jose.Claims
|
||||
|
@ -85,8 +82,6 @@ func (p *K8sSA) Init(config Config) (err error) {
|
|||
return errors.New("provisioner type cannot be empty")
|
||||
case p.Name == "":
|
||||
return errors.New("provisioner name cannot be empty")
|
||||
case numK8sSAProvisioners >= 1:
|
||||
return errors.New("cannot have more than one kubernetes service account provisioner")
|
||||
}
|
||||
|
||||
if p.PubKeys != nil {
|
||||
|
@ -134,7 +129,6 @@ func (p *K8sSA) Init(config Config) (err error) {
|
|||
}
|
||||
|
||||
p.audiences = config.Audiences
|
||||
numK8sSAProvisioners++
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue