0b3b99c096
The conformance test for ServiceAccountIssuerDiscovery is currently configured with --in-cluster-discovery, which only supports token validation against in-cluster endpoints. Many cloud providers provide their own, external endpoints for OIDC discovery, and because the iss claim in tokens will point to these endpoints, but the client in this test only trusts the Cluster CA, it will fail to connect to the external discovery endpoints when validating the token. To ensure that the conformance test at least supports scenario where both the discovery doc endpoint and JWKS endpoint are cluster-local and the scenario where both endpoints are cluster-external, this PR has the test try both and requires at least one to pass. Caveat: The test still won't support a configuration where one endpoint is cluster-local and the other is external. We don't yet have evidence that this is a configuration that is used in practice, so this initial hotfix will at least fix the conformance test for the "both external" configuration we know providers already use. Note that if one endpoint is cluster-local, and the other is cluster-external, tokens can still only be validated in-cluster, because both endpoints must be accessible to Relying Parties that validate tokens.
2 lines
5 B
Plaintext
2 lines
5 B
Plaintext
2.32
|