Relax external signer path validation to allow relative paths

liggitt · liggitt · commit 48054afd6ac0 · 2025-04-30T13:41:22.000-04:00
diff --git a/pkg/controlplane/apiserver/options/validation.go b/pkg/controlplane/apiserver/options/validation.go
@@ -94,7 +94,7 @@ func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error
 	return err
 }
 
-var pathOrSocket = regexp.MustCompile(`(^(/[^/ ]*)+/?$)|(^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$)`)
+var abstractSocketRegex = regexp.MustCompile(`^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$`)
 
 func validateServiceAccountTokenSigningConfig(options *Options) []error {
 	if len(options.ServiceAccountSigningEndpoint) == 0 {
@@ -109,9 +109,9 @@ func validateServiceAccountTokenSigningConfig(options *Options) []error {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ExternalServiceAccountTokenSigner) {
 		errors = append(errors, fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"))
 	}
-	// Check if ServiceAccountSigningEndpoint is a linux file path or an abstract socket name.
-	if !pathOrSocket.MatchString(options.ServiceAccountSigningEndpoint) {
-		errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace", options.ServiceAccountSigningEndpoint))
+	// Ensure ServiceAccountSigningEndpoint is a valid abstract socket name if prefixed with '@'.
+	if strings.HasPrefix(options.ServiceAccountSigningEndpoint, "@") && !abstractSocketRegex.MatchString(options.ServiceAccountSigningEndpoint) {
+		errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name", options.ServiceAccountSigningEndpoint))
 	}
 
 	return errors
diff --git a/pkg/controlplane/apiserver/options/validation_test.go b/pkg/controlplane/apiserver/options/validation_test.go
@@ -303,11 +303,9 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
 			},
 		},
 		{
-			name:           "invalid external signer endpoint provided - 1",
+			name:           "relative external signer endpoint provided",
 			featureEnabled: true,
-			expectedErrors: []error{
-				fmt.Errorf("invalid value \"abc\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
-			},
+			expectedErrors: []error{},
 			options: &Options{
 				ServiceAccountSigningEndpoint: "abc",
 			},
@@ -316,7 +314,7 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
 			name:           "invalid external signer endpoint provided - 2",
 			featureEnabled: true,
 			expectedErrors: []error{
-				fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
+				fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
 			},
 			options: &Options{
 				ServiceAccountSigningEndpoint: "@abc@",
@@ -326,32 +324,12 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
 			name:           "invalid external signer endpoint provided - 3",
 			featureEnabled: true,
 			expectedErrors: []error{
-				fmt.Errorf("invalid value \"@abc.abc  .ae\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
+				fmt.Errorf("invalid value \"@abc.abc  .ae\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
 			},
 			options: &Options{
 				ServiceAccountSigningEndpoint: "@abc.abc  .ae",
 			},
 		},
-		{
-			name:           "invalid external signer endpoint provided - 4",
-			featureEnabled: true,
-			expectedErrors: []error{
-				fmt.Errorf("invalid value \"/@e_adnb/xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
-			},
-			options: &Options{
-				ServiceAccountSigningEndpoint: "/@e_adnb/xyz /efg",
-			},
-		},
-		{
-			name:           "invalid external signer endpoint provided - 5",
-			featureEnabled: true,
-			expectedErrors: []error{
-				fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
-			},
-			options: &Options{
-				ServiceAccountSigningEndpoint: "/e /xyz /efg",
-			},
-		},
 		{
 			name:           "valid external signer endpoint provided - 1",
 			featureEnabled: true,
@@ -382,10 +360,10 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
 			expectedErrors: []error{
 				fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
 				fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"),
-				fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
+				fmt.Errorf("invalid value \"@a@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
 			},
 			options: &Options{
-				ServiceAccountSigningEndpoint: "/e /xyz /efg",
+				ServiceAccountSigningEndpoint: "@a@",
 				ServiceAccountSigningKeyFile:  "/abc/efg",
 				Authentication: &kubeoptions.BuiltInAuthenticationOptions{
 					ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error`
`94`	`94`	`return err`
`95`	`95`	`}`
`96`	`96`
`97`		-var pathOrSocket = regexp.MustCompile(`(^(/[^/ ])+/?$)\|(^@([a-zA-Z0-9_-]+\.)[a-zA-Z0-9_-]+$)`)
	`97`	+var abstractSocketRegex = regexp.MustCompile(`^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$`)
`98`	`98`
`99`	`99`	`func validateServiceAccountTokenSigningConfig(options *Options) []error {`
`100`	`100`	`if len(options.ServiceAccountSigningEndpoint) == 0 {`
`@@ -109,9 +109,9 @@ func validateServiceAccountTokenSigningConfig(options *Options) []error {`
`109`	`109`	`if !utilfeature.DefaultFeatureGate.Enabled(features.ExternalServiceAccountTokenSigner) {`
`110`	`110`	errors = append(errors, fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"))
`111`	`111`	`}`
`112`		`- // Check if ServiceAccountSigningEndpoint is a linux file path or an abstract socket name.`
`113`		`- if !pathOrSocket.MatchString(options.ServiceAccountSigningEndpoint) {`
`114`		- errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace", options.ServiceAccountSigningEndpoint))
	`112`	`+ // Ensure ServiceAccountSigningEndpoint is a valid abstract socket name if prefixed with '@'.`
	`113`	`+ if strings.HasPrefix(options.ServiceAccountSigningEndpoint, "@") && !abstractSocketRegex.MatchString(options.ServiceAccountSigningEndpoint) {`
	`114`	+ errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name", options.ServiceAccountSigningEndpoint))
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`return errors`