Remove global check for number of k8sSA provisioners.

This was causing a bug in the reload of the ca.
5 years ago · 69a7058ff0
parent e679deddd7
commit 69a7058ff0
2 changed files with 11 additions and 6 deletions
--- a/authority/config.go
+++ b/authority/config.go
@ -81,6 +81,17 @@ func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
 		return errors.New("authority.provisioners cannot be empty")
 	}

+	// Check that only one K8sSA is enabled
+	var k8sCount int
+	for _, p := range c.Provisioners {
+		if p.GetType() == provisioner.TypeK8sSA {
+			k8sCount++
+		}
+	}
+	if k8sCount > 1 {
+		return errors.New("cannot have more than one kubernetes service account provisioner")
+	}
+
 	if c.Template == nil {
 		c.Template = &x509util.ASN1DN{}
 	}
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -25,9 +25,6 @@ const (
 	k8sSAIssuer = "kubernetes/serviceaccount"
 )

-// This number must <= 1. We'll verify this in Init() below.
-var numK8sSAProvisioners = 0
-
 // jwtPayload extends jwt.Claims with step attributes.
 type k8sSAPayload struct {
 	jose.Claims
@ -85,8 +82,6 @@ func (p *K8sSA) Init(config Config) (err error) {
 		return errors.New("provisioner type cannot be empty")
 	case p.Name == "":
 		return errors.New("provisioner name cannot be empty")
-	case numK8sSAProvisioners >= 1:
-		return errors.New("cannot have more than one kubernetes service account provisioner")
 	}

 	if p.PubKeys != nil {
@ -134,7 +129,6 @@ func (p *K8sSA) Init(config Config) (err error) {
 	}

 	p.audiences = config.Audiences
-	numK8sSAProvisioners++
 	return err
 }