feat: add extraArgs from service-account-issuer

shanduur · shanduur · commit d1954278a1ba · 2026-01-16T11:21:00.000+01:00
In API Server, passing extra args with `service-account-issuer` will add them to default value. Fixes #11694 Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
diff --git a/hack/release.toml b/hack/release.toml
@@ -136,6 +136,12 @@ Several Talos configuration fields that previously accepted single string values
 This includes fields such as `.cluster.apiServer.extraArgs`.
 
 BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from `map<string,string>` to `map<string,message>`.
+"""
+
+    [notes.serviceAccountIssuer]
+    title = "Service Account Issuer configuration"
+    description = """\
+In API Server, passing extra args with `service-account-issuer` will prepend them before default value.
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go b/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go
@@ -429,6 +429,7 @@ func (ctrl *ControlPlaneStaticPodController) manageAPIServer(ctx context.Context
 		"etcd-keyfile":                     argsbuilder.MergeDenied,
 		"kubelet-client-certificate":       argsbuilder.MergeDenied,
 		"kubelet-client-key":               argsbuilder.MergeDenied,
+		"service-account-issuer":           argsbuilder.MergePrepend,
 		"service-account-key-file":         argsbuilder.MergeDenied,
 		"service-account-signing-key-file": argsbuilder.MergeDenied,
 		"tls-cert-file":                    argsbuilder.MergeDenied,
diff --git a/pkg/argsbuilder/argsbuilder_args.go b/pkg/argsbuilder/argsbuilder_args.go
@@ -53,6 +53,18 @@ func (a Args) Merge(args Args, setters ...MergeOption) error {
 		case MergeOverwrite:
 			a[key] = slices.Clone(val)
 
+		case MergeAppend:
+			existing := make([]string, 0, len(val)+len(a[key]))
+			existing = append(existing, a[key]...)
+			existing = append(existing, val...)
+			a[key] = existing
+
+		case MergePrepend:
+			existing := make([]string, 0, len(val)+len(a[key]))
+			existing = append(existing, val...)
+			existing = append(existing, a[key]...)
+			a[key] = existing
+
 		case MergeAdditive:
 			// 1. Join the existing []string slice into one string so we can Split it.
 			//    This handles cases where a[key] might be ["a", "b"] or ["a,b"].
diff --git a/pkg/argsbuilder/argsbuilder_interface.go b/pkg/argsbuilder/argsbuilder_interface.go
@@ -14,6 +14,10 @@ const (
 	MergeAdditive
 	// MergeDenied fail merge if another object has the arg defined.
 	MergeDenied
+	// MergePrepend prepends new values before existing ones.
+	MergePrepend
+	// MergeAppend appends new values after existing ones.
+	MergeAppend
 )
 
 // MergePolicies merge policy map.
diff --git a/pkg/argsbuilder/argsbuilder_test.go b/pkg/argsbuilder/argsbuilder_test.go
@@ -23,9 +23,10 @@ func (suite *ArgsbuilderSuite) TestMergeAdditive() {
 	}
 
 	suite.Require().NoError(
-		args.Merge(argsbuilder.Args{
-			"param": {"value2, value10"},
-		},
+		args.Merge(
+			argsbuilder.Args{
+				"param": {"value2, value10"},
+			},
 			argsbuilder.WithMergePolicies(argsbuilder.MergePolicies{
 				"param": argsbuilder.MergeAdditive,
 			}),
@@ -73,6 +74,72 @@ func (suite *ArgsbuilderSuite) TestMergeOverwrite() {
 	suite.Assert().Equal([]string{"--param=value10", "--param=value11"}, args.Args())
 }
 
+//nolint:dupl
+func (suite *ArgsbuilderSuite) TestMergePrepend() {
+	args := argsbuilder.Args{
+		"param": {"value1"},
+	}
+
+	suite.Require().NoError(
+		args.Merge(argsbuilder.Args{
+			"param": {"value2", "value3"},
+		},
+			argsbuilder.WithMergePolicies(argsbuilder.MergePolicies{
+				"param": argsbuilder.MergePrepend,
+			}),
+		),
+	)
+
+	suite.Require().Equal([]string{"value2", "value3", "value1"}, args["param"])
+	suite.Assert().Equal([]string{"--param=value2", "--param=value3", "--param=value1"}, args.Args())
+
+	suite.Require().NoError(
+		args.Merge(argsbuilder.Args{
+			"param": {"value4"},
+		},
+			argsbuilder.WithMergePolicies(argsbuilder.MergePolicies{
+				"param": argsbuilder.MergePrepend,
+			}),
+		),
+	)
+
+	suite.Require().Equal([]string{"value4", "value2", "value3", "value1"}, args["param"])
+	suite.Assert().Equal([]string{"--param=value4", "--param=value2", "--param=value3", "--param=value1"}, args.Args())
+}
+
+//nolint:dupl
+func (suite *ArgsbuilderSuite) TestMergeAppend() {
+	args := argsbuilder.Args{
+		"param": {"value1"},
+	}
+
+	suite.Require().NoError(
+		args.Merge(argsbuilder.Args{
+			"param": {"value2", "value3"},
+		},
+			argsbuilder.WithMergePolicies(argsbuilder.MergePolicies{
+				"param": argsbuilder.MergeAppend,
+			}),
+		),
+	)
+
+	suite.Require().Equal([]string{"value1", "value2", "value3"}, args["param"])
+	suite.Assert().Equal([]string{"--param=value1", "--param=value2", "--param=value3"}, args.Args())
+
+	suite.Require().NoError(
+		args.Merge(argsbuilder.Args{
+			"param": {"value4"},
+		},
+			argsbuilder.WithMergePolicies(argsbuilder.MergePolicies{
+				"param": argsbuilder.MergeAppend,
+			}),
+		),
+	)
+
+	suite.Require().Equal([]string{"value1", "value2", "value3", "value4"}, args["param"])
+	suite.Assert().Equal([]string{"--param=value1", "--param=value2", "--param=value3", "--param=value4"}, args.Args())
+}
+
 func (suite *ArgsbuilderSuite) TestMergeDenied() {
 	args := argsbuilder.Args{
 		"param": {"value1,value2"},
