add validation for single client id

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

staging/src/k8s.io/apiserver/pkg/authentication/config/validation/validation.go

@@ -82,6 +82,10 @@ func validateJWTAuthenticator(authenticator api.JWTAuthenticator, fldPath *field
 
 	if len(authenticator.Issuer.ClientIDs) == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("issuer", "clientIDs"), fmt.Sprintf(atLeastOneRequiredErrFmt, fldPath.Child("issuer", "clientIDs"))))
+	} else if len(authenticator.Issuer.ClientIDs) > 1 {
+		// This restriction is only for the parity with the current implementation using --oidc-client-id flag.
+		// We will relax this restriction in the follow up as we add support for multiple clientIDs.
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("issuer", "clientIDs"), "only one clientID is allowed"))
 	}
 
 	return allErrs

staging/src/k8s.io/apiserver/pkg/authentication/config/validation/validation_test.go

@@ -135,6 +135,18 @@ func TestValidateJWTAuthenticator(t *testing.T) {
 				field.Required(jwtField.Child("issuer", "clientIDs"), fmt.Sprintf(atLeastOneRequiredErrFmt, jwtField.Child("issuer", "clientIDs"))),
 			},
 		},
+		{
+			name: "more than one client id",
+			in: api.JWTAuthenticator{
+				Issuer: api.Issuer{
+					URL:       "https://issuer-url",
+					ClientIDs: []string{"client-id", "another-client-id"},
+				},
+			},
+			want: field.ErrorList{
+				field.Forbidden(jwtField.Child("issuer", "clientIDs"), "only one clientID is allowed"),
+			},
+		},
 		{
 			name: "valid jwt authenticator",
 			in: api.JWTAuthenticator{