Allow custom service account issuer without public bucket

Ciprian Hacman 2023-01-13 09:59:12 +02:00
parent d543c9ad6f
commit 17d313e89f
1 changed files with 14 additions and 5 deletions


@ -87,13 +87,22 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
switch discoveryStore := discoveryStore.(type) {
case *vfs.S3Path:
isPublic, err := discoveryStore.IsBucketPublic(ctx)
discoveryStoreURL, err := discoveryStore.GetHTTPsUrl(b.Cluster.Spec.IsIPv6Only())
if err != nil {
return fmt.Errorf("checking if bucket was public: %w", err)
return err
}
if !isPublic {
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
publicFileACL = fi.PtrTo(true)
if discoveryStoreURL == fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer) {
// Using Amazon S3 static website hosting requires public access
isPublic, err := discoveryStore.IsBucketPublic(ctx)
if err != nil {
return fmt.Errorf("checking if bucket was public: %w", err)
}
if !isPublic {
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
publicFileACL = fi.PtrTo(true)
}
} else {
klog.Infof("using user managed serviceAccountIssuers")
}
case *vfs.MemFSPath:
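Review bot: The error from `discoveryStore.GetHTTPsUrl(...)` is returned bare (`return err`), while the `IsBucketPublic` error a few lines below is wrapped with context; for consistency and to make a failing cluster update diagnosable, wrap it as `return fmt.Errorf("getting discovery store URL: %w", err)`. The new branch decides whether to apply the public object ACL purely on exact string equality between the computed bucket URL and `spec.kubeAPIServer.serviceAccountIssuer`, so a cosmetic mismatch such as a trailing slash (if the spec is not already normalized elsewhere) would be treated as a user-managed issuer and the bucket would silently stay private; consider logging the two values in the "using user managed serviceAccountIssuers" message, e.g. `klog.Infof("using user managed serviceAccountIssuers %q (discovery store is %q)", fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer), discoveryStoreURL)`, so the decision is visible in the logs. The enclosing `Build` method starts and ends outside this hunk.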