mirror of https://github.com/kubernetes/kops.git
Allow custom service account issuer without public bucket
parent
d543c9ad6f
commit
17d313e89f
|
@ -87,6 +87,12 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
|
||||||
|
|
||||||
switch discoveryStore := discoveryStore.(type) {
|
switch discoveryStore := discoveryStore.(type) {
|
||||||
case *vfs.S3Path:
|
case *vfs.S3Path:
|
||||||
|
discoveryStoreURL, err := discoveryStore.GetHTTPsUrl(b.Cluster.Spec.IsIPv6Only())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if discoveryStoreURL == fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer) {
|
||||||
|
// Using Amazon S3 static website hosting requires public access
|
||||||
isPublic, err := discoveryStore.IsBucketPublic(ctx)
|
isPublic, err := discoveryStore.IsBucketPublic(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("checking if bucket was public: %w", err)
|
return fmt.Errorf("checking if bucket was public: %w", err)
|
||||||
|
@ -95,6 +101,9 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
|
||||||
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
|
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
|
||||||
publicFileACL = fi.PtrTo(true)
|
publicFileACL = fi.PtrTo(true)
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
klog.Infof("using user managed serviceAccountIssuers")
|
||||||
|
}
|
||||||
|
|
||||||
case *vfs.MemFSPath:
|
case *vfs.MemFSPath:
|
||||||
// ok
|
// ok
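Review bot: The exact string comparison `discoveryStoreURL == fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer)` now decides whether the bucket public-access check and the object-ACL fallback run at all. Any mismatch, such as a trailing slash, a different S3 URL form, or an unset issuer (which presumably compares as the empty string), silently takes the new `else` branch. That branch leaves only a value-free Info line, so a misconfiguration that makes the discovery documents unreadable is hard to spot or audit. Log both sides there, e.g. `klog.Infof("serviceAccountIssuer %q differs from discovery store URL %q; not managing public access", fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer), discoveryStoreURL)`. Nothing in these hunks checks that a user-managed issuer actually serves the discovery document and JWKS written to the store; if that is validated elsewhere, a short comment in the `else` branch should say where. `Build` starts and ends outside the hunks shown.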
|
||||||
|
|