From 1b590f5111c57fd52e5ffbcbd5abddf49aa7efc3 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Sat, 17 Dec 2022 10:01:02 -0800
Subject: [PATCH] Simplify

---
 docs/releases/1.26-NOTES.md | 2 ++
 pkg/model/issuerdiscovery.go | 7 +++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/releases/1.26-NOTES.md b/docs/releases/1.26-NOTES.md
index 637b50145e..594d38e273 100644
--- a/docs/releases/1.26-NOTES.md
+++ b/docs/releases/1.26-NOTES.md
@@ -33,6 +33,8 @@ with "control-plane-". The names of groups for existing clusters are unchanged.
 
 * Node Termination Handler, when in Queue-Processor mode, no longer drains on rebalance recommendations unless configured to do so.
 
+* When an S3 bucket for Service Account Issuer Discovery (IRSA) is public, kOps no longer sets object-level ACLs on the files placed therein.
+
 ## GCP
 
 * The default instance type is now `e2-medium` for control-plane and worker nodes, and `e2-micro` for bastions.
diff --git a/pkg/model/issuerdiscovery.go b/pkg/model/issuerdiscovery.go
index 88afcd63c2..9644874137 100644
--- a/pkg/model/issuerdiscovery.go
+++ b/pkg/model/issuerdiscovery.go
@@ -77,7 +77,7 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.ModelBuilderContext) error {
 return err
 }
 
-publicFileACL := fi.PtrTo(true)
+var publicFileACL *bool
 
 discoveryStorePath := b.Cluster.Spec.ServiceAccountIssuerDiscovery.DiscoveryStore
 discoveryStore, err := vfs.Context.BuildVfsPath(discoveryStorePath)
@@ -92,9 +92,8 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.ModelBuilderContext) error {
 return fmt.Errorf("checking if bucket was public: %w", err)
 }
 if !isPublic {
-klog.Infof("serviceAccountIssuers bucket %q is not public, will use object ACL", discoveryStore.Bucket())
-} else {
-publicFileACL = nil
+klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
+publicFileACL = fi.PtrTo(true)
 }
 case *vfs.MemFSPath:
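Review bot: The new default `var publicFileACL *bool` in the first hunk of pkg/model/issuerdiscovery.go changes what every branch that does not set the variable explicitly passes on — the `*vfs.MemFSPath` case at the end of the second hunk, and any other case in that switch, previously received `true` and now receives nil — which is wider than the S3-only behaviour the release note describes. If the ACL value is only consumed for S3 paths this is harmless, but neither the commit title nor the code says so, and the variable's name reads as the opposite of the condition that sets it. A comment at the declaration would pin the intent, e.g. `// nil means no object ACL is set; only non-public S3 buckets need one on each discovery file`. The log line could likewise name the consequence rather than the mechanism, presumably a public-read object ACL, so an operator reading the output understands what is being made readable. `Build` starts before the first hunk and continues past the second.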