From e7508cc9733ab937f5d2914e3cc48a1be107f016 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers <jgmyers@proofpoint.com>
Date: Fri, 4 Dec 2020 09:03:03 -0800
Subject: [PATCH] Use custom-configured ServiceAccountIssuer when present

---
 pkg/model/iam/subject.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/model/iam/subject.go b/pkg/model/iam/subject.go
index 6c050cce88..d8e8d51a1a 100644
--- a/pkg/model/iam/subject.go
+++ b/pkg/model/iam/subject.go
@@ -82,6 +82,9 @@ func BuildNodeRoleSubject(igRole kops.InstanceGroupRole) (Subject, error) {
 
 // ServiceAccountIssuer determines the issuer in the ServiceAccount JWTs
 func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) string {
+	if clusterSpec.KubeAPIServer != nil && clusterSpec.KubeAPIServer.ServiceAccountIssuer != nil {
+		return *clusterSpec.KubeAPIServer.ServiceAccountIssuer
+	}
 	return "https://api." + clusterName
 }