kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14991 from hakman/custom_service-account-issuer_url 

Allow custom service account issuer without public bucket
This commit is contained in:
Kubernetes Prow Robot 2023-08-31 07:28:48 -07:00 committed by GitHub
parent d543c9ad6f 17d313e89f
commit 54ab9eab0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
pkg/model/issuerdiscovery.go
View File

@ -87,13 +87,22 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
switch discoveryStore := discoveryStore.(type) {
case *vfs.S3Path:
isPublic, err := discoveryStore.IsBucketPublic(ctx)
discoveryStoreURL, err := discoveryStore.GetHTTPsUrl(b.Cluster.Spec.IsIPv6Only())
if err != nil {
return fmt.Errorf("checking if bucket was public: %w", err)
return err
}
if !isPublic {
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
publicFileACL = fi.PtrTo(true)
if discoveryStoreURL == fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer) {
// Using Amazon S3 static website hosting requires public access
isPublic, err := discoveryStore.IsBucketPublic(ctx)
if err != nil {
return fmt.Errorf("checking if bucket was public: %w", err)
}
if !isPublic {
klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
publicFileACL = fi.PtrTo(true)
}
} else {
klog.Infof("using user managed serviceAccountIssuers")
}
case *vfs.MemFSPath: