Fix irsa for k8s < 1.20

2022-02-09 08:52:06 +01:00 · 2022-02-09 08:52:06 +01:00 · 74e9a6cd18
parent 7f9bf4ecab
commit 74e9a6cd18
2 changed files with 37 additions and 20 deletions
--- a/pkg/apis/kops/validation/legacy.go
+++ b/pkg/apis/kops/validation/legacy.go
@ -375,28 +375,39 @@ func ValidateCluster(c *kops.Cluster, strict bool) field.ErrorList {
 	}

 	said := c.Spec.ServiceAccountIssuerDiscovery
-	if said != nil && said.DiscoveryStore != "" {
+	if said != nil {
 		saidStore := said.DiscoveryStore
-		saidStoreField := fieldSpec.Child("serviceAccountIssuerDiscovery", "discoveryStore")
-		base, err := vfs.Context.BuildVfsPath(saidStore)
-		if err != nil {
-			allErrs = append(allErrs, field.Invalid(saidStoreField, saidStore, "not a valid VFS path"))
-		} else {
-			switch base := base.(type) {
-			case *vfs.S3Path:
-				// OK
-			case *vfs.MemFSPath:
-				// memfs is ok for tests; not OK otherwise
-				if !base.IsClusterReadable() {
-					// (If this _is_ a test, we should call MarkClusterReadable)
+		if saidStore != "" {
+			saidStoreField := fieldSpec.Child("serviceAccountIssuerDiscovery", "discoveryStore")
+			base, err := vfs.Context.BuildVfsPath(saidStore)
+			if err != nil {
+				allErrs = append(allErrs, field.Invalid(saidStoreField, saidStore, "not a valid VFS path"))
+			} else {
+				switch base := base.(type) {
+				case *vfs.S3Path:
+					// OK
+				case *vfs.MemFSPath:
+					// memfs is ok for tests; not OK otherwise
+					if !base.IsClusterReadable() {
+						// (If this _is_ a test, we should call MarkClusterReadable)
+						allErrs = append(allErrs, field.Invalid(saidStoreField, saidStore, "S3 is the only supported VFS for discoveryStore"))
+					}
+				default:
 					allErrs = append(allErrs, field.Invalid(saidStoreField, saidStore, "S3 is the only supported VFS for discoveryStore"))
 				}
-			default:
-				allErrs = append(allErrs, field.Invalid(saidStoreField, saidStore, "S3 is the only supported VFS for discoveryStore"))
 			}
 		}
-	}
+		if said.EnableAWSOIDCProvider {
+			enableOIDCField := fieldSpec.Child("serviceAccountIssuerDiscovery", "enableAWSOIDCProvider")
+			if c.IsKubernetesLT("1.18") {
+				allErrs = append(allErrs, field.Forbidden(enableOIDCField, "AWS OIDC Provider requires kubernetes 1.18 or greates"))
+			}
+			if saidStore == "" {
+				allErrs = append(allErrs, field.Forbidden(enableOIDCField, "AWS OIDC Provider requires a discovery store"))
+			}
+		}

+	}
 	return allErrs
 }

--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@ -177,11 +177,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 		}
 	}

-	if clusterSpec.CloudConfig != nil && clusterSpec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(clusterSpec.CloudConfig.AWSEBSCSIDriver.Enabled) {
+	if c.FeatureGates == nil {
+		c.FeatureGates = make(map[string]string)
+	}

-		if c.FeatureGates == nil {
-			c.FeatureGates = make(map[string]string)
-		}
+	if clusterSpec.CloudConfig != nil && clusterSpec.CloudConfig.AWSEBSCSIDriver != nil && fi.BoolValue(clusterSpec.CloudConfig.AWSEBSCSIDriver.Enabled) {

 		if b.IsKubernetesLT("1.21.0") {
 			if _, found := c.FeatureGates["CSIMigrationAWSComplete"]; !found {
@ -198,6 +198,12 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 		}
 	}

+	if b.IsKubernetesLT("1.20") && clusterSpec.ServiceAccountIssuerDiscovery != nil && fi.BoolValue(&clusterSpec.ServiceAccountIssuerDiscovery.EnableAWSOIDCProvider) {
+		if _, found := c.FeatureGates["ServiceAccountIssuerDiscovery"]; !found {
+			c.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
+		}
+	}
+
 	return nil
 }