From 17d313e89f7fb59d0d093bf5f7ce6f0d33d27305 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Fri, 13 Jan 2023 09:59:12 +0200
Subject: [PATCH] Allow custom service account issuer without public bucket

---
 pkg/model/issuerdiscovery.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/pkg/model/issuerdiscovery.go b/pkg/model/issuerdiscovery.go
index e0b750a7c1e78..4a561fd23e4a1 100644
--- a/pkg/model/issuerdiscovery.go
+++ b/pkg/model/issuerdiscovery.go
@@ -87,13 +87,22 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.CloudupModelBuilderContext) er
 	switch discoveryStore := discoveryStore.(type) {
 	case *vfs.S3Path:
-		isPublic, err := discoveryStore.IsBucketPublic(ctx)
+		discoveryStoreURL, err := discoveryStore.GetHTTPsUrl(b.Cluster.Spec.IsIPv6Only())
 		if err != nil {
-			return fmt.Errorf("checking if bucket was public: %w", err)
+			return err
 		}
-		if !isPublic {
-			klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
-			publicFileACL = fi.PtrTo(true)
+		if discoveryStoreURL == fi.ValueOf(b.Cluster.Spec.KubeAPIServer.ServiceAccountIssuer) {
+			// Using Amazon S3 static website hosting requires public access
+			isPublic, err := discoveryStore.IsBucketPublic(ctx)
+			if err != nil {
+				return fmt.Errorf("checking if bucket was public: %w", err)
+			}
+			if !isPublic {
+				klog.Infof("serviceAccountIssuers bucket %q is not public; will use object ACL", discoveryStore.Bucket())
+				publicFileACL = fi.PtrTo(true)
+			}
+		} else {
+			klog.Infof("using user managed serviceAccountIssuers")
 		}
 	case *vfs.MemFSPath: