mirror of https://github.com/k3s-io/k3s.git
Disable the ServiceAccountIssuerDiscovery feature-gate.
We're not setting ``--service-account-issuer` to a https URL, which causes an error message at startup when the feature gate is enabled. From the docs on that flag: > If this option is not a valid URI per the OpenID Discovery 1.0 spec, the > ServiceAccountIssuerDiscovery feature will remain disabled, even if the > feature gate is set to true. It is highly recommended that this value > comply with the OpenID spec: > https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, > this means that service-account-issuer must be an https URL. It is also > highly recommended that this URL be capable of serving OpenID discovery > documents at {service-account-issuer}/.well-known/openid-configuration. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
parent
63f2211b31
commit
c5aad1b5ed
|
@ -220,6 +220,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
|
|||
argsMap["enable-admission-plugins"] = "NodeRestriction"
|
||||
argsMap["anonymous-auth"] = "false"
|
||||
argsMap["profiling"] = "false"
|
||||
argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"
|
||||
if cfg.EncryptSecrets {
|
||||
argsMap["encryption-provider-config"] = runtime.EncryptionConfig
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue