Disable the ServiceAccountIssuerDiscovery feature-gate.

We're not setting `--service-account-issuer` to an https URL, which causes an
error message at startup when the feature gate is enabled. From the
docs on that flag:

> If this option is not a valid URI per the OpenID Discovery 1.0 spec, the
> ServiceAccountIssuerDiscovery feature will remain disabled, even if the
> feature gate is set to true. It is highly recommended that this value
> comply with the OpenID spec:
> https://openid.net/specs/openid-connect-discovery-1_0.html. In practice,
> this means that service-account-issuer must be an https URL. It is also
> highly recommended that this URL be capable of serving OpenID discovery
> documents at {service-account-issuer}/.well-known/openid-configuration.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Brad Davidson 2020-12-03 14:19:09 -08:00 committed by Brad Davidson
parent 63f2211b31
commit c5aad1b5ed
1 changed files with 1 additions and 0 deletions

@ -220,6 +220,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
argsMap["enable-admission-plugins"] = "NodeRestriction"
argsMap["anonymous-auth"] = "false"
argsMap["profiling"] = "false"
argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"
if cfg.EncryptSecrets {
argsMap["encryption-provider-config"] = runtime.EncryptionConfig
}
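
Review bot: The added line puts the gate name inside the map key, `argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"`, while every neighbouring entry uses the bare flag name as the key and the flag's value as the value. Whether this produces the intended `--feature-gates=ServiceAccountIssuerDiscovery=false` depends on how argsMap is serialized, which is not visible in this hunk, and with this key any other code that sets `argsMap["feature-gates"]` would not collide with or override the entry, so the API server could receive two separate feature-gates arguments. Consider `argsMap["feature-gates"] = "ServiceAccountIssuerDiscovery=false"` so the entry follows the same convention as the rest of the map. A one-line comment noting that the gate is disabled because `--service-account-issuer` is not set to an https URL would also help, since the reason is recorded only in the commit message.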