Commit c5aad1b5 authored by Brad Davidson's avatar Brad Davidson Committed by Brad Davidson

Disable the ServiceAccountIssuerDiscovery feature-gate.

We're not setting ``--service-account-issuer` to a https URL, which causes an error message at startup when the feature gate is enabled. From the docs on that flag: > If this option is not a valid URI per the OpenID Discovery 1.0 spec, the > ServiceAccountIssuerDiscovery feature will remain disabled, even if the > feature gate is set to true. It is highly recommended that this value > comply with the OpenID spec: > https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, > this means that service-account-issuer must be an https URL. It is also > highly recommended that this URL be capable of serving OpenID discovery > documents at {service-account-issuer}/.well-known/openid-configuration. Signed-off-by: 's avatarBrad Davidson <brad.davidson@rancher.com>
parent 63f2211b
...@@ -220,6 +220,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control ...@@ -220,6 +220,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
argsMap["enable-admission-plugins"] = "NodeRestriction" argsMap["enable-admission-plugins"] = "NodeRestriction"
argsMap["anonymous-auth"] = "false" argsMap["anonymous-auth"] = "false"
argsMap["profiling"] = "false" argsMap["profiling"] = "false"
argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"
if cfg.EncryptSecrets { if cfg.EncryptSecrets {
argsMap["encryption-provider-config"] = runtime.EncryptionConfig argsMap["encryption-provider-config"] = runtime.EncryptionConfig
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment