Commit c5aad1b5 authored by Brad Davidson, committed by Brad Davidson

Disable the ServiceAccountIssuerDiscovery feature-gate.

We're not setting `--service-account-issuer` to a https URL, which causes an
error message at startup when the feature gate is enabled. From the
docs on that flag:

> If this option is not a valid URI per the OpenID Discovery 1.0 spec, the
> ServiceAccountIssuerDiscovery feature will remain disabled, even if the
> feature gate is set to true. It is highly recommended that this value
> comply with the OpenID spec:
> https://openid.net/specs/openid-connect-discovery-1_0.html. In practice,
> this means that service-account-issuer must be an https URL. It is also
> highly recommended that this URL be capable of serving OpenID discovery
> documents at {service-account-issuer}/.well-known/openid-configuration.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
parent 63f2211b
......@@ -220,6 +220,7 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
argsMap["enable-admission-plugins"] = "NodeRestriction"
argsMap["anonymous-auth"] = "false"
argsMap["profiling"] = "false"
argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"
if cfg.EncryptSecrets {
argsMap["encryption-provider-config"] = runtime.EncryptionConfig
}
......
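Review bot: The added line puts the gate name inside the map key (`argsMap["feature-gates=ServiceAccountIssuerDiscovery"] = "false"`), unlike the neighbouring entries, where the key is the flag name and the value is its setting. Suggest `argsMap["feature-gates"] = "ServiceAccountIssuerDiscovery=false"`, so that any other code reading or setting the `feature-gates` key sees this gate instead of ending up with a second, separate entry. A one-line comment saying the gate is off because `service-account-issuer` is not an https URL would also help, since that reason currently lives only in the commit message.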