Fix issuer and jwks object path and url for IRSA

kubernetes · Jun 1, 2021 · dfe286c · dfe286c
1 parent 77b1bfc
commit dfe286c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 9 deletions.
diff --git a/pkg/model/iam/subject.go b/pkg/model/iam/subject.go
@@ -122,17 +122,13 @@ func ServiceAccountIssuer(clusterSpec *kops.ClusterSpec) (string, error) {
 		}
 		switch base := base.(type) {
 		case *vfs.S3Path:
-			baseURL, err := base.GetHTTPsUrl()
-			if err != nil {
-				return "", err
-			}
-			return baseURL + "/oidc", nil
+			return base.GetHTTPsUrl()
 		case *vfs.MemFSPath:
 			if !base.IsClusterReadable() {
 				// If this _is_ a test, we should call MarkClusterReadable
 				return "", fmt.Errorf("locationStore=%q is only supported in tests", store)
 			}
-			return strings.Replace(base.Path(), "memfs://", "https://", 1) + "/oidc", nil
+			return strings.Replace(base.Path(), "memfs://", "https://", 1), nil
 		default:
 			return "", fmt.Errorf("locationStore=%q is of unexpected type %T", store, base)
 		}

diff --git a/pkg/model/issuerdiscovery.go b/pkg/model/issuerdiscovery.go
@@ -80,7 +80,7 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	keysFile := &fitasks.ManagedFile{
 		Contents:  keys,
 		Lifecycle: b.Lifecycle,
-		Location:  fi.String("/openid/v1/jwks"),
+		Location:  fi.String("openid/v1/jwks"),
 		Name:      fi.String("keys.json"),
 		Base:      fi.String(b.Cluster.Spec.ServiceAccountIssuerDiscovery.DiscoveryStore),
 		Public:    fi.Bool(true),
@@ -90,7 +90,7 @@ func (b *IssuerDiscoveryModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	discoveryFile := &fitasks.ManagedFile{
 		Contents:  fi.NewBytesResource(discovery),
 		Lifecycle: b.Lifecycle,
-		Location:  fi.String("oidc/.well-known/openid-configuration"),
+		Location:  fi.String(".well-known/openid-configuration"),
 		Name:      fi.String("discovery.json"),
 		Base:      fi.String(b.Cluster.Spec.ServiceAccountIssuerDiscovery.DiscoveryStore),
 		Public:    fi.Bool(true),

diff --git a/util/pkg/vfs/s3fs.go b/util/pkg/vfs/s3fs.go
@@ -447,7 +447,8 @@ func (p *S3Path) GetHTTPsUrl() (string, error) {
 		}
 		p.bucketDetails = bucketDetails
 	}
-	return fmt.Sprintf("https://%s.s3.%s.amazonaws.com/%s", p.bucketDetails.name, p.bucketDetails.region, p.Key()), nil
+	baseURL := fmt.Sprintf("https://%s.s3.%s.amazonaws.com", p.bucketDetails.name, p.bucketDetails.region)
+	return path.Join(baseURL, p.Key()), nil
 }
 
 // AWSErrorCode returns the aws error code, if it is an awserr.Error, otherwise ""