Skip to content

Commit

Permalink
Add service_account_issuer variable for kube-apiserver
Browse files Browse the repository at this point in the history 
* Allow the service account token issuer to be adjusted or served
from a public bucket or static cache
* Output the public key used to sign service account tokens so that
it can be used to compute JWKS (JSON Web Key Sets) if desired

Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
  • Loading branch information
@dghubble
dghubble committed Feb 7, 2025
1 parent 997f601 commit c500714
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 6 deletions.
10 changes: 6 additions & 4 deletions manifests.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,12 @@ locals {
kube_controller_manager_image = var.container_images["kube_controller_manager"]
kube_scheduler_image = var.container_images["kube_scheduler"]

etcd_servers = join(",", formatlist("https://%s:2379", var.etcd_servers))
pod_cidr = var.pod_cidr
service_cidr = var.service_cidr
aggregation_flags = var.enable_aggregation ? indent(4, local.aggregation_flags) : ""
etcd_servers = join(",", formatlist("https://%s:2379", var.etcd_servers))
pod_cidr = var.pod_cidr
service_cidr = var.service_cidr

service_account_issuer = var.service_account_issuer
aggregation_flags = var.enable_aggregation ? indent(4, local.aggregation_flags) : ""
}
)
}
Expand Down
6 changes: 6 additions & 0 deletions outputs.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,3 +68,9 @@ output "etcd_peer_key" {
value = tls_private_key.peer.private_key_pem
sensitive = true
}

# Kubernetes TLS assets

output "service_account_public_key" {
value = tls_private_key.service-account.public_key_pem
}
4 changes: 2 additions & 2 deletions resources/static-manifests/kube-apiserver.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@ spec:
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname${aggregation_flags}
- --runtime-config=admissionregistration.k8s.io/v1alpha1=true
- --secure-port=6443
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-jwks-uri=https://kubernetes.default.svc.cluster.local/openid/v1/jwks
- --service-account-issuer=${service_account_issuer}
- --service-account-jwks-uri=${service_account_issuer}/openid/v1/jwks
- --service-account-key-file=/etc/kubernetes/pki/service-account.pub
- --service-account-signing-key-file=/etc/kubernetes/pki/service-account.key
- --service-cluster-ip-range=${service_cidr}
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,3 +132,9 @@ variable "components" {
# sets it to null.
nullable = false
}

variable "service_account_issuer" {
type = string
description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
default = "https://kubernetes.default.svc.cluster.local"
}

0 comments on commit c500714

Please sign in to comment.