From c50071487ccd9a29f25767a5fa79dca260be7b86 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Wed, 5 Feb 2025 09:26:32 -0800
Subject: [PATCH] Add service_account_issuer variable for kube-apiserver

* Allow the service account token issuer to be adjusted or served from a public bucket or static cache
* Output the public key used to sign service account tokens so that it can be used to compute JWKS (JSON Web Key Sets) if desired

Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
---
 manifests.tf | 10 ++++++----
 outputs.tf | 6 ++++++
 resources/static-manifests/kube-apiserver.yaml | 4 ++--
 variables.tf | 6 ++++++
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/manifests.tf b/manifests.tf
index fc57714..941587d 100644
--- a/manifests.tf
+++ b/manifests.tf
@@ -10,10 +10,12 @@ locals {
 kube_controller_manager_image = var.container_images["kube_controller_manager"]
 kube_scheduler_image = var.container_images["kube_scheduler"]
 
- etcd_servers = join(",", formatlist("https://%s:2379", var.etcd_servers))
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- aggregation_flags = var.enable_aggregation ? indent(4, local.aggregation_flags) : ""
+ etcd_servers = join(",", formatlist("https://%s:2379", var.etcd_servers))
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+
+ service_account_issuer = var.service_account_issuer
+ aggregation_flags = var.enable_aggregation ? indent(4, local.aggregation_flags) : ""
 }
 )
 }
diff --git a/outputs.tf b/outputs.tf
index ac7fc56..c953357 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -68,3 +68,9 @@ output "etcd_peer_key" {
 value = tls_private_key.peer.private_key_pem
 sensitive = true
 }
+
+# Kubernetes TLS assets
+
+output "service_account_public_key" {
+ value = tls_private_key.service-account.public_key_pem
+}
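Review bot: The new `service_account_public_key` output is not by itself enough to build a JWKS that relying parties will accept for this cluster's tokens: each token header carries a `kid`, and the JWKS entry must use the same key ID kube-apiserver derives from the key (as I recall, base64url of the SHA-256 over the key's PKIX/DER encoding) plus a `use`/`alg` matching the signing key type. Leaving the output non-sensitive is right, the verification key is public by design. I would add a `description` so consumers are pointed at that requirement: `description = "PEM public key that verifies service account tokens; a hand-built JWKS must use the 'kid' kube-apiserver derives from this key"`.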
diff --git a/resources/static-manifests/kube-apiserver.yaml b/resources/static-manifests/kube-apiserver.yaml
index fd69713..26c6cb2 100644
--- a/resources/static-manifests/kube-apiserver.yaml
+++ b/resources/static-manifests/kube-apiserver.yaml
@@ -36,8 +36,8 @@ spec:
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname${aggregation_flags}
 - --runtime-config=admissionregistration.k8s.io/v1alpha1=true
 - --secure-port=6443
- - --service-account-issuer=https://kubernetes.default.svc.cluster.local
- - --service-account-jwks-uri=https://kubernetes.default.svc.cluster.local/openid/v1/jwks
+ - --service-account-issuer=${service_account_issuer}
+ - --service-account-jwks-uri=${service_account_issuer}/openid/v1/jwks
 - --service-account-key-file=/etc/kubernetes/pki/service-account.pub
 - --service-account-signing-key-file=/etc/kubernetes/pki/service-account.key
 - --service-cluster-ip-range=${service_cidr}
diff --git a/variables.tf b/variables.tf
index 5219c24..89daf23 100644
--- a/variables.tf
+++ b/variables.tf
@@ -132,3 +132,9 @@ variable "components" {
 # sets it to null.
 nullable = false
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
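Review bot: Changing `service_account_issuer` on a running cluster is an abrupt cut-over, because the new `--service-account-issuer=${service_account_issuer}` line passes a single issuer and kube-apiserver rejects any token whose `iss` claim does not match a configured issuer, so projected tokens already mounted in pods (and any long-lived secret-based tokens) stop authenticating until they are reissued. kube-apiserver accepts `--service-account-issuer` more than once, with the first value used for signing and the rest still accepted, so a list-typed variable rendered as repeated flags would give operators a rotation window; at minimum the variable's description should warn about the cut-over. The derived `--service-account-jwks-uri=${service_account_issuer}/openid/v1/jwks` also assumes that whoever hosts an external issuer publishes the key set at exactly that path and a discovery document at `${issuer}/.well-known/openid-configuration` whose `jwks_uri` points there; a separate `service_account_jwks_uri` variable defaulting to the derived value would make that contract explicit. Note that a value with a trailing slash renders as `//openid/v1/jwks` here.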
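Review bot: The new variable accepts any string, yet its value is spliced into a URL prefix for `--service-account-jwks-uri` and compared exactly against the `iss` claim, so a non-https value or a trailing slash produces a broken JWKS URI (`//openid/v1/jwks`) or, as I recall kube-apiserver's issuer-discovery validation, an apiserver that refuses to start. A `validation` block on the variable catches both at plan time instead of at control-plane boot. The description should also state that changing the value invalidates tokens minted under the previous issuer and that an externally hosted issuer must serve `/.well-known/openid-configuration` and `/openid/v1/jwks` under that URL.
```terraform
variable "service_account_issuer" {
  # … unchanged: type, default …
  description = "kube-apiserver service account token issuer URL (exact 'iss' claim; changing it invalidates tokens issued under the previous value; an externally hosted issuer must serve /.well-known/openid-configuration and /openid/v1/jwks under this URL)"

  validation {
    condition     = can(regex("^https://[^/]+", var.service_account_issuer)) && !can(regex("/$", var.service_account_issuer))
    error_message = "service_account_issuer must be an https URL without a trailing slash."
  }
}
```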