From cdf4ef700e9b5b666ed9313db4303792cc013cda Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Fri, 7 Feb 2025 12:47:48 -0800
Subject: [PATCH] Add service_account_issuer variable for kube-apiserver

* Allow the service account token issuer to be adjusted or served from a public bucket or static cache

Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
Rel: https://github.com/poseidon/terraform-render-bootstrap/pull/405
---
 CHANGES.md | 3 +++
 aws/fedora-coreos/kubernetes/bootstrap.tf | 19 ++++++++++---------
 aws/fedora-coreos/kubernetes/variables.tf | 6 ++++++
 aws/flatcar-linux/kubernetes/bootstrap.tf | 19 ++++++++++---------
 aws/flatcar-linux/kubernetes/variables.tf | 6 ++++++
 azure/fedora-coreos/kubernetes/bootstrap.tf | 15 ++++++++-------
 azure/fedora-coreos/kubernetes/variables.tf | 6 ++++++
 azure/flatcar-linux/kubernetes/bootstrap.tf | 13 +++++++------
 azure/flatcar-linux/kubernetes/variables.tf | 6 ++++++
 .../fedora-coreos/kubernetes/bootstrap.tf | 17 +++++++++--------
 .../fedora-coreos/kubernetes/variables.tf | 6 ++++++
 .../flatcar-linux/kubernetes/bootstrap.tf | 17 +++++++++--------
 .../flatcar-linux/kubernetes/variables.tf | 6 ++++++
 .../fedora-coreos/kubernetes/bootstrap.tf | 11 ++++++-----
 .../fedora-coreos/kubernetes/variables.tf | 6 ++++++
 .../flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 .../flatcar-linux/kubernetes/variables.tf | 6 ++++++
 .../fedora-coreos/kubernetes/bootstrap.tf | 19 ++++++++++---------
 .../fedora-coreos/kubernetes/variables.tf | 6 ++++++
 .../flatcar-linux/kubernetes/bootstrap.tf | 19 ++++++++++---------
 .../flatcar-linux/kubernetes/variables.tf | 6 ++++++
 21 files changed, 143 insertions(+), 71 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 4ba942cb..331203c7 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -4,6 +4,9 @@ Notable changes between versions.
 ## Latest
+* Allow `kube-apiserver` service account token issuer `iss` to be adjusted with the `service_account_issuer` variable
+ * Allows OpenID Connect discovery to be served from an external endpoint
+
 ## v1.32.1
 * Kubernetes [v1.32.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md#v1321)
diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf
index 443e26b9..08284734 100644
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,14 +1,15 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
- etcd_servers = aws_route53_record.etcds.*.fqdn
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ cluster_name = var.cluster_name
+ api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
+ service_account_issuer = var.service_account_issuer
+ etcd_servers = aws_route53_record.etcds.*.fqdn
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 }
diff --git a/aws/fedora-coreos/kubernetes/variables.tf b/aws/fedora-coreos/kubernetes/variables.tf
index 49adf35a..3020437c 100644
--- a/aws/fedora-coreos/kubernetes/variables.tf
+++ b/aws/fedora-coreos/kubernetes/variables.tf
@@ -206,3 +206,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/aws/flatcar-linux/kubernetes/bootstrap.tf b/aws/flatcar-linux/kubernetes/bootstrap.tf
index 443e26b9..08284734 100644
--- a/aws/flatcar-linux/kubernetes/bootstrap.tf
+++ b/aws/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,14 +1,15 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
- etcd_servers = aws_route53_record.etcds.*.fqdn
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ cluster_name = var.cluster_name
+ api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
+ service_account_issuer = var.service_account_issuer
+ etcd_servers = aws_route53_record.etcds.*.fqdn
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 }
diff --git a/aws/flatcar-linux/kubernetes/variables.tf b/aws/flatcar-linux/kubernetes/variables.tf
index 15d4ec3e..7d2bac48 100644
--- a/aws/flatcar-linux/kubernetes/variables.tf
+++ b/aws/flatcar-linux/kubernetes/variables.tf
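Review bot: The new `service_account_issuer` variable accepts any string, yet its value becomes the `iss` claim of every service account token and, under the OpenID Connect Discovery rules the commit's linked docs point to, discovery is only served for an https issuer URL; an `http://` or malformed value would pass `terraform plan` and only surface as disabled discovery or failed token validation in the running cluster. A `validation` block rejecting non-https values would catch that at plan time, and the same applies to the identical variable blocks in the other nine `variables.tf` hunks of this commit. The description would also benefit from one sentence noting that changing the issuer on an existing cluster changes `iss` on newly minted tokens, so tokens carrying the old issuer stop validating unless the rendered kube-apiserver also accepts the previous issuer — whether the bumped `terraform-render-bootstrap` ref supports a second issuer is not visible here.
```hcl
variable "service_account_issuer" {
  # … unchanged: type, description, default …

  validation {
    condition     = can(regex("^https://", var.service_account_issuer))
    error_message = "service_account_issuer must be an https:// URL; OIDC discovery is only served for https issuers."
  }
}
```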
@@ -206,3 +206,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf
index 03b583e5..41158532 100644
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,15 +1,16 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
 cluster_name = var.cluster_name
- api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
 etcd_servers = formatlist("%s.%s", azurerm_dns_a_record.etcds.*.name, var.dns_zone)
+ api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ service_account_issuer = var.service_account_issuer
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 }
diff --git a/azure/fedora-coreos/kubernetes/variables.tf b/azure/fedora-coreos/kubernetes/variables.tf
index 0a63b6d8..b4ac7219 100644
--- a/azure/fedora-coreos/kubernetes/variables.tf
+++ b/azure/fedora-coreos/kubernetes/variables.tf
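Review bot: The azure/fedora-coreos bootstrap hunk moves `api_servers` below `etcd_servers`, while the azure/flatcar-linux hunk in this same commit keeps `api_servers` first, so two files that were identical before the change (both at blob 03b583e5) now differ only in argument order. The google-cloud hunks likewise move `etcd_servers` above `api_servers`, whereas aws, bare-metal and digital-ocean keep `api_servers` first. Using one order everywhere — `cluster_name`, `api_servers`, `service_account_issuer`, `etcd_servers`, as the aws hunks do — would keep the per-platform files diffable against each other.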
@@ -177,3 +177,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/azure/flatcar-linux/kubernetes/bootstrap.tf b/azure/flatcar-linux/kubernetes/bootstrap.tf
index 03b583e5..1721d879 100644
--- a/azure/flatcar-linux/kubernetes/bootstrap.tf
+++ b/azure/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,15 +1,16 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
 etcd_servers = formatlist("%s.%s", azurerm_dns_a_record.etcds.*.name, var.dns_zone)
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ service_account_issuer = var.service_account_issuer
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 }
diff --git a/azure/flatcar-linux/kubernetes/variables.tf b/azure/flatcar-linux/kubernetes/variables.tf
index 680e71a0..0ff953de 100644
--- a/azure/flatcar-linux/kubernetes/variables.tf
+++ b/azure/flatcar-linux/kubernetes/variables.tf
@@ -203,3 +203,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
index 8108a62e..b6a6b642 100644
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,14 +1,15 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [var.k8s_domain_name]
- etcd_servers = var.controllers.*.domain
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- components = var.components
+ cluster_name = var.cluster_name
+ api_servers = [var.k8s_domain_name]
+ service_account_issuer = var.service_account_issuer
+ etcd_servers = var.controllers.*.domain
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ components = var.components
 }
diff --git a/bare-metal/fedora-coreos/kubernetes/variables.tf b/bare-metal/fedora-coreos/kubernetes/variables.tf
index c5ca8c52..3904f7d1 100644
--- a/bare-metal/fedora-coreos/kubernetes/variables.tf
+++ b/bare-metal/fedora-coreos/kubernetes/variables.tf
@@ -143,3 +143,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
index 4643fde8..9bda1837 100644
--- a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,13 +1,14 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [var.k8s_domain_name]
- etcd_servers = var.controllers.*.domain
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- components = var.components
+ cluster_name = var.cluster_name
+ api_servers = [var.k8s_domain_name]
+ service_account_issuer = var.service_account_issuer
+ etcd_servers = var.controllers.*.domain
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ components = var.components
 }
diff --git a/bare-metal/flatcar-linux/kubernetes/variables.tf b/bare-metal/flatcar-linux/kubernetes/variables.tf
index 3c309e5a..ad3c5b0f 100644
--- a/bare-metal/flatcar-linux/kubernetes/variables.tf
+++ b/bare-metal/flatcar-linux/kubernetes/variables.tf
@@ -159,3 +159,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
index 718f3b1c..29089003 100644
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,14 +1,15 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
 etcd_servers = digitalocean_record.etcds.*.fqdn
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- components = var.components
+ service_account_issuer = var.service_account_issuer
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ components = var.components
 }
diff --git a/digital-ocean/fedora-coreos/kubernetes/variables.tf b/digital-ocean/fedora-coreos/kubernetes/variables.tf
index 4dc1315e..383246cb 100644
--- a/digital-ocean/fedora-coreos/kubernetes/variables.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/variables.tf
@@ -102,3 +102,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
index 718f3b1c..dd227d6e 100644
--- a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/digital-ocean/flatcar-linux/kubernetes/variables.tf b/digital-ocean/flatcar-linux/kubernetes/variables.tf
index c6b7502e..ad0ed8f6 100644
--- a/digital-ocean/flatcar-linux/kubernetes/variables.tf
+++ b/digital-ocean/flatcar-linux/kubernetes/variables.tf
@@ -102,3 +102,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
index 76b1d6ec..31206043 100644
--- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
+++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
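Review bot: The digital-ocean/flatcar-linux bootstrap hunk only bumps the module ref and never passes `service_account_issuer = var.service_account_issuer`, although the `digital-ocean/flatcar-linux/kubernetes/variables.tf` hunk right after it declares the variable exactly like the other platforms, and the diffstat's `2 +-` for that bootstrap file confirms nothing else changed there. An operator setting `service_account_issuer` on this platform would get a clean plan but no change to kube-apiserver, which would keep whatever issuer the bumped `terraform-render-bootstrap` ref defaults to — a silent mismatch between the configured and the actual `iss` value. Add the argument next to `api_servers`, as the digital-ocean/fedora-coreos hunk does: `service_account_issuer = var.service_account_issuer`. The `module "bootstrap"` block continues past the end of this hunk.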
@@ -1,15 +1,16 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
- etcd_servers = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ cluster_name = var.cluster_name
+ etcd_servers = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]
+ api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
+ service_account_issuer = var.service_account_issuer
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 // temporary
 external_apiserver_port = 443
diff --git a/google-cloud/fedora-coreos/kubernetes/variables.tf b/google-cloud/fedora-coreos/kubernetes/variables.tf
index 96f2e70a..ea2c8520 100644
--- a/google-cloud/fedora-coreos/kubernetes/variables.tf
+++ b/google-cloud/fedora-coreos/kubernetes/variables.tf
@@ -163,3 +163,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}
diff --git a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
index 76b1d6ec..31206043 100644
--- a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,15 +1,16 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=997f6012b540617f7fda1603d169e6ec92be125c"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c50071487ccd9a29f25767a5fa79dca260be7b86"
- cluster_name = var.cluster_name
- api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
- etcd_servers = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]
- networking = var.networking
- pod_cidr = var.pod_cidr
- service_cidr = var.service_cidr
- daemonset_tolerations = var.daemonset_tolerations
- components = var.components
+ cluster_name = var.cluster_name
+ etcd_servers = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]
+ api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
+ service_account_issuer = var.service_account_issuer
+ networking = var.networking
+ pod_cidr = var.pod_cidr
+ service_cidr = var.service_cidr
+ daemonset_tolerations = var.daemonset_tolerations
+ components = var.components
 // temporary
 external_apiserver_port = 443
diff --git a/google-cloud/flatcar-linux/kubernetes/variables.tf b/google-cloud/flatcar-linux/kubernetes/variables.tf
index 6261a329..225f485b 100644
--- a/google-cloud/flatcar-linux/kubernetes/variables.tf
+++ b/google-cloud/flatcar-linux/kubernetes/variables.tf
@@ -163,3 +163,9 @@ variable "components" {
 })
 default = null
 }
+
+variable "service_account_issuer" {
+ type = string
+ description = "kube-apiserver service account token issuer (used as an identifier in 'iss' claims)"
+ default = "https://kubernetes.default.svc.cluster.local"
+}