fix: make k3s issuer config readable #10

Merged
xnoto merged 1 commit into main from fix/k3s-service-account-issuer-mode
Jun 19, 2026

Conversation

@xnoto commented Jun 19, 2026

Contributor

Summary

  • set service-account-issuer.yaml cloud-init permissions to 0644
  • matches the existing non-secret k3s config drop-in mode and avoids warning logs from k3s kubectl invocations as the non-root user

Validation

  • cloud-init YAML parse
  • tofu fmt -recursive
  • tofu init -backend=false -reconfigure -upgrade -input=false -no-color
  • tofu validate -no-color
  • canonical tfroot pre-commit config

Live state

  • Applied the same mode fix on the k3s VM after installing the issuer config and restarting k3s.
  • Read-only validation confirmed discovery now reports issuer https://makeitwork.cloud/oidc.

@github-actions

OpenTofu Plan

OpenTofu will perform the following actions:

  # module.k3s.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: k3s
            local-hostname: k3s
        EOT
      + name           = "k3s_commoninit"
      + network_config = <<-EOT
            version: 2
            ethernets:
              enp1s0:
                dhcp4: true
              enp2s0:
                dhcp4: false
                addresses:
                  - 192.168.102.2/24
        EOT
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

  # module.k3s.libvirt_volume.cloudinit will be replaced due to changes in replace_triggered_by
-/+ resource "libvirt_volume" "cloudinit" {
      ~ allocation = 53248 -> (known after apply)
      ~ capacity   = 51200 -> (known after apply)
      ~ create     = {
          ~ content = {
              ~ url = "/tmp/terraform-provider-libvirt-cloudinit/cloudinit-6506fb4136326cc1.iso" -> (known after apply)
            }
        }
      ~ id         = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
      ~ key        = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
        name       = "k3s_cloudinit.iso"
      ~ path       = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
      ~ physical   = 51200 -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.k3s.terraform_data.cloudinit_content will be updated in-place
  ~ resource "terraform_data" "cloudinit_content" {
        id     = "5b88fd98-5e5c-89c7-2a69-42d8bf7cdce2"
      ~ input  = (sensitive value)
      ~ output = "f6be305fa1b065feef1244cd9c599c539c82b7b5f7afe609c1a5c80b89020e51" -> (known after apply)
    }

  # module.runner.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: runner
            local-hostname: runner
        EOT
      + name           = "runner_commoninit"
      + network_config = (sensitive value)
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

Plan: 3 to add, 1 to change, 1 to destroy.

@xnoto merged commit 046c79a into main Jun 19, 2026
3 checks passed
@xnoto deleted the fix/k3s-service-account-issuer-mode branch June 19, 2026 06:52