feat: configure k3s service account issuer

[xnoto]

Summary

• add a k3s config drop-in for Kubernetes ServiceAccount token issuer discovery
• set the future issuer to https://makeitwork.cloud/oidc for projected pod tokens
• keep the current k3s default issuer accepted during transition
• set the public JWKS URI to the static endpoint in makeitworkcloud/www

Validation

• parsed cloud-init YAML with Python/YAML
• tofu fmt -recursive
• tofu init -backend=false -reconfigure -upgrade -input=false -no-color
• tofu validate -no-color
• PCT_TFPATH=$(command -v tofu) pre-commit run --all-files --config /home/user/git/makeitworkcloud/images/tfroot-runner/pre-commit-config.yaml

Notes / caveats

• No live tofu plan/apply was run locally; PR CI should produce the plan.
• This updates cloud-init desired state. It will not change the existing k3s VM until the cloud-init path is re-applied or the equivalent host file is installed and k3s is restarted.
• Follow-up work still needs the public JWKS populated in www, AWS IAM OIDC provider/role trust in tfroot-aws, and sops-secrets-operator web-identity wiring in kustomize-cluster.

[github-actions]

OpenTofu Plan

OpenTofu will perform the following actions:

  # module.k3s.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: k3s
            local-hostname: k3s
        EOT
      + name           = "k3s_commoninit"
      + network_config = <<-EOT
            version: 2
            ethernets:
              enp1s0:
                dhcp4: true
              enp2s0:
                dhcp4: false
                addresses:
                  - 192.168.102.2/24
        EOT
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

  # module.k3s.libvirt_volume.cloudinit will be replaced due to changes in replace_triggered_by
-/+ resource "libvirt_volume" "cloudinit" {
      ~ allocation = 49152 -> (known after apply)
      ~ capacity   = 49152 -> (known after apply)
      ~ create     = {
          ~ content = {
              ~ url = "/home/user/terraform-provider-libvirt-cloudinit/cloudinit-16de859e0abe38bb.iso" -> (known after apply)
            }
        }
      ~ id         = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
      ~ key        = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
        name       = "k3s_cloudinit.iso"
      ~ path       = "/mnt/nvme/cluster/k3s_cloudinit.iso" -> (known after apply)
      ~ physical   = 49152 -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.k3s.terraform_data.cloudinit_content will be updated in-place
  ~ resource "terraform_data" "cloudinit_content" {
        id     = "5b88fd98-5e5c-89c7-2a69-42d8bf7cdce2"
      ~ input  = (sensitive value)
      ~ output = "d937151a0020e84c0d3a6a15c8d96a2df72f18dacee79f1b5377b6e8862b9c98" -> (known after apply)
    }

  # module.runner.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: runner
            local-hostname: runner
        EOT
      + name           = "runner_commoninit"
      + network_config = (sensitive value)
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

Plan: 3 to add, 1 to change, 1 to destroy.