From 6b3044fa470f2e0575258b53aee316ee7ed85859 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Fri, 19 Jun 2026 00:43:09 -0600
Subject: [PATCH] feat: configure k3s service account issuer
---
 cloud-init/k3s/cloud_init.cfg | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/cloud-init/k3s/cloud_init.cfg b/cloud-init/k3s/cloud_init.cfg
index c30206c..cc3f84a 100644
--- a/cloud-init/k3s/cloud_init.cfg
+++ b/cloud-init/k3s/cloud_init.cfg
@@ -21,6 +21,20 @@ write_files:
 - oidc-client-id=headlamp
 - oidc-username-claim=email
 - oidc-groups-claim=groups
+ # Kubernetes ServiceAccount issuer for projected pod tokens. This is separate
+ # from the Dex OIDC config above, which validates human/user login tokens.
+ # AWS STS will use the public static discovery/JWKS documents served by www
+ # at https://makeitwork.cloud/oidc to validate sops-secrets-operator tokens.
+ - path: /etc/rancher/k3s/config.yaml.d/service-account-issuer.yaml
+ permissions: '0600'
+ content: |
+ kube-apiserver-arg:
+ # First issuer signs new ServiceAccount tokens.
+ - service-account-issuer=https://makeitwork.cloud/oidc
+ # Keep the k3s default issuer accepted during transition.
+ - service-account-issuer=https://kubernetes.default.svc.cluster.local
+ - service-account-jwks-uri=https://makeitwork.cloud/oidc/openid/v1/jwks
+ - api-audiences=https://makeitwork.cloud/oidc,https://kubernetes.default.svc.cluster.local
 groups:
 - default
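Review bot: The drop-in's `kube-apiserver-arg:` key in the new `content: |` block will, as far as I can tell from the k3s config.yaml.d merge rules, replace rather than extend any `kube-apiserver-arg` list already set in the main config — and the context lines above the hunk (`- oidc-client-id=headlamp`, `- oidc-username-claim=email`, `- oidc-groups-claim=groups`) look like exactly such a list, so applying this file as written could silently drop the Dex OIDC flags from the apiserver. If those lines do belong to a `kube-apiserver-arg` list, the drop-in key should be the append form, `kube-apiserver-arg+:`, and the comment should say so: `# '+' suffix appends to the kube-apiserver-arg list in config.yaml instead of replacing it.` The header comment should also name the operational consequence of pointing `service-account-jwks-uri` at a static document: the published JWKS must be regenerated whenever the cluster's service-account signing key changes, or STS validation fails closed, and whoever can publish to that path can substitute a key AWS would trust, so the www publishing pipeline is part of the trust boundary and the IAM role trust policy should be scoped on `sub` and `aud` rather than the issuer alone. The enclosing `write_files` list starts before this hunk.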