From a6e42de1e698005e49f6be6a0f33572ec014556f Mon Sep 17 00:00:00 2001
From: xnoto
Date: Fri, 19 Jun 2026 00:46:41 -0600
Subject: [PATCH] feat: publish k3s service account JWKS

---
 README.md | 5 ++---
 makeitwork.cloud/oidc/openid/v1/jwks | 11 ++++++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 370715a..ef1c93a 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,12 @@ Serverless web content with GitHub Actions pushing changes to S3.
 # Static OIDC issuer
 `makeitwork.cloud/oidc/` hosts public static Kubernetes ServiceAccount OIDC
-discovery metadata for future AWS STS web-identity authentication from the k3s
-cluster.
+discovery metadata for AWS STS web-identity authentication from the k3s cluster.
 - Issuer: `https://makeitwork.cloud/oidc`
 - Discovery: `https://makeitwork.cloud/oidc/.well-known/openid-configuration`
 - JWKS: `https://makeitwork.cloud/oidc/openid/v1/jwks`
-The JWKS file must contain only public key material for the k3s ServiceAccount
+The JWKS file contains only public key material from the k3s ServiceAccount
 token signing key. Never commit the private signing key, AWS credentials, KMS
 key IDs, kubeconfigs, or decrypted SOPS values here.
diff --git a/makeitwork.cloud/oidc/openid/v1/jwks b/makeitwork.cloud/oidc/openid/v1/jwks
index faf87ec..5122b8a 100644
--- a/makeitwork.cloud/oidc/openid/v1/jwks
+++ b/makeitwork.cloud/oidc/openid/v1/jwks
@@ -1,3 +1,12 @@
 {
- "keys": []
+ "keys": [
+ {
+ "alg": "RS256",
+ "e": "AQAB",
+ "kid": "INImbqvzmPK6jGaGaRRsZM2PXN8d2sU-oFdDcxl3-1A",
+ "kty": "RSA",
+ "n": "v5ROv3NlaVWXMBDyabdk8jAx2Quizlg1rFPSgcxMp3GubFRWUKK2wA2hSNaKTbCeyg8L3lqzYP9IJEM3YXRafWNlEBiyaotY6XSV9NaIT5tbJ30Ksb87qOuGzHL1NCRm60jOSXF8JabPyCEFim-3gLB2re3o0FC4En5TGDPpEMYZmy81YBWfdWDXcYDtnChs5WKiArHxas_6JwEiEpmXydSeFvu7NhDPqb4zbGFzdSWlwyvWkRDKMSSgXrfxdlDQ1PQftdfXp6S9j4zi39tffgtaRgOPm61J8gJMXKfeBkKfcRicYJJNcx0YkXFleO1-fg22Mmll63RGl1xIx5S_jw",
+ "use": "sig"
+ }
+ ]
 }
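Review bot: The JWKS now carries exactly one RS256 key and nothing records how rotation is handled, so when the k3s ServiceAccount signing key is rotated AWS STS will reject tokens signed by the new key until this file is republished, and tokens still in flight need the old `kid` to stay listed until they expire. Since this file is strict JSON and cannot hold a comment, consider stating in the README that rotation means appending the new key to `keys` and dropping the old entry only after its tokens have aged out, and adding a CI step that compares this file with the cluster's own `/openid/v1/jwks` output so the published material cannot silently drift from what the cluster signs with. The entry itself exposes only the public members `kty`, `n` and `e` with `use: "sig"`, which is consistent with the README rule against committing private material; the `kid` has the shape of a base64url JWK thumbprint, though that cannot be confirmed from the diff alone.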