feat: publish k3s service account JWKS

README.md

@@ -19,13 +19,12 @@ Serverless web content with GitHub Actions pushing changes to S3.
 # Static OIDC issuer
 
 `makeitwork.cloud/oidc/` hosts public static Kubernetes ServiceAccount OIDC
-discovery metadata for future AWS STS web-identity authentication from the k3s
-cluster.
+discovery metadata for AWS STS web-identity authentication from the k3s cluster.
 
 - Issuer: `https://makeitwork.cloud/oidc`
 - Discovery: `https://makeitwork.cloud/oidc/.well-known/openid-configuration`
 - JWKS: `https://makeitwork.cloud/oidc/openid/v1/jwks`
 
-The JWKS file must contain only public key material for the k3s ServiceAccount
+The JWKS file contains only public key material from the k3s ServiceAccount
 token signing key. Never commit the private signing key, AWS credentials, KMS key
 IDs, kubeconfigs, or decrypted SOPS values here.

makeitwork.cloud/oidc/openid/v1/jwks

@@ -1,3 +1,12 @@
 {
-  "keys": []
+  "keys": [
+    {
+      "alg": "RS256",
+      "e": "AQAB",
+      "kid": "INImbqvzmPK6jGaGaRRsZM2PXN8d2sU-oFdDcxl3-1A",
+      "kty": "RSA",
+      "n": "v5ROv3NlaVWXMBDyabdk8jAx2Quizlg1rFPSgcxMp3GubFRWUKK2wA2hSNaKTbCeyg8L3lqzYP9IJEM3YXRafWNlEBiyaotY6XSV9NaIT5tbJ30Ksb87qOuGzHL1NCRm60jOSXF8JabPyCEFim-3gLB2re3o0FC4En5TGDPpEMYZmy81YBWfdWDXcYDtnChs5WKiArHxas_6JwEiEpmXydSeFvu7NhDPqb4zbGFzdSWlwyvWkRDKMSSgXrfxdlDQ1PQftdfXp6S9j4zi39tffgtaRgOPm61J8gJMXKfeBkKfcRicYJJNcx0YkXFleO1-fg22Mmll63RGl1xIx5S_jw",
+      "use": "sig"
+    }
+  ]
 }