I’m working through implementing IAM Roles for Service Accounts on an RKE2 deployment, which requires updates to some of the arguments in the kube-apiserver.yaml file.
These arguments are as follows:
```yaml
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=<OIDC provider URL>
    - --service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub
    - --service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key
    - --service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key
```
What I am not sure of is if I need to keep the default service-account-key-file that comes with RKE2 deployments or if I can just replace it outright with the key I generate for the OIDC S3 bucket without breaking anything within RKE2.
Currently I use the RKE2 cloud enabled deployment here: https://github.com/rancherfederal/rke2-aws-tf/tree/master/examples/cloud-enabled and modify the kube-apiserver.yaml file with the following arguments.
```yaml
kube-apiserver-arg:
  - "service-account-issuer=<OIDC provider URL>"
  - "api-audiences=https://kubernetes.default.svc.cluster.local,rke2,sts.amazon.com"
  - "service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub"
  # - "service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key"
  - "service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key"
```
As you can see I have the default service-account-key-file commented out because the method for injecting those values in the kube-apiserver.yaml doesn’t seem to support specifying multiple service-account-key-files without one of them overwriting the other. (https://docs.rke2.io/install/install_options/server_config/)
In short, does the default service-account-key-file matter in the grand scheme of things if I replace it with my own?
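The practical thing to know before dropping the default public key is whether any token signed by the old private key is still in circulation, because the api-server only accepts a service-account JWT if one of the listed `--service-account-key-file` keys verifies its signature. The following is an added simulation, not code from the original post or from RKE2: two freshly generated RSA key pairs stand in for `tls/service.key` and `irsa/sa-signer.key`, and a payload signed with the "default" key is checked against each candidate key list (file names, the placeholder issuer and the payload are all constructed for the demo).

```shell
#!/bin/sh
# Constructed demo: RS256 service-account JWTs are RSA PKCS#1 v1.5 over
# SHA-256, which is exactly what `openssl dgst -sha256 -sign` produces,
# so raw signatures over a payload model the verification step faithfully.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_key <name>: writes $WORK/<name>.key (private) and $WORK/<name>.pub
make_key() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_token <signer-name> <payload> <out-sig-file>
sign_token() {
    printf '%s' "$2" | openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3"
}

# verifies_with_any <sig-file> <payload> <pub-file>...
# Returns 0 if any listed public key verifies the signature, mirroring how
# every repeated --service-account-key-file is consulted by the api-server.
verifies_with_any() {
    sig=$1; payload=$2; shift 2
    for pub in "$@"; do
        if printf '%s' "$payload" | openssl dgst -sha256 -verify "$pub" \
                -signature "$sig" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

make_key default_service   # stands in for .../server/tls/service.key
make_key irsa_signer       # stands in for .../server/irsa/sa-signer.key
PAYLOAD='{"iss":"https://OIDC-PROVIDER-PLACEHOLDER","sub":"system:serviceaccount:default:demo"}'
# A token minted before the switch: signed with the default key.
sign_token default_service "$PAYLOAD" "$WORK/old.sig"

# old_token_accepted <pub-file>...: prints accepted/rejected for that key list
old_token_accepted() {
    if verifies_with_any "$WORK/old.sig" "$PAYLOAD" "$@"; then
        echo accepted
    else
        echo rejected
    fi
}

echo "only IRSA pub: $(old_token_accepted "$WORK/irsa_signer.pub")"
echo "both pubs:     $(old_token_accepted "$WORK/irsa_signer.pub" "$WORK/default_service.pub")"
```

With only the IRSA key listed the pre-switch token is rejected, and with both keys listed it is accepted; whether that matters depends on whether the cluster still has tokens signed by the old key that have not been re-issued.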