I’m trying to configure a Hashicorp Vault setup to use JWT with the service account verifier public key so it can authenticate Service Account tokens w/o needing to use the TokenReview API (which is inaccessible from our Vault instance).
Most writeups recommend you use the /.well-known/openid-configuration path in the k8s API server to obtain the public keys used to review, but RKE1 does not seem to present this path at all. I’m digging around looking for the “right” key to present, but from what I see in /etc/kubernetes/ssl, the keys are all “private” keys. Are there public keys created by RKE1 that can be used to review service account JWT tokens?
E.g. the kube-apiserver is running with:
--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem
Would it be appropriate to simply create a public key from this private key (openssl rsa -in kube-service-account-token-key.pem -pubout) and use that?