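# Notes for rotating the bound service-account signing key on an OpenShift
# cluster. These are interactive steps, not an unattended script: run them one
# at a time and check each result before moving on.

cd ~/workspace/sa-key-rotation
cd jwks

# Build the JWKS document from two public keys (presumably the signer already
# in use plus the new one, so tokens signed by either verify during rotation).
go run jwks.go ../../aws-pod-identity-webhook/sa-signer-pkcs8.pub ../../cloud-credential-operator/new/serviceaccount-signer.public
cat keys.json

# keys.json is uploaded world-readable on purpose (--acl public-read), so it
# must contain public key material only. A JWK with a "d" member carries a
# private exponent; refuse to publish if one is present.
S3_BUCKET_NAME=btofel-sts-test
if grep -Eq '"d"[[:space:]]*:' keys.json; then
  printf 'keys.json appears to contain private key material; not uploading\n' >&2
else
  aws s3 cp keys.json "s3://${S3_BUCKET_NAME}" --profile redhat-openshift-dev --acl public-read
fi

# The relative paths below (../cloud-credential-operator and validatejwt/) only
# resolve from ~/workspace/sa-key-rotation, so step back out of jwks/ first.
cd ..

# Secret data values must be single-line base64. GNU base64 wraps at 76
# columns, which would break the JSON patch, so strip newlines explicitly.
PRIVKEY=$(base64 < ../cloud-credential-operator/new/serviceaccount-signer.private | tr -d '\n')
PUBKEY=$(base64 < ../cloud-credential-operator/new/serviceaccount-signer.public | tr -d '\n')

# NOTE(review): the private key travels on oc's command line here and is
# visible to other local users via the process list while oc runs. Only do
# this on a single-user workstation.
oc patch secret next-bound-service-account-signing-key -n openshift-kube-apiserver-operator --type=json -p '[{"op":"replace","path":"/data/service-account.key","value":"'"$PRIVKEY"'"},{"op":"replace","path":"/data/service-account.pub","value":"'"$PUBKEY"'"}]'

# Do not leave the signing key sitting in the shell environment.
unset PRIVKEY PUBKEY

# The projected token is a live credential: copy it into a private (0700)
# temporary directory instead of a predictable, shared path under /tmp.
TOKEN_DIR=$(mktemp -d)
kubectl cp nginx-6db496d57f-5cmmf:/var/run/secrets/kubernetes.io/serviceaccount/..data/token "$TOKEN_DIR/token" -n default

# Check that a token issued to a running pod verifies against the new public key.
cd validatejwt
go run validatejwt.go "$TOKEN_DIR/token" ../../cloud-credential-operator/new/serviceaccount-signer.public

# Remove the copied token as soon as validation is done.
rm -rf -- "${TOKEN_DIR:?}"
unset TOKEN_DIR

# Inspect the signing-cert bundle the kube-apiserver is using.
oc get configmap bound-sa-token-signing-certs -n openshift-kube-apiserver -o yaml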
Created
March 21, 2023 16:23
SA Key Rotation Notes