Use internal api url for jwks

pkg/model/iam/subject.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownusers"
+	"k8s.io/kops/upup/pkg/fi"
 )
 
 // Subject represents an IAM identity, to which permissions are granted.
@@ -85,7 +86,22 @@ func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) str
 	if clusterSpec.KubeAPIServer != nil && clusterSpec.KubeAPIServer.ServiceAccountIssuer != nil {
 		return *clusterSpec.KubeAPIServer.ServiceAccountIssuer
 	}
-	return "https://api." + clusterName
+	if supportsPublicJWKS(clusterSpec) {
+		return "https://api." + clusterName
+	}
+	return "https://api.internal." + clusterName
+}
+
+func supportsPublicJWKS(clusterSpec *kops.ClusterSpec) bool {
+	if !fi.BoolValue(clusterSpec.KubeAPIServer.AnonymousAuth) {
+		return false
+	}
+	for _, cidr := range clusterSpec.KubernetesAPIAccess {
+		if cidr == "0.0.0.0/0" {
+			return true
+		}
+	}
+	return false
 }
 
 // AddServiceAccountRole adds the appropriate mounts / env vars to enable a pod to use a service-account role

tests/integration/update_cluster/bastionadditional_user-data/data/aws_launch_template_master-us-test-1a.masters.bastionuserdata.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.bastionuserdata.example.com
-  serviceAccountJWKSURI: https://api.bastionuserdata.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.bastionuserdata.example.com
+  serviceAccountJWKSURI: https://api.internal.bastionuserdata.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml

@@ -220,8 +220,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.complex.example.com
-    serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.complex.example.com
+    serviceAccountJWKSURI: https://api.internal.complex.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     serviceNodePortRange: 28000-32767
     storageBackend: etcd3

tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data

@@ -219,8 +219,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.complex.example.com
-  serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.complex.example.com
+  serviceAccountJWKSURI: https://api.internal.complex.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/compress/data/aws_launch_template_master-us-test-1a.masters.compress.example.com_user_data

@@ -144,7 +144,7 @@ function download-release() {
 echo "== nodeup node config starting =="
 ensure-install-dir
 
-echo "H4sIAAAAAAAA/+xWbW/bthN/709B9I+ibxrJSvLvNqEF5jnd4jXpPLsPA4ZioMmzzJki1SOpxMM+/HCkbMtOsm7ry80GbPGeeA+/u5PQNsixNUtVlQPGam54BXNvkVcw1tw5cCXzGGAgrPFcGcBZMF7VULIdRe6ZkqyIaO+HFhCVhJL9PmCMsRbQKWvYC3Y6iISfGx0qZdyHdNwTskfKZnuTWYWNyNoiE6ge7YT/mniP3tP827oZpqDdgZF/boYexIcDU4x1zF/8pgH2gh2ZJI2sPX00ONL6LBcy23hlqQTs6DPfOA+1HFdoQ8NeJAwwpm11BS3okimztINdVUtWZOfZ2UBasQYkELi1aibGea51hyAwAjfxvg5wzAStB+CFHOvgPKAjRWjB+PjUs36WnWfFWUSoMvfz1mEBo+lkDtgmD7jW9maKqlUaKpDlNgZurNnUNrhR8KuSLbl2kdyoUZAKjIB4+wkji2jAg8tcKzIJSx60T6LpmrENxpesIFrwK4vqN04BXlvC/Ujf8I0bkRsDxhbKyJGUCM6VbJjFLzULdeAUbaskYMn4jaMcGL7QMJK1chTjNJU4efWa1+AaLuBKLUFshIZIvlK18jNuKsB4JgeVgJEQ5GMkTSljzoPx76wONVzxBejIuUih9Ru/T39jNWAMbA7CGpmY18Fzr0y1c/M9LFbWriPzHddKPsx+bSXMwHlUgsxG2gycDSjgx2A9pyR4IVOau8hX3jdlnhenX8TsFeX5cFgcCm6HTqeRJzD97z7N0wFjquYVlGz9pcsqgZmyOdX8hDfKJRi1RXaa6kQMDX6KsARE2JbyzabZXjYxHtBwPZnG46V13vA6VeflbY+3byLyAeFjAOdXwCVgBAvIWONklVcVQsW9xWPZl7ce+WV8JK/U7Vblp5MZ1NbDSZQ4Odb7jlo66R0rRNax/FtHrtdwvwpxqd1BBISpRV+y8/OzSOkDcOJcIHxTJVyZ57xRmbB1QznM4JbXjQYi3FH8/v2r+dvZ5NOauW3AKJm3Rf7rzdrtDXXDZTKN3VGyYjjMnp0TEPI4UlxC/TdcrMHIMsIpjZOxNR6t1oDXcTHuxorgHgjC48nFzO0Hi/dcrC6AfmfUKEJpmG+MmAIqK0tW1EP3UMuL5CVZTC5+9Sy5WOyZBAvau/emLW3dgDAm8zMbPO3u7XR7AOliF+FJ3YW4h7xOMNMQezRN3R6tvLsUCM/BweHsGSNIMF5xvU0VXT1Fe7spPxl4E2YJi5FHca66vtq/Xzz5mt+4Jw8H2cSrenH1/CWBuViBDDqV9wEbbifzefnpxkj58B4SceVeoKL5w1zawzv6zFpfsvwTKLp4Pe/hvBj2ODZu0O0xIyzr3ca5gEWoKmWqS26kpmbfxgBtmtSXHGXJaqgtbjLecqVJ73kxHF6rp8ZKWLoD8uMtUdG/+xYBnv//8dOY5TuiW+qB7J+XnPKZkD/llMW85Zhrtci7ROd7gTtINeBvLK7Tdu16yyhiWHPN3ccAyFOPHw4NSmdj5TU3agnOdxeDF/n+jSGvO64b1Jwy/eq/wv/bCk97tKIXLuwmDMW7rfcfAAAA//8BAAD//5CIzc16DQAA" | base64 -d | gzip -d > conf/cluster_spec.yaml
+echo "H4sIAAAAAAAA/+xW648bNRD/nr/CKqr6pbebvTsKrFqJkCtc6N0Rkj6QUIUce7Ix8drbsb13QfzxaOzN8y6U0o+QSMl6Xp7Hb2ZWaBvk0Jq5qsoeYzU3vIKpt8grGGruHLiSeQzQE9Z4rgzgJBivaijZhiK3TElWRLT3UwuISkLJ/uwxxlgL6JQ17AU77UXCr40OlTLufTpuCdkjZbOtyazCRmRtkQlUjzbC/0x8h76j+cm6Gaag3Z6Rf2+GHsT7PVOMdczf/KoB9oIdmCSNrD191DvQ+iwXMtt4ZakE7OAzXTkPtRxWaEPDXiQMMKZtdQUt6JIpM7e9TVVLVmTn2VlPWrEEJBC4pWpGxnmudYcgMAJX8b4OcMwErXvghRzq4DygI0Vowfj4tGP9LDvPirOIUGUe5i3DDAbj0RSwTR5wre3tGFWrNFQgy3UM3Fizqm1wg+AXJZtz7SK5UYMgFRgB8fYTRhbRgAeXuVZkEuY8aJ9E0zVDG4wvWUG04BcW1R+cAry2hPuBvuUrNyA3eozNlJEDKRGcK1k/i19qFurAMdpWScCS8VtHOTB8pmEga+UoxnEqcfLqhtfgGi7gSs1BrISGSL5StfITbirAeCYHlYCBEORjJI0pY86D8W+tDjVc8RnoyLlIoe02/i79tdWAMbApCGtkYl4Hz70y1cbNdzBbWLuMzLdcK3mcfWMlTMB5VILMRtoEnA0o4OdgPackeCFTmrvIF943ZZ4Xp1/F7BXleb9f7Auuh06nkScwffGQ5mmPMVXzCkq2/NpllcBM2ZxqfsIb5RKM2iI7TXUihgY/RpgDIqxL+XrVrC8bGQ9ouB6N4/HSOm94narz8m6Ht20i8gHhQwDnF8AlYAQLyFjjZJVXFULFvcVD2Zd3HvllfCSv1N1a5ZeTCdTWw0mUODnU+4FaOukdKkTWofwbR67X8LAKcandQQSEsUVfsvPzs0jZBeDIuUD4pkq4Ms95ozLVJSwTtm4omRnc8brRQIR7Fn5892r6ZjL6BBO5bcAombdF/vvt0m0tduNmNI79UrKi38+enRM08jhkXOqD77hYgpFlBFgaMENrPFqtAa/jqtwMGsE9EKiHo4uJ244a77lYXAD9Tqh1hNIwXRkxBlRWlqyo++7YEBDJS7KYXPzmWXKx2DIJKLSJH8xf2sMBYUjmJzZ42ubreXcE+2IT4UndhbhtAp2ApyF2bZrDO7Ty/poghAcH+9NoiCDBeMX1OlV09Rjt3ar8aOBNmCR0Rh7Fueg6bfvG8eRbfuueHA+yiVftxLXjLwlMxQJk0Km8R2y4jczn5acbLOXxzSTiEr5ARROJubSZN/SJtb5k+UdQdHEz3cF50d/h2LhT18eMsKw3O+gCZqGqlKkuuZGa2n8dA7Rpdl9ylCWroba4ynjLlSa950W/f62eGith7vbIj9dERf/uewR4/uXjpzHL90TX1D3Zvy855TMhf8wpi3nLMddqlneJzrcC95BqwN9aXKZ92/WWUcSw5pq7DwGQpx7fHxqUzsbKa27UHJzvLgYv8u07RF53XNerOWX61f+F/68VnjZrRa9g2E0Yindd778AAAD//wEAAP//mzuXKIwNAAA=" | base64 -d | gzip -d > conf/cluster_spec.yaml
 
 echo "H4sIAAAAAAAA/6qu5QIAAAD//wEAAP//BrCh3QMAAAA=" | base64 -d | gzip -d > conf/ig_spec.yaml
 

tests/integration/update_cluster/containerd-custom/cloudformation.json.extracted.yaml

@@ -224,8 +224,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.containerd.example.com
-    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.containerd.example.com
+    serviceAccountJWKSURI: https://api.internal.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/containerd/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.containerd.example.com
-    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.containerd.example.com
+    serviceAccountJWKSURI: https://api.internal.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/docker-custom/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersdockerexamplecom.Properties.L
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.docker.example.com
-    serviceAccountJWKSURI: https://api.docker.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.docker.example.com
+    serviceAccountJWKSURI: https://api.internal.docker.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1a.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1b.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1c.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.minimal.example.com
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1a.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1b.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1c.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externallb/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersexternallbexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.externallb.example.com
-    serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.externallb.example.com
+    serviceAccountJWKSURI: https://api.internal.externallb.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/externallb/data/aws_launch_template_master-us-test-1a.masters.externallb.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.externallb.example.com
-  serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.externallb.example.com
+  serviceAccountJWKSURI: https://api.internal.externallb.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externalpolicies/data/aws_launch_template_master-us-test-1a.masters.externalpolicies.example.com_user_data

@@ -206,8 +206,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.externalpolicies.example.com
-  serviceAccountJWKSURI: https://api.externalpolicies.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.externalpolicies.example.com
+  serviceAccountJWKSURI: https://api.internal.externalpolicies.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1a.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha.example.com
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1b.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha.example.com
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1c.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha.example.com
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-a-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-b-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-c-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1amasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -546,8 +546,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1bmasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -886,8 +886,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1cmasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1a.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1b.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1c.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal-cloudformation/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.minimal.example.com
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/minimal-gp3/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountIssuer: https://api.internal.minimal.example.com
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager: