specify the service account issuer

Signed-off-by: Hector Fernandez <hector@chainguard.dev>
sigstore · Aug 9, 2023 · cb6e80a · cb6e80a
1 parent 145502d
commit cb6e80a
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 8 deletions.
diff --git a/.github/workflows/add-remove-new-fulcio.yaml b/.github/workflows/add-remove-new-fulcio.yaml
@@ -73,12 +73,13 @@ jobs:
     - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
 
     - name: Setup Cluster
-      uses: chainguard-dev/actions/setup-kind@cc7afeaca6e5871be191ecc1b8bce10274bc1ee4
+      uses: chainguard-dev/actions/setup-kind@main
       id: kind
       with:
         k8s-version: ${{ matrix.k8s-version }}
         registry-authority: registry.local:5000
         cluster-suffix: cluster.local
+        service-account-issuer: https://kubernetes.default.svc.cluster.local
 
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main
@@ -163,7 +164,7 @@ jobs:
         cosign verify --rekor-url "${{ env.REKOR_URL }}" \
         --allow-insecure-registry "${{ env.demoimage }}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
-        --certificate-oidc-issuer "https://kubernetes.default.svc"
+        --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Spin up a new Fulcio with new keys
       run: |

diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
@@ -76,12 +76,13 @@ jobs:
     - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
 
     - name: Setup Cluster
-      uses: chainguard-dev/actions/setup-kind@cc7afeaca6e5871be191ecc1b8bce10274bc1ee4
+      uses: chainguard-dev/actions/setup-kind@main
       id: kind
       with:
         k8s-version: ${{ matrix.k8s-version }}
         registry-authority: registry.local:5000
         cluster-suffix: cluster.local
+        service-account-issuer: https://kubernetes.default.svc.cluster.local
 
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main
@@ -171,7 +172,7 @@ jobs:
         cosign verify --rekor-url "${{ env.REKOR_URL }}" \
         --allow-insecure-registry "${{ env.demoimage }}" \
         --certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \
-        --certificate-oidc-issuer "https://kubernetes.default.svc"
+        --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     # Test with cosign in 'airgapped mode'
     # Uncomment these once modified cosign goes in.

diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
@@ -52,12 +52,13 @@ jobs:
 
     - name: Setup Cluster
       # TODO: update after next release.
-      uses: chainguard-dev/actions/setup-kind@52eca3baf7c09ec1dbc4195449779fa59cc618e6
+      uses: chainguard-dev/actions/setup-kind@main
       id: kind
       with:
         k8s-version: ${{ matrix.k8s-version }}
         registry-authority: registry.local:5000
         cluster-suffix: cluster.local
+        service-account-issuer: https://kubernetes.default.svc.cluster.local
 
     - name: Setup Knative
       uses: chainguard-dev/actions/setup-knative@main

diff --git a/config/fulcio/fulcio/200-configmap.yaml b/config/fulcio/fulcio/200-configmap.yaml
@@ -9,7 +9,7 @@ data:
     {
       "OIDCIssuers": {
         "https://kubernetes.default.svc.cluster.local": {
-          "IssuerURL": "https://kubernetes.default.svc",
+          "IssuerURL": "https://kubernetes.default.svc.cluster.local",
           "ClientID": "sigstore",
           "Type": "kubernetes"
         },

diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh
@@ -169,7 +169,7 @@ kubeadmConfigPatches:
       name: config
     apiServer:
       extraArgs:
-        "service-account-issuer": "https://kubernetes.default.svc"
+        "service-account-issuer": "https://kubernetes.default.svc.cluster.local"
         "service-account-key-file": "/etc/kubernetes/pki/sa.pub"
         "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key"
         "service-account-api-audiences": "api,spire-server"

diff --git a/hack/setup-scaffolding-from-release.sh b/hack/setup-scaffolding-from-release.sh
@@ -95,7 +95,7 @@ if [ "${NEED_TO_UPDATE_FULCIO_CONFIG}" == "true" ]; then
   echo "Fixing Fulcio config for < 1.23.X Kubernetes"
   curl -Ls "${FULCIO}" | sed 's@https://kubernetes.default.svc.cluster.local@https://kubernetes.default.svc@' | kubectl apply -f -
 else
-  curl -Ls "${FULCIO}" | sed 's@"IssuerURL": "https://kubernetes.default.svc",@"IssuerURL": "https://kubernetes.default.svc.cluster.local",@' | kubectl apply -f -
+  curl -Ls "${FULCIO}" | sed 's@"IssuerURL": "https://kubernetes.default.svc.cluster.local",@"IssuerURL": "https://kubernetes.default.svc.cluster.local",@' | kubectl apply -f -
 fi
 
 kubectl get -n fulcio-system cm fulcio-config -o json