# k3s
h
I think
/var/lib/rancher/k3s/server/tls
Yup looks like it
h
Thx Austin - do you know where I can find the sa.pub? Doesn't look like the ServiceAccount certs are stored there
h
I’m not sure, but looking at this hardening guide I see options like this pointing to the same directory
```
--service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key            # 1.2.28
--service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key
```
Otherwise `/var/lib/rancher/k3s/server/cred/` looks interesting?
h
interesting - yes... that looks like the private key?
h
I’ve never come across ServiceAccounts public keys in my work, it’s always just tokens. So I am probably unable to give you much more direction
h
thanks Austin - I was able to derive the public key from the private key... definitely got me closer than I was before 🙂
I'll try using that derived public key to see if it works
c
I believe you can also pull the signing cert from the apiservers embedded public oidc discovery endpoint?
It's been a while since I looked at it though
h
I think you’re right BrandonD - but have to convert the JWKS to get the public key I think… anybody know of any good CLI based JWKS => RSA Public Key tools?
c
There's a web based tool out there somewhere for troubleshooting oidc that will decode the tokens for you
What are you trying to accomplish?
h
Need to automate harvesting of the serviceaccount public key but the web based JWKS decoder is throwing me for a loop
c
do you need it in a form other than what you can get from the apiserver with `kubectl get --raw /openid/v1/jwks`? There is also `/.well-known/openid-configuration`
as per the docs, the normal flow is
> The JWKS response contains public keys that a relying party can use to validate the Kubernetes service account tokens. Relying parties first query for the OpenID Provider Configuration, and use the `jwks_uri` field in the response to find the JWKS.
h
I need it in pem
c
there’s a web-based tool to do that at https://8gwifi.org/jwkconvertfunctions.jsp and a python example at https://github.com/jpf/okta-jwks-to-pem
you can probably find other examples in your language of choice
h
Thank you BrandonD