high-fall-28740
07/05/2022, 11:55 PM
Hello - Is there a K3s equivalent for a path location where certs are stored? E.g. /etc/kubernetes/pki/ ?

hundreds-state-15112
07/05/2022, 11:56 PM
I think /var/lib/rancher/k3s/server/tls
🤘 1
Yup looks like it

high-fall-28740
07/06/2022, 12:00 AM
Thx Austin - do you know where I can find the sa.pub? Doesn't look like the ServiceAccount certs are stored there

hundreds-state-15112
07/06/2022, 12:04 AM
I’m not sure, but looking at this hardening guide I see options like this pointing to the same directory
--service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key            # 1.2.28
--service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key
Otherwise /var/lib/rancher/k3s/server/cred/ looks interesting?

high-fall-28740
07/06/2022, 12:07 AM
interesting - yes... that looks like the private key?

hundreds-state-15112
07/06/2022, 12:09 AM
I’ve never come across ServiceAccount public keys in my work, it’s always just tokens. So I am probably unable to give you much more direction

high-fall-28740
07/06/2022, 12:10 AM
thanks Austin - I was able to derive the public key from the private key... definitely got me closer than I was before 🙂
🎉 1
I'll try using that derived public key to see if it works

creamy-pencil-82913
07/06/2022, 4:35 AM
I believe you can also pull the signing cert from the apiserver's embedded public OIDC discovery endpoint?
It's been a while since I looked at it though

high-fall-28740
07/06/2022, 5:04 AM
I think you’re right BrandonD - but have to convert the JWKS to get the public key I think… anybody know of any good CLI based JWKS => RSA Public Key tools?

creamy-pencil-82913
07/06/2022, 8:12 AM
There's a web-based tool out there somewhere for troubleshooting OIDC that will decode the tokens for you
What are you trying to accomplish?

high-fall-28740
07/06/2022, 3:44 PM
Need to automate harvesting of the serviceaccount public key but the web-based JWKS decoder is throwing me for a loop

creamy-pencil-82913
07/06/2022, 5:19 PM
do you need it in a form other than what you can get from the apiserver with kubectl get --raw /openid/v1/jwks? There is also /.well-known/openid-configuration. As per the docs, the normal flow is:
The JWKS response contains public keys that a relying party can use to validate the Kubernetes service account tokens. Relying parties first query for the OpenID Provider Configuration, and use the jwks_uri field in the response to find the JWKS.
👍 1

high-fall-28740
07/06/2022, 5:48 PM
I need it in PEM

creamy-pencil-82913
07/06/2022, 6:06 PM
there’s a web-based tool to do that at https://8gwifi.org/jwkconvertfunctions.jsp and a python example at https://github.com/jpf/okta-jwks-to-pem
🤘 1
you can probably find other examples in your language of choice

high-fall-28740
07/06/2022, 8:24 PM
Thank you BrandonD