diff --git a/docs/book/src/topics/workload-identity.md b/docs/book/src/topics/workload-identity.md index c6cbc3e6e9e..1fded34e81d 100644 --- a/docs/book/src/topics/workload-identity.md +++ b/docs/book/src/topics/workload-identity.md @@ -42,6 +42,7 @@ you have access to Azure cloud services. - `SERVICE_ACCOUNT_NAME`: Name of the capz-manager or azureserviceoperator-default k8s service account. Default is `capz-manager` for CAPZ and `azureserviceoperator-default` for ASO. - `SERVICE_ACCOUNT_ISSUER`: Path of the Azure storage container created in the previous step, specifically: - `"https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/"` + - If unset, the cluster template falls back to kubeadm's default `https://kubernetes.default.svc.cluster.local`. Set it to your Azure storage container URL when running `clusterctl generate cluster ...` so projected service account tokens in the workload cluster are signed with an AAD-discoverable issuer. Create two federated identity credentials, one for CAPZ and one for ASO, by following [these instructions](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html). You'll need to set `SERVICE_ACCOUNT_NAME` and `SERVICE_ACCOUNT_NAMESPACE` to different values for each credential. Use either `user-assigned-identity` or `AD application` when creating the credentials, and add the `contributor` role to each. diff --git a/templates/cluster-template-aad.yaml b/templates/cluster-template-aad.yaml index 4a2a4ba7bdb..079e7c69f89 100644 --- a/templates/cluster-template-aad.yaml +++ b/templates/cluster-template-aad.yaml @@ -54,6 +54,7 @@ spec: oidc-issuer-url: https://sts.windows.net/${AZURE_TENANT_ID}/ oidc-username-claim: oid oidc-username-prefix: '-' + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: 
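Review bot: `SERVICE_ACCOUNT_ISSUER` appears to be the same variable the workload-identity page uses for the management cluster's issuer, so the new line in `cluster-template-aad.yaml` (and the identical line in every other template in this diff) will stamp that URL into each workload cluster generated from a shell that still has it exported. Federated identity credentials trust an issuer/subject pair, so clusters sharing one issuer are separated only by which signing keys are published at that URL; a distinct issuer per cluster keeps the trust boundary explicit. Nothing in this hunk wires the service-account signing key or the published JWKS, so with a custom issuer the token exchange will presumably fail until those match. Consider a separate variable name for workload clusters, or at least a comment such as `# must be unique per cluster and match the federated identity credential issuer exactly`.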
diff --git a/templates/cluster-template-apiserver-ilb.yaml b/templates/cluster-template-apiserver-ilb.yaml index 4dbd15c6550..cfc33f273e2 100644 --- a/templates/cluster-template-apiserver-ilb.yaml +++ b/templates/cluster-template-apiserver-ilb.yaml @@ -62,7 +62,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-azure-bastion.yaml b/templates/cluster-template-azure-bastion.yaml index 0da65077598..0473eea2d64 100644 --- a/templates/cluster-template-azure-bastion.yaml +++ b/templates/cluster-template-azure-bastion.yaml @@ -50,7 +50,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-azure-cni-v1.yaml b/templates/cluster-template-azure-cni-v1.yaml index b0d0af42ef8..c63415e3a45 100644 --- a/templates/cluster-template-azure-cni-v1.yaml +++ b/templates/cluster-template-azure-cni-v1.yaml @@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-dual-stack.yaml b/templates/cluster-template-dual-stack.yaml index 626680c024f..97669e69165 100644 --- a/templates/cluster-template-dual-stack.yaml +++ b/templates/cluster-template-dual-stack.yaml 
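Review bot: The fallback in the `cluster-template-apiserver-ilb.yaml` hunk hard-codes the `cluster.local` domain, whereas with the previous `extraArgs: {}` kubeadm derived the issuer from the cluster's configured DNS domain. For a cluster that sets a non-default service domain, the explicit flag now overrides that derived value, and the `iss` claim in newly issued tokens changes. No DNS-domain setting is visible in these hunks, so this needs confirming against the full templates; the azure-bastion and azure-cni-v1 hunks on this line and the remaining templates carry the same default. A comment next to the line would make the coupling visible, for example `# default equals kubeadm's issuer only when the service domain is cluster.local`.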
@@ -64,7 +64,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-edgezone.yaml b/templates/cluster-template-edgezone.yaml index ce59da67964..1cb9e566289 100644 --- a/templates/cluster-template-edgezone.yaml +++ b/templates/cluster-template-edgezone.yaml @@ -51,7 +51,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-ephemeral.yaml b/templates/cluster-template-ephemeral.yaml index bef4bb61436..1362f788e0c 100644 --- a/templates/cluster-template-ephemeral.yaml +++ b/templates/cluster-template-ephemeral.yaml @@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-flatcar-sysext.yaml b/templates/cluster-template-flatcar-sysext.yaml index 07f6ced9178..0e1eb3567e2 100644 --- a/templates/cluster-template-flatcar-sysext.yaml +++ b/templates/cluster-template-flatcar-sysext.yaml @@ -129,7 +129,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-flatcar.yaml b/templates/cluster-template-flatcar.yaml index 367076f0910..9c4c6600a30 100644 --- a/templates/cluster-template-flatcar.yaml +++ b/templates/cluster-template-flatcar.yaml 
@@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-ipv6.yaml b/templates/cluster-template-ipv6.yaml index 97c622ec3ec..37fcd6fe9b3 100644 --- a/templates/cluster-template-ipv6.yaml +++ b/templates/cluster-template-ipv6.yaml @@ -62,6 +62,7 @@ spec: apiServer: extraArgs: bind-address: '::' + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-machinepool-windows.yaml b/templates/cluster-template-machinepool-windows.yaml index f5e8ce9fe5c..dd6f47cfddf 100644 --- a/templates/cluster-template-machinepool-windows.yaml +++ b/templates/cluster-template-machinepool-windows.yaml @@ -52,7 +52,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-machinepool.yaml b/templates/cluster-template-machinepool.yaml index 97830128b27..9ab218b1396 100644 --- a/templates/cluster-template-machinepool.yaml +++ b/templates/cluster-template-machinepool.yaml @@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-nvidia-gpu.yaml b/templates/cluster-template-nvidia-gpu.yaml index 21f06495aa8..d02120f1b26 100644 --- a/templates/cluster-template-nvidia-gpu.yaml +++ b/templates/cluster-template-nvidia-gpu.yaml 
@@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-private.yaml b/templates/cluster-template-private.yaml index 786b6d52fc2..5aaf3ee57ae 100644 --- a/templates/cluster-template-private.yaml +++ b/templates/cluster-template-private.yaml @@ -57,7 +57,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-windows-apiserver-ilb.yaml b/templates/cluster-template-windows-apiserver-ilb.yaml index 2613ab07ad8..89f051a5347 100644 --- a/templates/cluster-template-windows-apiserver-ilb.yaml +++ b/templates/cluster-template-windows-apiserver-ilb.yaml @@ -66,7 +66,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template-windows.yaml b/templates/cluster-template-windows.yaml index a704c6040af..852e11f605e 100644 --- a/templates/cluster-template-windows.yaml +++ b/templates/cluster-template-windows.yaml @@ -52,7 +52,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/cluster-template.yaml b/templates/cluster-template.yaml index c6ec37941fc..e9f64b4c8d2 100644 --- a/templates/cluster-template.yaml +++ b/templates/cluster-template.yaml 
@@ -48,7 +48,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/flavors/base/cluster-template.yaml b/templates/flavors/base/cluster-template.yaml index 13bf2a5aabc..753fccce62e 100644 --- a/templates/flavors/base/cluster-template.yaml +++ b/templates/flavors/base/cluster-template.yaml @@ -58,7 +58,8 @@ spec: clusterConfiguration: apiServer: timeoutForControlPlane: 20m - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} controllerManager: extraArgs: allocate-node-cidrs: "false" diff --git a/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml b/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml index 630287b07ac..4b065dd4eaf 100644 --- a/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml +++ b/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml @@ -69,7 +69,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml b/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml index e09b4ce6ec1..6a4074ee823 100644 --- a/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml +++ b/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml @@ -69,7 +69,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: 
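Review bot: In `templates/flavors/base/cluster-template.yaml` the substituted value is an unquoted plain scalar, so whatever is exported as `SERVICE_ACCOUNT_ISSUER` is parsed as YAML rather than taken as a string. A value containing `: ` or ` #` would be truncated or would change the structure of `extraArgs`, which matters when the variable comes from a CI environment rather than an interactive shell. Quoting keeps it a single string: `service-account-issuer: "${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local}"`. If the other templates are generated from this base flavor (inferred from the directory layout, not shown here), making the change here and regenerating would cover the rest of the diff.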
diff --git a/templates/test/ci/cluster-template-prow-azl3.yaml b/templates/test/ci/cluster-template-prow-azl3.yaml index 657277af397..546a10bc466 100644 --- a/templates/test/ci/cluster-template-prow-azl3.yaml +++ b/templates/test/ci/cluster-template-prow-azl3.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml b/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml index e326a3b2f55..8049287550a 100644 --- a/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml +++ b/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml @@ -54,7 +54,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml b/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml index 04a8517e750..8677a05e94e 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml @@ -56,7 +56,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-dra.yaml b/templates/test/ci/cluster-template-prow-ci-version-dra.yaml index 94e505c90de..67d4d46f7b8 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-dra.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-dra.yaml 
@@ -58,6 +58,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"DynamicResourceAllocation=true,DRADeviceTaints=true,DRADeviceTaintRules=true"} runtime-config: resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml b/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml index 41e64f48556..00dd8db59be 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml @@ -70,7 +70,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml b/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml index d986830669b..9706c8e459c 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml @@ -74,6 +74,7 @@ spec: extraArgs: bind-address: '::' feature-gates: ${K8S_FEATURE_GATES:-""} + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml b/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml index de1b713e66a..04292078e24 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml 
@@ -59,6 +59,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"AllAlpha=true,AllBeta=true"} runtime-config: api/all=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version-windows.yaml b/templates/test/ci/cluster-template-prow-ci-version-windows.yaml index 1a251c525c3..4b96a52ce2b 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-windows.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-windows.yaml @@ -61,6 +61,7 @@ spec: apiServer: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-""} + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml index 9e986c27d47..7b38f9ffbe8 100644 --- a/templates/test/ci/cluster-template-prow-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version.yaml @@ -56,7 +56,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml index 2c8fca7738b..a52289998de 100644 --- a/templates/test/ci/cluster-template-prow-custom-vnet.yaml +++ b/templates/test/ci/cluster-template-prow-custom-vnet.yaml @@ -62,7 +62,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: 
diff --git a/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml b/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml index 618e885c186..6e5313c160f 100644 --- a/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml +++ b/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml @@ -69,7 +69,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-dual-stack.yaml b/templates/test/ci/cluster-template-prow-dual-stack.yaml index 924c5e996d2..c5ff22dff7c 100644 --- a/templates/test/ci/cluster-template-prow-dual-stack.yaml +++ b/templates/test/ci/cluster-template-prow-dual-stack.yaml @@ -69,7 +69,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-edgezone.yaml b/templates/test/ci/cluster-template-prow-edgezone.yaml index e5257557ee1..0ec49cc56be 100644 --- a/templates/test/ci/cluster-template-prow-edgezone.yaml +++ b/templates/test/ci/cluster-template-prow-edgezone.yaml @@ -58,7 +58,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml b/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml index f9814e761b3..a764db0d693 100644 --- a/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml +++ b/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml 
@@ -258,7 +258,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-ipv6.yaml b/templates/test/ci/cluster-template-prow-ipv6.yaml index afbfd871215..8f05a437d0b 100644 --- a/templates/test/ci/cluster-template-prow-ipv6.yaml +++ b/templates/test/ci/cluster-template-prow-ipv6.yaml @@ -69,6 +69,7 @@ spec: apiServer: extraArgs: bind-address: '::' + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml index a123b7b77b7..a038da074d8 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml index 04c83f93058..5a9a9863202 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml 
@@ -59,7 +59,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml index 1f9656aa900..2e1e4cdbe9a 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml b/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml index 17f149e8b47..6b0339f65fc 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml b/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml index fad34c0b614..a8427086498 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml 
@@ -59,7 +59,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml index 27d34935e6f..3b9d4ebad18 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml index 224efd3d617..52e657482de 100644 --- a/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml +++ b/templates/test/ci/cluster-template-prow-nvidia-gpu.yaml @@ -56,7 +56,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml index 26910fdcb43..33a58fa267e 100644 --- a/templates/test/ci/cluster-template-prow-private.yaml +++ b/templates/test/ci/cluster-template-prow-private.yaml @@ -86,7 +86,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: 
diff --git a/templates/test/ci/cluster-template-prow-spot.yaml b/templates/test/ci/cluster-template-prow-spot.yaml index 32ca12e3ba0..f6976ac39d9 100644 --- a/templates/test/ci/cluster-template-prow-spot.yaml +++ b/templates/test/ci/cluster-template-prow-spot.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow-windows.yaml b/templates/test/ci/cluster-template-prow-windows.yaml index 85d8e32f4bb..a0421bda001 100644 --- a/templates/test/ci/cluster-template-prow-windows.yaml +++ b/templates/test/ci/cluster-template-prow-windows.yaml @@ -60,6 +60,7 @@ spec: apiServer: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-""} + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml index 80f8824828c..ce770c1b069 100644 --- a/templates/test/ci/cluster-template-prow.yaml +++ b/templates/test/ci/cluster-template-prow.yaml @@ -55,7 +55,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-dra.yaml b/templates/test/dev/cluster-template-custom-builds-dra.yaml index aef108a6965..966ab36723d 100644 --- a/templates/test/dev/cluster-template-custom-builds-dra.yaml +++ b/templates/test/dev/cluster-template-custom-builds-dra.yaml 
@@ -60,6 +60,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"DynamicResourceAllocation=true,DRADeviceTaints=true,DRADeviceTaintRules=true"} runtime-config: resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-load-dra.yaml b/templates/test/dev/cluster-template-custom-builds-load-dra.yaml index 4f88a9fb6a7..d5a41ef5c9b 100644 --- a/templates/test/dev/cluster-template-custom-builds-load-dra.yaml +++ b/templates/test/dev/cluster-template-custom-builds-load-dra.yaml @@ -63,6 +63,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"DynamicResourceAllocation=true,DRADeviceTaints=true,DRADeviceTaintRules=true"} runtime-config: resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-load.yaml b/templates/test/dev/cluster-template-custom-builds-load.yaml index 1db9e30ef56..b473a7c5919 100644 --- a/templates/test/dev/cluster-template-custom-builds-load.yaml +++ b/templates/test/dev/cluster-template-custom-builds-load.yaml @@ -63,6 +63,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"AllAlpha=true,AllBeta=true"} runtime-config: api/all=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool-load-dra.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool-load-dra.yaml index 11e733450a1..173947d0133 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool-load-dra.yaml 
+++ b/templates/test/dev/cluster-template-custom-builds-machine-pool-load-dra.yaml @@ -62,6 +62,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"DynamicResourceAllocation=true,DRADeviceTaints=true,DRADeviceTaintRules=true"} runtime-config: resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool-load.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool-load.yaml index 92b7f17d40d..e5180f6fe27 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool-load.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool-load.yaml @@ -59,7 +59,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool-windows.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool-windows.yaml index 86d77991eea..41c15da2df1 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool-windows.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool-windows.yaml @@ -61,7 +61,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml index 1145808676e..eeda131aa8d 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml 
+++ b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml @@ -57,7 +57,8 @@ spec: kubeadmConfigSpec: clusterConfiguration: apiServer: - extraArgs: {} + extraArgs: + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds-windows.yaml b/templates/test/dev/cluster-template-custom-builds-windows.yaml index 6e4b0ccb6ac..e28ea93d3f8 100644 --- a/templates/test/dev/cluster-template-custom-builds-windows.yaml +++ b/templates/test/dev/cluster-template-custom-builds-windows.yaml @@ -63,6 +63,7 @@ spec: apiServer: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-""} + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml index a4faa09634e..8d7721f8de8 100644 --- a/templates/test/dev/cluster-template-custom-builds.yaml +++ b/templates/test/dev/cluster-template-custom-builds.yaml @@ -61,6 +61,7 @@ spec: extraArgs: feature-gates: ${K8S_FEATURE_GATES:-"AllAlpha=true,AllBeta=true"} runtime-config: api/all=true + service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local} timeoutForControlPlane: 20m controllerManager: extraArgs: