Serve openid configuration and public key used for service account token signing to enable support for workload identity

kubernetes/argocd/stacks/workload-identity/openid-configuration-serve.yml

@@ -0,0 +1,152 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: workload-identity-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-conf
+  namespace: workload-identity-system
+data:
+  nginx.conf: |
+    server {
+        listen       80;
+        listen  [::]:80;
+        server_name  localhost;
+        default_type appliction/json;
+
+        location / {
+            root   /usr/share/nginx/html;
+        }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: workload-identity-system
+  name: nginx-deployment
+  labels:
+    app.kubernetes.io/name: k8s-oidc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: k8s-oidc
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: k8s-oidc
+    spec:
+      tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Exists"
+          effect: "NoSchedule"
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: serve-volume
+          mountPath: /usr/share/nginx/html
+          readOnly: true
+        - name: nginx-conf
+          mountPath: /etc/nginx/conf.d/default.conf
+          subPath: nginx.conf
+          readOnly: true
+        readinessProbe:
+          httpGet:
+            path: /.well-known/openid-configuration
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: /.well-known/openid-configuration
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+      initContainers:
+      - name: init-azwi
+        image: bitnami/kubectl
+        command: ["/bin/sh", "-c"]
+        args: 
+        - |
+          mkdir -p /serve/openid/v1 /serve/.well-known
+          kubectl get --raw '/.well-known/openid-configuration' | jq > /serve/.well-known/openid-configuration
+          kubectl get --raw '/openid/v1/jwks' | jq > /serve/openid/v1/jwks
+        volumeMounts:
+        - name: serve-volume
+          mountPath: /serve
+      volumes:
+      - name: serve-volume
+        emptyDir: {}
+      - name: nginx-conf
+        configMap:
+          name: nginx-conf
+          items:
+            - key: nginx.conf
+              path: nginx.conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8s-oidc
+  namespace: workload-identity-system
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: k8s-oidc
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: k8s-oidc
+  namespace: workload-identity-system
+  annotations:
+    external-dns.alpha.kubernetes.io/target: app.acmuic.org
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`k8s-oidc.acmuic.org`)
+      services:
+        - kind: Service
+          name: k8s-oidc
+          namespace: workload-identity-system
+          passHostHeader: true
+          port: 80
+          responseForwarding:
+            flushInterval: 1ms
+          scheme: http
+          strategy: RoundRobin
+          weight: 10
+  tls:
+    secretName: k8s-oidc-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: k8s-oidc-tls
+  namespace: workload-identity-system
+spec:
+  dnsNames:
+    - k8s-oidc.acmuic.org
+  secretName: k8s-oidc-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+---