Use internal api url for jwks when required

The public api url cannot be used by pods and nodes if access is restricted. So by default we need to use the internal one.
This should finally pass the OIDC e2e test

For public access, api server must be publically available and anonymous
auth must be enabled

pkg/model/iam/subject.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/wellknownusers"
+	"k8s.io/kops/upup/pkg/fi"
 )
 
 // Subject represents an IAM identity, to which permissions are granted.
@@ -85,7 +86,22 @@ func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) str
 	if clusterSpec.KubeAPIServer != nil && clusterSpec.KubeAPIServer.ServiceAccountIssuer != nil {
 		return *clusterSpec.KubeAPIServer.ServiceAccountIssuer
 	}
-	return "https://api." + clusterName
+	if supportsPublicJWKS(clusterSpec) {
+		return "https://api." + clusterName
+	}
+	return "https://api.internal." + clusterName
+}
+
+func supportsPublicJWKS(clusterSpec *kops.ClusterSpec) bool {
+	if !fi.BoolValue(clusterSpec.KubeAPIServer.AnonymousAuth) {
+		return false
+	}
+	for _, cidr := range clusterSpec.KubernetesAPIAccess {
+		if cidr == "0.0.0.0/0" {
+			return true
+		}
+	}
+	return false
 }
 
 // AddServiceAccountRole adds the appropriate mounts / env vars to enable a pod to use a service-account role

tests/integration/update_cluster/bastionadditional_user-data/data/aws_launch_template_master-us-test-1a.masters.bastionuserdata.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.bastionuserdata.example.com
+  serviceAccountIssuer: https://api.internal.bastionuserdata.example.com
-  serviceAccountJWKSURI: https://api.bastionuserdata.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.bastionuserdata.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/complex/cloudformation.json.extracted.yaml

@@ -220,8 +220,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.complex.example.com
+    serviceAccountIssuer: https://api.internal.complex.example.com
-    serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.complex.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     serviceNodePortRange: 28000-32767
     storageBackend: etcd3

tests/integration/update_cluster/complex/data/aws_launch_template_master-us-test-1a.masters.complex.example.com_user_data

@@ -219,8 +219,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.complex.example.com
+  serviceAccountIssuer: https://api.internal.complex.example.com
-  serviceAccountJWKSURI: https://api.complex.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.complex.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/compress/data/aws_launch_template_master-us-test-1a.masters.compress.example.com_user_data

@@ -144,7 +144,7 @@ function download-release() {
 echo "== nodeup node config starting =="
 ensure-install-dir
 
-echo "H4sIAAAAAAAA/+xWbW/bthN/709B9I+ibxrJSvLvNqEF5jnd4jXpPLsPA4ZioMmzzJki1SOpxMM+/HCkbMtOsm7ry80GbPGeeA+/u5PQNsixNUtVlQPGam54BXNvkVcw1tw5cCXzGGAgrPFcGcBZMF7VULIdRe6ZkqyIaO+HFhCVhJL9PmCMsRbQKWvYC3Y6iISfGx0qZdyHdNwTskfKZnuTWYWNyNoiE6ge7YT/mniP3tP827oZpqDdgZF/boYexIcDU4x1zF/8pgH2gh2ZJI2sPX00ONL6LBcy23hlqQTs6DPfOA+1HFdoQ8NeJAwwpm11BS3okimztINdVUtWZOfZ2UBasQYkELi1aibGea51hyAwAjfxvg5wzAStB+CFHOvgPKAjRWjB+PjUs36WnWfFWUSoMvfz1mEBo+lkDtgmD7jW9maKqlUaKpDlNgZurNnUNrhR8KuSLbl2kdyoUZAKjIB4+wkji2jAg8tcKzIJSx60T6LpmrENxpesIFrwK4vqN04BXlvC/Ujf8I0bkRsDxhbKyJGUCM6VbJjFLzULdeAUbaskYMn4jaMcGL7QMJK1chTjNJU4efWa1+AaLuBKLUFshIZIvlK18jNuKsB4JgeVgJEQ5GMkTSljzoPx76wONVzxBejIuUih9Ru/T39jNWAMbA7CGpmY18Fzr0y1c/M9LFbWriPzHddKPsx+bSXMwHlUgsxG2gycDSjgx2A9pyR4IVOau8hX3jdlnhenX8TsFeX5cFgcCm6HTqeRJzD97z7N0wFjquYVlGz9pcsqgZmyOdX8hDfKJRi1RXaa6kQMDX6KsARE2JbyzabZXjYxHtBwPZnG46V13vA6VeflbY+3byLyAeFjAOdXwCVgBAvIWONklVcVQsW9xWPZl7ce+WV8JK/U7Vblp5MZ1NbDSZQ4Odb7jlo66R0rRNax/FtHrtdwvwpxqd1BBISpRV+y8/OzSOkDcOJcIHxTJVyZ57xRmbB1QznM4JbXjQYi3FH8/v2r+dvZ5NOauW3AKJm3Rf7rzdrtDXXDZTKN3VGyYjjMnp0TEPI4UlxC/TdcrMHIMsIpjZOxNR6t1oDXcTHuxorgHgjC48nFzO0Hi/dcrC6AfmfUKEJpmG+MmAIqK0tW1EP3UMuL5CVZTC5+9Sy5WOyZBAvau/emLW3dgDAm8zMbPO3u7XR7AOliF+FJ3YW4h7xOMNMQezRN3R6tvLsUCM/BweHsGSNIMF5xvU0VXT1Fe7spPxl4E2YJi5FHca66vtq/Xzz5mt+4Jw8H2cSrenH1/CWBuViBDDqV9wEbbifzefnpxkj58B4SceVeoKL5w1zawzv6zFpfsvwTKLp4Pe/hvBj2ODZu0O0xIyzr3ca5gEWoKmWqS26kpmbfxgBtmtSXHGXJaqgtbjLecqVJ73kxHF6rp8ZKWLoD8uMtUdG/+xYBnv//8dOY5TuiW+qB7J+XnPKZkD/llMW85Zhrtci7ROd7gTtINeBvLK7Tdu16yyhiWHPN3ccAyFOPHw4NSmdj5TU3agnOdxeDF/n+jSGvO64b1Jwy/eq/wv/bCk97tKIXLuwmDMW7rfcfAAAA//8BAAD//5CIzc16DQAA" | base64 -d | gzip -d > conf/cluster_spec.yaml
+echo "H4sIAAAAAAAA/+xW648bNRD/nr/CKqr6pbebvTsKrFqJkCtc6N0Rkj6QUIUce7Ix8drbsb13QfzxaOzN8y6U0o+QSMl6Xp7Hb2ZWaBvk0Jq5qsoeYzU3vIKpt8grGGruHLiSeQzQE9Z4rgzgJBivaijZhiK3TElWRLT3UwuISkLJ/uwxxlgL6JQ17AU77UXCr40OlTLufTpuCdkjZbOtyazCRmRtkQlUjzbC/0x8h76j+cm6Gaag3Z6Rf2+GHsT7PVOMdczf/KoB9oIdmCSNrD191DvQ+iwXMtt4ZakE7OAzXTkPtRxWaEPDXiQMMKZtdQUt6JIpM7e9TVVLVmTn2VlPWrEEJBC4pWpGxnmudYcgMAJX8b4OcMwErXvghRzq4DygI0Vowfj4tGP9LDvPirOIUGUe5i3DDAbj0RSwTR5wre3tGFWrNFQgy3UM3Fizqm1wg+AXJZtz7SK5UYMgFRgB8fYTRhbRgAeXuVZkEuY8aJ9E0zVDG4wvWUG04BcW1R+cAry2hPuBvuUrNyA3eozNlJEDKRGcK1k/i19qFurAMdpWScCS8VtHOTB8pmEga+UoxnEqcfLqhtfgGi7gSs1BrISGSL5StfITbirAeCYHlYCBEORjJI0pY86D8W+tDjVc8RnoyLlIoe02/i79tdWAMbApCGtkYl4Hz70y1cbNdzBbWLuMzLdcK3mcfWMlTMB5VILMRtoEnA0o4OdgPackeCFTmrvIF943ZZ4Xp1/F7BXleb9f7Auuh06nkScwffGQ5mmPMVXzCkq2/NpllcBM2ZxqfsIb5RKM2iI7TXUihgY/RpgDIqxL+XrVrC8bGQ9ouB6N4/HSOm94narz8m6Ht20i8gHhQwDnF8AlYAQLyFjjZJVXFULFvcVD2Zd3HvllfCSv1N1a5ZeTCdTWw0mUODnU+4FaOukdKkTWofwbR67X8LAKcandQQSEsUVfsvPzs0jZBeDIuUD4pkq4Ms95ozLVJSwTtm4omRnc8brRQIR7Fn5892r6ZjL6BBO5bcAombdF/vvt0m0tduNmNI79UrKi38+enRM08jhkXOqD77hYgpFlBFgaMENrPFqtAa/jqtwMGsE9EKiHo4uJ244a77lYXAD9Tqh1hNIwXRkxBlRWlqyo++7YEBDJS7KYXPzmWXKx2DIJKLSJH8xf2sMBYUjmJzZ42ubreXcE+2IT4UndhbhtAp2ApyF2bZrDO7Ty/poghAcH+9NoiCDBeMX1OlV09Rjt3ar8aOBNmCR0Rh7Fueg6bfvG8eRbfuueHA+yiVftxLXjLwlMxQJk0Km8R2y4jczn5acbLOXxzSTiEr5ARROJubSZN/SJtb5k+UdQdHEz3cF50d/h2LhT18eMsKw3O+gCZqGqlKkuuZGa2n8dA7Rpdl9ylCWroba4ynjLlSa950W/f62eGith7vbIj9dERf/uewR4/uXjpzHL90TX1D3Zvy855TMhf8wpi3nLMddqlneJzrcC95BqwN9aXKZ92/WWUcSw5pq7DwGQpx7fHxqUzsbKa27UHJzvLgYv8u07RF53XNerOWX61f+F/68VnjZrRa9g2E0Yindd778AAAD//wEAAP//mzuXKIwNAAA=" | base64 -d | gzip -d > conf/cluster_spec.yaml
 
 echo "H4sIAAAAAAAA/6qu5QIAAAD//wEAAP//BrCh3QMAAAA=" | base64 -d | gzip -d > conf/ig_spec.yaml
 

tests/integration/update_cluster/containerd-custom/cloudformation.json.extracted.yaml

@@ -224,8 +224,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.containerd.example.com
+    serviceAccountIssuer: https://api.internal.containerd.example.com
-    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/containerd/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amasterscontainerdexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.containerd.example.com
+    serviceAccountIssuer: https://api.internal.containerd.example.com
-    serviceAccountJWKSURI: https://api.containerd.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.containerd.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/docker-custom/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersdockerexamplecom.Properties.L
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.docker.example.com
+    serviceAccountIssuer: https://api.internal.docker.example.com
-    serviceAccountJWKSURI: https://api.docker.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.docker.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1a.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1b.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam/data/aws_launch_template_master-us-test-1c.masters.existing-iam.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existing-iam.example.com
+  serviceAccountIssuer: https://api.internal.existing-iam.example.com
-  serviceAccountJWKSURI: https://api.existing-iam.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existing-iam.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountIssuer: https://api.internal.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1a.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1b.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/existing_sg/data/aws_launch_template_master-us-test-1c.masters.existingsg.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.existingsg.example.com
+  serviceAccountIssuer: https://api.internal.existingsg.example.com
-  serviceAccountJWKSURI: https://api.existingsg.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.existingsg.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externallb/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersexternallbexamplecom.Properti
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.externallb.example.com
+    serviceAccountIssuer: https://api.internal.externallb.example.com
-    serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.externallb.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/externallb/data/aws_launch_template_master-us-test-1a.masters.externallb.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.externallb.example.com
+  serviceAccountIssuer: https://api.internal.externallb.example.com
-  serviceAccountJWKSURI: https://api.externallb.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.externallb.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/externalpolicies/data/aws_launch_template_master-us-test-1a.masters.externalpolicies.example.com_user_data

@@ -206,8 +206,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.externalpolicies.example.com
+  serviceAccountIssuer: https://api.internal.externalpolicies.example.com
-  serviceAccountJWKSURI: https://api.externalpolicies.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.externalpolicies.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   serviceNodePortRange: 28000-32767
   storageBackend: etcd3

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1a.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountIssuer: https://api.internal.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1b.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountIssuer: https://api.internal.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha/data/aws_launch_template_master-us-test-1c.masters.ha.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha.example.com
+  serviceAccountIssuer: https://api.internal.ha.example.com
-  serviceAccountJWKSURI: https://api.ha.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-a-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-b-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/ha_gce/data/google_compute_instance_template_master-us-test1-c-ha-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.ha-gce.example.com
+  serviceAccountIssuer: https://api.internal.ha-gce.example.com
-  serviceAccountJWKSURI: https://api.ha-gce.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.ha-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1amasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -546,8 +546,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1bmasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -886,8 +886,8 @@ Resources.AWSAutoScalingLaunchConfigurationmasterustest1cmasterslaunchtemplatese
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.launchtemplates.example.com
+    serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-    serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1a.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1b.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/launch_templates/data/aws_launch_configuration_master-us-test-1c.masters.launchtemplates.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.launchtemplates.example.com
+  serviceAccountIssuer: https://api.internal.launchtemplates.example.com
-  serviceAccountJWKSURI: https://api.launchtemplates.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.launchtemplates.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal-cloudformation/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountIssuer: https://api.internal.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/minimal-gp3/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalexamplecom.Properties.
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.minimal.example.com
+    serviceAccountIssuer: https://api.internal.minimal.example.com
-    serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/minimal-gp3/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.minimal.example.com
+  serviceAccountIssuer: https://api.internal.minimal.example.com
-  serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.minimal.example.com
+  serviceAccountIssuer: https://api.internal.minimal.example.com
-  serviceAccountJWKSURI: https://api.minimal.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.minimal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.minimal-gce.example.com
+  serviceAccountIssuer: https://api.internal.minimal-gce.example.com
-  serviceAccountJWKSURI: https://api.minimal-gce.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.minimal-gce.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -546,8 +546,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1bmastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -886,8 +886,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1cmastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1a.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1b.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances/data/aws_launch_template_master-us-test-1c.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/cloudformation.json.extracted.yaml

@@ -206,8 +206,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -546,8 +546,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1bmastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:
@@ -886,8 +886,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1cmastersmixedinstancesexamplecom.Prop
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.mixedinstances.example.com
+    serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-    serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1a.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1b.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/mixed_instances_spot/data/aws_launch_template_master-us-test-1c.masters.mixedinstances.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.mixedinstances.example.com
+  serviceAccountIssuer: https://api.internal.mixedinstances.example.com
-  serviceAccountJWKSURI: https://api.mixedinstances.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.mixedinstances.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/private-shared-ip/cloudformation.json.extracted.yaml

@@ -207,8 +207,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatesharedipexamplecom.Pro
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.private-shared-ip.example.com
+    serviceAccountIssuer: https://api.internal.private-shared-ip.example.com
-    serviceAccountJWKSURI: https://api.private-shared-ip.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.private-shared-ip.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/private-shared-ip/data/aws_launch_template_master-us-test-1a.masters.private-shared-ip.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.private-shared-ip.example.com
+  serviceAccountIssuer: https://api.internal.private-shared-ip.example.com
-  serviceAccountJWKSURI: https://api.private-shared-ip.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.private-shared-ip.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/private-shared-subnet/data/aws_launch_template_master-us-test-1a.masters.private-shared-subnet.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.private-shared-subnet.example.com
+  serviceAccountIssuer: https://api.internal.private-shared-subnet.example.com
-  serviceAccountJWKSURI: https://api.private-shared-subnet.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.private-shared-subnet.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml

@@ -207,8 +207,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.privatecalico.example.com
+    serviceAccountIssuer: https://api.internal.privatecalico.example.com
-    serviceAccountJWKSURI: https://api.privatecalico.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.privatecalico.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatecalico.example.com
+  serviceAccountIssuer: https://api.internal.privatecalico.example.com
-  serviceAccountJWKSURI: https://api.privatecalico.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatecalico.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecanal/data/aws_launch_template_master-us-test-1a.masters.privatecanal.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatecanal.example.com
+  serviceAccountIssuer: https://api.internal.privatecanal.example.com
-  serviceAccountJWKSURI: https://api.privatecanal.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatecanal.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatecilium/cloudformation.json.extracted.yaml

@@ -207,8 +207,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom.Prope
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.privatecilium.example.com
+    serviceAccountIssuer: https://api.internal.privatecilium.example.com
-    serviceAccountJWKSURI: https://api.privatecilium.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.privatecilium.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privatecilium/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatecilium.example.com
+  serviceAccountIssuer: https://api.internal.privatecilium.example.com
-  serviceAccountJWKSURI: https://api.privatecilium.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatecilium.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateciliumadvanced/cloudformation.json.extracted.yaml

@@ -209,8 +209,8 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumadvancedexamplec
     requestheaderUsernameHeaders:
     - X-Remote-User
     securePort: 443
-    serviceAccountIssuer: https://api.privateciliumadvanced.example.com
+    serviceAccountIssuer: https://api.internal.privateciliumadvanced.example.com
-    serviceAccountJWKSURI: https://api.privateciliumadvanced.example.com/openid/v1/jwks
+    serviceAccountJWKSURI: https://api.internal.privateciliumadvanced.example.com/openid/v1/jwks
     serviceClusterIPRange: 100.64.0.0/13
     storageBackend: etcd3
   kubeControllerManager:

tests/integration/update_cluster/privateciliumadvanced/data/aws_launch_template_master-us-test-1a.masters.privateciliumadvanced.example.com_user_data

@@ -207,8 +207,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privateciliumadvanced.example.com
+  serviceAccountIssuer: https://api.internal.privateciliumadvanced.example.com
-  serviceAccountJWKSURI: https://api.privateciliumadvanced.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privateciliumadvanced.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatedns1/data/aws_launch_template_master-us-test-1a.masters.privatedns1.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatedns1.example.com
+  serviceAccountIssuer: https://api.internal.privatedns1.example.com
-  serviceAccountJWKSURI: https://api.privatedns1.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatedns1.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatedns2/data/aws_launch_template_master-us-test-1a.masters.privatedns2.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatedns2.example.com
+  serviceAccountIssuer: https://api.internal.privatedns2.example.com
-  serviceAccountJWKSURI: https://api.privatedns2.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatedns2.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateflannel/data/aws_launch_template_master-us-test-1a.masters.privateflannel.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privateflannel.example.com
+  serviceAccountIssuer: https://api.internal.privateflannel.example.com
-  serviceAccountJWKSURI: https://api.privateflannel.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privateflannel.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privatekopeio/data/aws_launch_template_master-us-test-1a.masters.privatekopeio.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privatekopeio.example.com
+  serviceAccountIssuer: https://api.internal.privatekopeio.example.com
-  serviceAccountJWKSURI: https://api.privatekopeio.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privatekopeio.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/privateweave/data/aws_launch_template_master-us-test-1a.masters.privateweave.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.privateweave.example.com
+  serviceAccountIssuer: https://api.internal.privateweave.example.com
-  serviceAccountJWKSURI: https://api.privateweave.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.privateweave.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/shared_subnet/data/aws_launch_template_master-us-test-1a.masters.sharedsubnet.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.sharedsubnet.example.com
+  serviceAccountIssuer: https://api.internal.sharedsubnet.example.com
-  serviceAccountJWKSURI: https://api.sharedsubnet.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.sharedsubnet.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/shared_vpc/data/aws_launch_template_master-us-test-1a.masters.sharedvpc.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.sharedvpc.example.com
+  serviceAccountIssuer: https://api.internal.sharedvpc.example.com
-  serviceAccountJWKSURI: https://api.sharedvpc.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.sharedvpc.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager:

tests/integration/update_cluster/unmanaged/data/aws_launch_template_master-us-test-1a.masters.unmanaged.example.com_user_data

@@ -205,8 +205,8 @@ kubeAPIServer:
   requestheaderUsernameHeaders:
   - X-Remote-User
   securePort: 443
-  serviceAccountIssuer: https://api.unmanaged.example.com
+  serviceAccountIssuer: https://api.internal.unmanaged.example.com
-  serviceAccountJWKSURI: https://api.unmanaged.example.com/openid/v1/jwks
+  serviceAccountJWKSURI: https://api.internal.unmanaged.example.com/openid/v1/jwks
   serviceClusterIPRange: 100.64.0.0/13
   storageBackend: etcd3
 kubeControllerManager: