Default secret no longer being generated for service account, with Ku…

…bernetes 1.24.0 (hashicorp#1724)

Because of k8s version 1.24 the default token will not be generated.
`The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount.`
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
The check of the service account count is wong assuming that it has always a default token.

README.md

@@ -21,7 +21,7 @@ Please note: We take Terraform's security and our users' trust very seriously. I
 ## Requirements
 
 -	[Terraform](https://www.terraform.io/downloads.html) 0.12.x
--	[Go](https://golang.org/doc/install) 1.16.x (to build the provider plugin)
+-	[Go](https://golang.org/doc/install) 1.18.x (to build the provider plugin)
 
 
 ## Contributing to the provider

kubernetes/resource_kubernetes_service_account.go

@@ -117,9 +117,15 @@ func getServiceAccountDefaultSecret(ctx context.Context, name string, config api
 			return resource.NonRetryableError(err)
 		}
 
-		if len(resp.Secrets) == len(config.Secrets) {
-			log.Printf("[DEBUG] Configuration contains %d secrets, saw %d, expected %d", len(config.Secrets), len(resp.Secrets), len(config.Secrets)+1)
-			return resource.RetryableError(fmt.Errorf("Waiting for default secret of %q to appear", buildId(resp.ObjectMeta)))
+		/*
+		   https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
+		   K8s 1.24: The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default.
+		   This means the default token will not be there and requires onw token to be generated and attached.
+		   Generate the error only if there are no responses of the minimal set of token are not there.
+		*/
+		if len(resp.Secrets) == 0 {
+			log.Printf("[DEBUG] Configuration contains %d secrets, saw %d", len(config.Secrets), len(resp.Secrets))
+			return resource.RetryableError(fmt.Errorf("Waiting for service account token secret of %q to appear [%d/%d]", buildId(resp.ObjectMeta), len(config.Secrets), len(resp.Secrets)))
 		}
 
 		diff := diffObjectReferences(config.Secrets, resp.Secrets)

kubernetes/resource_kubernetes_service_account_test.go

@@ -102,6 +102,35 @@ func TestAccKubernetesServiceAccount_automount(t *testing.T) {
 					}),
 				),
 			},
+			//K8s 1.24 without default token test
+			{
+				Config: testAccKubernetesServiceAccountConfig_automount(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesServiceAccountExists("kubernetes_service_account.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.annotations.%", "2"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.annotations.TestAnnotationOne", "one"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.annotations.TestAnnotationTwo", "two"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.%", "3"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.TestLabelOne", "one"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.TestLabelTwo", "two"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.TestLabelThree", "three"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.name", name),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "2"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
+					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{
+						regexp.MustCompile("^" + name + "-three$"),
+						regexp.MustCompile("^" + name + "-four$"),
+					}),
+					testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{
+						regexp.MustCompile("^" + name + "-one$"),
+						regexp.MustCompile("^" + name + "-two$"),
+					}),
+				),
+			},
 		},
 	})
 }
@@ -192,6 +221,24 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) {
 					}),
 				),
 			},
+			//K8s 1.24 without default token test
+			{
+				Config: testAccKubernetesServiceAccountConfig_noAttributes(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesServiceAccountExists("kubernetes_service_account.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.annotations.%", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.%", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.name", name),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
+					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}),
+					testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{}),
+				),
+			},
 		},
 	})
 }
@@ -224,6 +271,23 @@ func TestAccKubernetesServiceAccount_generatedName(t *testing.T) {
 					}),
 				),
 			},
+			{
+				//K8s 1.24 without default token test
+				Config: testAccKubernetesServiceAccountConfig_generatedName(prefix),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesServiceAccountExists("kubernetes_service_account.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.annotations.%", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.%", "0"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.generate_name", prefix),
+					resource.TestMatchResourceAttr("kubernetes_service_account.test", "metadata.0.name", regexp.MustCompile("^"+prefix)),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.generation"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.resource_version"),
+					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
+					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}),
+					testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{}),
+				),
+			},
 		},
 	})
 }