Connect: only look for service account secrets when creating/updating auth method #321

Merged (3 commits) on Sep 10, 2020


ishustava
Contributor

Changes proposed in this PR:

A Kubernetes service account could have multiple secrets associated with it.
Previously, we were only looking at the first secret in the list and using
that secret to create or update the auth method in Consul.
However, on some platforms the service account may contain other types of secrets.
Specifically, in the case of OpenShift, there are two secrets: one for the service account token
and the other for Docker config credentials. This second secret gets injected automatically by OpenShift.

This PR changes our implementation to use the first secret of type kubernetes.io/service-account-token.

How I've tested this PR:

Created a Docker image (ishustava/consul-k8s-dev:09-04-2020-5e7491d) and ran connect acceptance tests with it on OpenShift.

How I expect reviewers to test this PR:

No infrastructure tests required from the reviewers at this point. We can rely on helm acceptance tests to make sure we didn't break anything.

Checklist:

  • Tests added
  • CHANGELOG entry added (HashiCorp engineers only, community PRs should not add a changelog entry)
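
The selection rule from the PR description above, as an added Go example that is not the code from this PR. The `Secret` struct, the `get` lookup and the sample secret names are assumptions made for illustration; the Docker config secret is placed first in the list, as the description says happens on OpenShift.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret type named in the PR description.
const tokenType = "kubernetes.io/service-account-token"

// Secret is a simplified stand-in for a Kubernetes Secret (assumption; real
// code would use the k8s.io/api/core/v1 types).
type Secret struct{ Name, Type string }

var errNoTokenSecret = errors.New("service account has no secret of type " + tokenType)

// firstTokenSecret walks the service account's secret references in order and
// returns the first secret whose type is kubernetes.io/service-account-token,
// skipping any other kind. get is a hypothetical lookup by secret name.
func firstTokenSecret(refs []string, get func(string) (Secret, error)) (Secret, error) {
	for _, name := range refs {
		s, err := get(name)
		if err != nil {
			return Secret{}, fmt.Errorf("reading secret %q: %w", name, err)
		}
		if s.Type == tokenType {
			return s, nil
		}
	}
	return Secret{}, errNoTokenSecret
}

// Constructed sample data: names and ordering are made up for this example.
var sampleSecrets = map[string]Secret{
	"sa-dockercfg-x1": {Name: "sa-dockercfg-x1", Type: "kubernetes.io/dockercfg"},
	"sa-token-y2":     {Name: "sa-token-y2", Type: tokenType},
}

func sampleGet(name string) (Secret, error) {
	s, ok := sampleSecrets[name]
	if !ok {
		return Secret{}, fmt.Errorf("secret %q not found", name)
	}
	return s, nil
}

func main() {
	// Taking refs[0] would pick the Docker config secret; the filter does not.
	fmt.Println(firstTokenSecret([]string{"sa-dockercfg-x1", "sa-token-y2"}, sampleGet))
}
```

Returning an error when no token secret is present keeps the caller from configuring the auth method with the wrong credential type.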

@ishustava ishustava added area/connect Related to Connect service mesh, e.g. injection theme/openshift labels Sep 8, 2020
… auth method

A Kubernetes service account could have multiple secrets associated with it.
Previously, we were only looking at the first secret in the list and using
that secret to create or update the auth method in Consul.
However, on some platforms (OpenShift) the service account may contain other types of secrets.
Specifically, in the case of OpenShift, there are two secrets: one for the service account token
and the other for Docker credentials. This second secret gets injected automatically by OpenShift.
This changes our implementation to use the first secret of type kubernetes.io/service-account-token.
@ishustava ishustava force-pushed the auth-method-multiple-secrets branch from f89a6ad to 3af44be Compare September 8, 2020 20:09
Contributor

@thisisnotashwin thisisnotashwin left a comment

Looks great!

@ishustava ishustava force-pushed the auth-method-multiple-secrets branch from b4a832d to e8f465b Compare September 10, 2020 03:58
@ishustava ishustava requested a review from lkysow September 10, 2020 04:03
@ishustava ishustava merged commit 9a19fe9 into master Sep 10, 2020
@ishustava ishustava deleted the auth-method-multiple-secrets branch September 10, 2020 23:13
ndhanushkodi pushed a commit to ndhanushkodi/consul-k8s that referenced this pull request Jul 9, 2021
Add -job to filename to match convention