Don't fail when unable to find default SA token secret #1634

Merged
merged 4 commits into from
Mar 15, 2022

@alexsomesan alexsomesan commented Mar 10, 2022

Both the kubernetes_service_account datasource and resource contain a convenience attribute to expose the default service account created automatically by the cluster along with the SA. The check for the secret to be deemed the "default" one includes a matching of the creation timestamps between the SA and the associated Secret.

It's a valid scenario for the default token secret of a Service Account to be replaced throughout the lifecycle of the SA.

When this default secret is deleted, the cluster automatically generates a new one and updates the SA accordingly.

The provider should not fail when the default token is no longer available.

Description

Acceptance tests

  • Have you added an acceptance test for the functionality being added?
  • Have you run the acceptance tests on this branch?

Output from acceptance testing:

$ make testacc TESTARGS='-run=^TestAccKubernetesDataSourceServiceAccount_*'

=== RUN   TestAccKubernetesDataSourceServiceAccount_basic
--- PASS: TestAccKubernetesDataSourceServiceAccount_basic (4.42s)
=== RUN   TestAccKubernetesDataSourceServiceAccount_default_secret
--- PASS: TestAccKubernetesDataSourceServiceAccount_default_secret (4.44s)
PASS
ok  	github.com/hashicorp/terraform-provider-kubernetes/kubernetes	9.389s

Release Note

Release note for CHANGELOG:

Fix fail when the provider cannot determine `default_secret_name`.

References

Fixes #1104

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
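
The lookup and fallback described in this pull request, sketched as an added example (not the provider's code). The type and function names, the name-prefix test and the one-second tolerance are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical stand-ins for the Kubernetes objects (not client-go types).
type Secret struct {
	Name, Type string
	Created    time.Time
}
type ServiceAccount struct {
	Name    string
	Created time.Time
	Secrets []string // names of the secrets the SA references
}
var errNoDefault = errors.New("no token secret matches the service account creation time")

// Assumed heuristic: token type, "<sa>-token-" prefix, created within 1s of the SA.
func findDefaultSecret(sa ServiceAccount, get func(string) (Secret, error)) (string, error) {
	for _, n := range sa.Secrets {
		s, err := get(n)
		if err != nil {
			return "", fmt.Errorf("reading secret %q: %w", n, err) // lookup errors propagate
		}
		if d := s.Created.Sub(sa.Created); d >= -time.Second && d <= time.Second &&
			s.Type == "kubernetes.io/service-account-token" && strings.HasPrefix(s.Name, sa.Name+"-token-") {
			return s.Name, nil
		}
	}
	return "", errNoDefault
}

// Only "not found" becomes a warning plus an empty name; other errors are returned.
func defaultSecretName(sa ServiceAccount, get func(string) (Secret, error)) (string, []string, error) {
	name, err := findDefaultSecret(sa, get)
	if errors.Is(err, errNoDefault) {
		return "", []string{fmt.Sprintf("service account %q: %v", sa.Name, err)}, nil
	}
	return name, nil, err
}

func main() { // constructed sample: token secret recreated an hour after the SA
	t0 := time.Date(2022, 3, 10, 9, 0, 0, 0, time.UTC)
	get := func(n string) (Secret, error) { return Secret{n, "kubernetes.io/service-account-token", t0.Add(time.Hour)}, nil }
	fmt.Println(defaultSecretName(ServiceAccount{"ci", t0, []string{"ci-token-x7k2p"}}, get))
}
```

With the rotated secret in `main`, the name comes back empty with one warning and a nil error, so a caller can continue without a default secret name.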

defaultSecret, err := findDefaultServiceAccount(ctx, sa, conn)
if err != nil {
return nil, fmt.Errorf("Failed to discover the default service account token: %s", err)
log.Printf("[WARN] Failed to discover the default service account token: %s", err)
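
Review bot: In the `if err != nil` branch, every error from `findDefaultServiceAccount` is reduced to the `[WARN]` log line, so an API or permission failure is handled the same way as a default token secret that has been replaced. Consider downgrading only the "default secret not found" case and still returning other errors, and check that the code following this branch copes with whatever `defaultSecret` holds when `err` is non-nil.
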
Collaborator

Perhaps should be a warning diagnostic to tell the user this has happened, rather than simply a log?

Member Author

Was also considering that as an option. Let's do that instead.

@github-actions github-actions bot added size/S and removed size/XS labels Mar 11, 2022

hashicorp-cla commented Mar 12, 2022

CLA assistant check
All committers have signed the CLA.

@arybolovlev arybolovlev marked this pull request as ready for review March 15, 2022 09:01
@alexsomesan alexsomesan left a comment

@arybolovlev This works great! Thanks for picking this up!
Can't approve as I'm the one who created the PR. We need @jrhouston to have a look.

@arybolovlev arybolovlev force-pushed the sa-default-token-issue-1104 branch from f4c68cf to 1e165d9 Compare March 15, 2022 14:17
@arybolovlev arybolovlev merged commit c178cdc into main Mar 15, 2022
@arybolovlev arybolovlev deleted the sa-default-token-issue-1104 branch March 15, 2022 16:10
@github-actions
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 15, 2022
Successfully merging this pull request may close these issues.

Data resource for Service Account fails to find default token