Error when creating kubernetes service account "Waiting for default secret to appear" #31029

Closed
dvidben opened this issue May 11, 2022 · 6 comments

@dvidben

dvidben commented May 11, 2022

Terraform fails to create kubernetes service account claiming the default secret does not appear.
This used to work before, so I suspect the Terraform update of the kubernetes provider to the latest version (2.11.0).

Terraform Version

Terraform v1.1.9
on linux_amd64

Terraform Configuration Files

main.tf

resource "kubernetes_service_account" "admin_user" {
  metadata {
    name      = "admin-user"
  }
}

providers.tf

provider "kubernetes" {
  config_path = "~/.kube/config"
}

Debug Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_service_account.admin_user will be created
  + resource "kubernetes_service_account" "admin_user" {
      + automount_service_account_token = true
      + default_secret_name             = (known after apply)
      + id                              = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "admin-user"
          + namespace        = "default"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_service_account.admin_user: Creating...
kubernetes_service_account.admin_user: Still creating... [10s elapsed]
kubernetes_service_account.admin_user: Still creating... [20s elapsed]
kubernetes_service_account.admin_user: Still creating... [30s elapsed]
╷
│ Error: Waiting for default secret of "default/admin-user" to appear        
│
│   with kubernetes_service_account.admin_user,
│   on main.tf line 2, in resource "kubernetes_service_account" "admin_user":
│    2: resource "kubernetes_service_account" "admin_user" {

Expected Behavior

Kubernetes service account created successfully (and default secret available)

Actual Behavior

Service account fails during creation.

Steps to Reproduce

  1. terraform init
  2. terraform apply

Additional Context

No additional context

References

No similar issues identified yet.

@dvidben dvidben added bug new new issue not yet triaged labels May 11, 2022
@jbardin
Member

jbardin commented May 11, 2022

Hello,

This appears to be a question or an issue with a provider, not with Terraform itself. You can check existing issues and file a new one in the provider's project repository, linked from their registry page. If you have questions about Terraform or the provider, it's better to use the community forum where there are more people ready to help. The GitHub issues here are monitored only by a few core maintainers.

Thanks!

@jbardin jbardin closed this as completed May 11, 2022
@dvidben
Author

dvidben commented May 11, 2022

Thanks @jbardin.
This issue was related to the Docker Desktop / Kubernetes version.
For any reason, the creation of service accounts in the latest versions of Docker desktop / kubernetes does not create the default user secrets.

See below:

Docker desktop 4.8.1
$ kubectl version --short
Client Version: v1.23.0
Server Version: v1.24.0
$ kubectl create sa admin-user
serviceaccount/admin-user created
$ kubectl describe sa admin-user
Name:                admin-user
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>


Docker desktop 4.3.1
$ kubectl version --short
Client Version: v1.23.0
Server Version: v1.22.4
$ kubectl create sa admin-user
serviceaccount/admin-user created
$ kubectl describe sa admin-user
Name:                admin-user
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   admin-user-token-tcws7
Tokens:              admin-user-token-tcws7
Events:              <none>

@crw crw added question and removed bug new new issue not yet triaged labels May 12, 2022
@CRidge

CRidge commented May 25, 2022

This issue was related to the Docker Desktop / Kubernetes version. For any reason, the creation of service accounts in the latest versions of Docker desktop / kubernetes does not create the default user secrets.

Have you got this to work with the latest version of Docker Desktop / kubernetes? I'm struggling with the same issue and I can't find any other reference to the problem online than this issue ...

@dvidben I found this, which suggests it was intentional: Kubernetes 1.24.0 release notes with original issue

Still haven't figured out exactly how to get around this, though ...

@dvidben
Author

dvidben commented May 28, 2022

@CRidge for now, I have just downgraded to kubernetes v1.22.4.
While I have not tested this potential solution, based on the linked release notes you provided above, a potential path forward is to create the TokenRequest or a secret to get this manually done before the account is created.
https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
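
The manual token Secret described on the linked documentation page, as an added example that is not part of the original thread. It reuses the thread's `admin-user` account in the `default` namespace; the Secret name `admin-user-token` is an assumption chosen for illustration.

```yaml
# Added example, not from the issue thread.
# On Kubernetes 1.24+ the ServiceAccount below is created without any
# auto-generated token Secret, which matches the empty "Mountable secrets"
# and "Tokens" fields in the kubectl output shown earlier in the thread.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: default
---
# Explicitly requested token Secret. The name is an assumption; any valid
# Secret name in the same namespace as the ServiceAccount works.
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: default
  annotations:
    # Ties the Secret to the ServiceAccount. The control plane's token
    # controller fills in data.token, data.ca.crt and data.namespace once
    # the named ServiceAccount exists.
    kubernetes.io/service-account.name: admin-user
type: kubernetes.io/service-account-token
```

A token stored this way does not expire until the Secret or the ServiceAccount is deleted, so restrict read access to the Secret through RBAC. Tokens issued through the TokenRequest API are time-bound instead.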

@CRidge

CRidge commented May 29, 2022

@dvidben I tried the route you linked to, but couldn't get that to work either, so I've also downgraded kubernetes to pre 1.24.

I've also created an issue with the kubernetes provider: hashicorp/terraform-provider-kubernetes#1724

@github-actions
Contributor

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 29, 2022