
fix: issue with kubernetes_service_account in k8s 1.24 #1329

Closed

wants to merge 5 commits into from

Conversation

y4ssi

@y4ssi y4ssi commented Jul 20, 2022

The problem when generating new service accounts is that the secret containing the SA token is no longer generated automatically since the LegacyServiceAccountTokenNoAutoGeneration feature gate was enabled as true in Kubernetes clusters version 1.24.
(references: kubernetes/enhancements#2799
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)

This is the reported issue for the terraform resource kubernetes_service_account
hashicorp/terraform-provider-kubernetes#1724

Alternative changes were made using the terraform resource kubernetes_manifest to manually generate the service accounts along with their secret

@y4ssi y4ssi requested review from a team, Jberlinsky and bharathkkb as code owners July 20, 2022 15:42
@google-cla

google-cla bot commented Jul 20, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Member

@bharathkkb bharathkkb left a comment


Thanks for the PR @yasserisa

@@ -45,16 +44,45 @@ resource "google_service_account" "cluster_service_account" {
project = var.project_id
}

resource "kubernetes_service_account" "main" {
resource "kubernetes_manifest" "main_secret" {
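Review bot: the hunk header `@@ -45,16 +44,45 @@` says 16 lines were replaced by 45, but only the two resource headers are visible in this excerpt (`resource "kubernetes_service_account" "main"` giving way to `resource "kubernetes_manifest" "main_secret"`), so the body of `main_secret` cannot be reviewed from here; please show the full block, since a reviewer needs to confirm the manifest declares a Secret of type `kubernetes.io/service-account-token` carrying the `kubernetes.io/service-account.name` annotation, without which the token controller never populates it. Dropping the `kubernetes_service_account.main` address is also a state-breaking change for existing users of the module and should be called out in the PR description, ideally with a `moved` block or an upgrade note.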
Member


Using the manifest resource has a limitation which requires the cluster to be available at plan time. We may have to look at other alternatives.

https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest#before-you-use-this-resource

Author


That's a very good point.

I found a community module that might solve the problem.

https://registry.terraform.io/providers/gavinbunney/kubectl/latest

Another alternative I was thinking about is that we occupy a script using this module

https://github.com/terraform-google-modules/terraform-google-gcloud/tree/master/modules/kubectl-wrapper

@comment-bot-dev

@yasserisa
Thanks for the PR! 🚀
✅ Lint checks have passed.

Member

@bharathkkb bharathkkb left a comment


@yasserisa Looks like there is some movement in the provider to fix this. Since this will be a breaking change if we switch to wrapper I am leaning towards waiting a bit to see if the fix will help.

@y4ssi
Author

y4ssi commented Jul 27, 2022

@yasserisa Looks like there is some movement in the provider to fix this. Since this will be a breaking change if we switch to wrapper I am leaning towards waiting a bit to see if the fix will help.

@bharathkkb

I have seen that the PR was generated yesterday to fix the problem.

hashicorp/terraform-provider-kubernetes#1792

I agree to wait. As I saw in the PR, the kubernetes_service_account resource will not wait for the creation of the secret, so I assume that all we would have to do subsequent to the SA creation is generate the secret manually; in that case we could use the kubernetes_secret resource and so keep the code cleaner without adding a breaking change.
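Both the PR description and the comment above describe the same two-step procedure for a 1.24+ cluster: create the service account, then create its token Secret explicitly, because the control plane no longer does so. The following is an added example written for this discussion, not code from this PR or from the terraform-google-kubernetes-engine module. It assumes a configured `kubernetes` provider pointed at a 1.24+ cluster; the resource names and the `var.service_account_name` / `var.namespace` variables are placeholders.

```hcl
# Added example, not part of the PR or the module. Names and variables are placeholders.

resource "kubernetes_service_account" "main" {
  metadata {
    name      = var.service_account_name
    namespace = var.namespace
  }
  # On 1.24+ (LegacyServiceAccountTokenNoAutoGeneration enabled) no token
  # Secret is created for this SA automatically, so the resource completes
  # as soon as the ServiceAccount object exists.
}

# Explicitly request a long-lived token for the SA. The annotation is what
# binds the Secret to the SA; the token controller then fills in
# data["token"], data["ca.crt"] and data["namespace"].
resource "kubernetes_secret" "main_token" {
  metadata {
    name      = "${kubernetes_service_account.main.metadata[0].name}-token"
    namespace = kubernetes_service_account.main.metadata[0].namespace
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account.main.metadata[0].name
    }
  }
  type = "kubernetes.io/service-account-token"
  # The references above order creation: the SA exists before the controller
  # is asked to issue a token for it, so no depends_on is needed.
}

output "service_account_token" {
  value     = kubernetes_secret.main_token.data["token"]
  sensitive = true
}
```

Because the Secret is a plain `kubernetes_secret`, the existing `kubernetes_service_account.main` address is untouched, which is the non-breaking path the comment describes; only the new `kubernetes_secret.main_token` is added to state. The token it yields is a standing, non-expiring credential that ends up in Terraform state, so the state backend needs the same protection as the cluster credentials themselves, and a projected or TokenRequest-issued token is the better choice wherever the consumer supports it.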

@bharathkkb
Member

hashicorp/terraform-provider-kubernetes#1792 was merged so I am closing this. We may need to constrain the provider to new min version once released.

@bharathkkb bharathkkb closed this Aug 18, 2022