automountServiceAccountToken default disagrees with k8s #263
Comments
There's something worse wrong than the default, because changing the terraform config for this field has no effect on the actual value. I've toggled it from true to false and back in the tf config, and tf says it updates it, but nothing actually happens to the kubernetes service account's config.
This was defaulted to It was only recently added to docs but not yet released in the docs: https://github.com/terraform-providers/terraform-provider-kubernetes/pull/253/files What's worse is that for some specs like Pod it's just set to false. This should be added to the configuration spec and not fixed to false. If this provider has specific opinions just so that it can work, it is essentially crippled. The lengths I had to go to find out this was the problem in the provider... :)
This is breaking my ingress controller setup. Is it possible to manually mount the service account token currently or any workaround to this?
@dploeger set automountServiceAccountToken: true in your deployment config. (kubectl edit deploy/deployment_name)
@dploeger No, I believe the default of false results in the automountServiceAccountToken being set on a pod when you deploy the pod with the kubernetes provider. A single pod, that is. If you set it for the deployment, the pod is created by the deployment, not by the provider. So the deployment sets the value.
@j00p34 I saw that in the pods automountServiceAccountToken was set to false after I had changed it in the deployment. But I'm currently unsure whether I had recreated the pods from the deployment. Will check it out and keep you posted.
It's definitely true in k8s api, I can confirm that... This default
To come back to this, yes. kubectl edit (I used patch) enables the automount in the deployment again. However, this is obviously not the way I want to do that with Terraform. 😄 Any progress on setting this on the deployment using terraform?
Agree here. I get that the maintainers want to not expose this option to keep it "strict" (and force you to mount the service account directly) but this makes things very painful.
Is this planned for some release?
Hi. Any updates on this issue? Why not have a way to configure this as we need?
There's an active PR: #261
FTR, this appears to be related to #38.
In terraform it seems that even if you set automount_service_account_token = true on kubernetes_service_account, the kubernetes_deployment resource block overwrites it with "false" by default. The issue is that the kubernetes_deployment resource doesn't permit changing this config. I had to create my deployment config in a yaml file and call it with a local-exec provisioner to make things work.
@JnMik See the workaround at #38 (comment). A fix is likely to be merged soon for Deployments: #261 (comment)
This issue has been open 180 days with no activity. If this issue is reproducible with the latest version of the provider and with Terraform 0.12, please comment. Otherwise this issue will be closed in 30 days.
#814 was merged, I believe this can now be closed.
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
I expected the result of terraform to be the same as the result of the equivalent kubectl apply myyaml. For example:
Actual Behavior
Note that automountServiceAccountToken is set to false, unlike the expected behavior.
References
The Reference doesn't explicitly mention the default value of this field, but behaviorally, the default is true, as implied by the "can opt out" language in the user guide. Currently terraform-provider-kubernetes sets the default to "false" which disagrees with the default behavior in a subtle but completely-breaking way. As a newcomer, I didn't know anything about this file, much less that it could be turned off, so I assumed that the mysterious "open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory" error I was encountering was caused by my own fault, and it took me ~4 hours to find the true cause.
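
Added example, not part of the issue thread and not the provider's or Kubernetes' own code: a model of how the effective automountServiceAccountToken value is resolved, showing why an explicit false written into the pod spec is not the same as leaving the field unset, and why setting true on the service account does not help while the pod spec says false. The struct types, the helper names and the sample cases are simplified stand-ins constructed for illustration.

```go
package main

import "fmt"

// Simplified stand-ins for the two API objects that carry the field.
// The field is tri-state: nil means "not set in the manifest", which differs from false.
type ServiceAccount struct{ AutomountServiceAccountToken *bool }
type PodSpec struct{ AutomountServiceAccountToken *bool }

// effectiveAutomount reports whether the token volume ends up mounted and which
// level decided. Precedence: pod spec, then service account, then the default (true).
func effectiveAutomount(sa ServiceAccount, pod PodSpec) (bool, string) {
	if pod.AutomountServiceAccountToken != nil {
		return *pod.AutomountServiceAccountToken, "pod spec"
	}
	if sa.AutomountServiceAccountToken != nil {
		return *sa.AutomountServiceAccountToken, "service account"
	}
	return true, "kubernetes default"
}

// ptr is a hypothetical helper for building *bool values.
func ptr(b bool) *bool { return &b }

func main() {
	// Constructed cases mirroring the situations described in the thread.
	cases := []struct {
		name string
		sa   ServiceAccount
		pod  PodSpec
	}{
		{"kubectl apply, field omitted everywhere", ServiceAccount{}, PodSpec{}},
		{"pod spec carries an explicit false", ServiceAccount{}, PodSpec{ptr(false)}},
		{"SA set to true, pod spec still false", ServiceAccount{ptr(true)}, PodSpec{ptr(false)}},
		{"SA opts out, pod spec omitted", ServiceAccount{ptr(false)}, PodSpec{}},
		{"SA opts out, pod spec opts back in", ServiceAccount{ptr(false)}, PodSpec{ptr(true)}},
	}
	for _, c := range cases {
		mounted, by := effectiveAutomount(c.sa, c.pod)
		fmt.Printf("%-42s mounted=%-5v decided by %s\n", c.name, mounted, by)
	}
}
```

When the result is false, nothing is projected at /var/run/secrets/kubernetes.io/serviceaccount/token, which is the "no such file or directory" error quoted above.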