terraform-oci-oke

Provision Service Account with Token on Install

Open steve-gray opened this issue 2 years ago • 3 comments

When provisioning a Kubernetes cluster, it's a common requirement to run another task after provisioning to configure the cluster. To that end, you need an account token for the cluster. The OKE module here does not provide a way to allocate a per-cluster service account token, and the only element returned is the "cluster_config" object, which does not actually have a workable token, but instead is a config that contains references to the OCI tooling - which does not work on Terraform Cloud or other hosting solutions.

For example, the user block looks like:

```yaml
- name: user-ckjp6cilhpq
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
```

EKS and other providers solve for this by having the ability to obtain an ephemeral/short-lived token that works with the Kubernetes cluster.

I reported this previously in #594, and it was incorrectly closed as it was assumed that #601 was suitable. However, that was in error, and it does not solve the problem - #601 was only talking about getting the file at all, and appears to have been suited to an environment in which the oci tool would be available.

steve-gray avatar Mar 09 '23 23:03 steve-gray
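To make the distinction in the issue concrete, here is an added example (not code from the terraform-oci-oke module or from the issue's author) that walks the two halves of the kubeconfig exec-plugin contract: detecting a `users` entry that carries no bearer token but only a command to run (the OKE shape shown above, with `command: oci` and a placeholder cluster OCID filled in as assumptions), and the `client.authentication.k8s.io/v1beta1` `ExecCredential` document that such a command must print, which is the same shape an EKS `get-token` or an OKE `generate-token` plugin returns. The kubeconfig dict and the token strings are constructed sample input.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample kubeconfig. The first user mirrors the exec block OKE emits
# (the "command" line and the cluster OCID are assumptions; the issue's snippet
# is truncated there). The second user is a static bearer token for contrast.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {
            "name": "user-ckjp6cilhpq",
            "user": {
                "exec": {
                    "apiVersion": "client.authentication.k8s.io/v1beta1",
                    "command": "oci",  # assumed: the OCI CLI binary the plugin calls
                    "args": ["ce", "cluster", "generate-token",
                             "--cluster-id", "ocid1.cluster.oc1..placeholder"],
                }
            },
        },
        {
            "name": "user-static",
            "user": {"token": "static-bearer-token-placeholder"},
        },
    ],
}


def exec_dependent_users(kubeconfig):
    """Return {user name: command line} for users whose credential is an exec plugin.

    Such users hold no bearer token at all; the Kubernetes client (kubectl, the
    Terraform kubernetes provider, ...) must spawn the listed command at request
    time, which fails on a runner where that binary is not installed.
    """
    found = {}
    for entry in kubeconfig.get("users", []):
        exec_cfg = entry.get("user", {}).get("exec")
        if exec_cfg:
            parts = [exec_cfg.get("command", "")] + list(exec_cfg.get("args", []))
            found[entry["name"]] = " ".join(parts)
    return found


def build_exec_credential(token, expires_at):
    """Build the ExecCredential JSON an exec plugin must write to stdout."""
    return {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "kind": "ExecCredential",
        "status": {
            "token": token,
            # RFC 3339 UTC timestamp; the client re-runs the plugin after this time.
            "expirationTimestamp": expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }


def token_from_exec_credential(raw_json, now=None):
    """Validate an ExecCredential payload and return its bearer token, or raise."""
    now = now or datetime.now(timezone.utc)
    doc = json.loads(raw_json)
    if doc.get("apiVersion") != "client.authentication.k8s.io/v1beta1" or doc.get("kind") != "ExecCredential":
        raise ValueError("not a v1beta1 ExecCredential")
    status = doc.get("status") or {}
    token = status.get("token")
    if not token:
        raise ValueError("ExecCredential carries no token")
    exp = status.get("expirationTimestamp")
    if exp:
        expires = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires <= now:
            raise ValueError("token expired at %s" % exp)
    return token


def demo():
    """Round trip: mint a credential one hour out, extract its token, reject a stale one."""
    now = datetime(2023, 3, 9, 23, 3, tzinfo=timezone.utc)
    fresh = build_exec_credential("minted-token-placeholder", now + timedelta(hours=1))
    token = token_from_exec_credential(json.dumps(fresh), now=now)
    stale = build_exec_credential("old-token-placeholder", now - timedelta(minutes=1))
    try:
        token_from_exec_credential(json.dumps(stale), now=now)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return token, expired_rejected


if __name__ == "__main__":
    print(exec_dependent_users(SAMPLE_KUBECONFIG))
    print(demo())
```

`exec_dependent_users` is the pre-flight check a pipeline can run on the module's `cluster_config` output before handing it to a provider: a non-empty result on a host without the named binary means the config is unusable there. `build_exec_credential` and `token_from_exec_credential` show what a short-lived token handed to Terraform actually has to look like, and that the expiry in the payload is something the consumer must honour.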

There seems to be nothing in the oci provider to do this.

dgadelha avatar Aug 25 '23 04:08 dgadelha

There's actually a generate-token operation on the OCI API that generates a Kubernetes bearer token that can be pulled through to Go, then to here to do this.

steve-gray avatar Aug 25 '23 05:08 steve-gray

Any word on this? I believe this also affects the missing functionality from 4.x.x in which you could use create_service_account = true

tcrowder-koerber avatar Mar 20 '24 15:03 tcrowder-koerber