terraform-google-kubernetes-engine

fix: issue with kubernetes_service_account in k8s 1.24

Open y4ssi opened this issue 3 years ago • 3 comments

The problem when generating new service accounts is that the secret containing the SA token is no longer generated automatically, since the LegacyServiceAccountTokenNoAutoGeneration feature gate was enabled as true in Kubernetes clusters version 1.24. (References: https://github.com/kubernetes/enhancements/issues/2799, https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)

This is the reported issue for the Terraform resource kubernetes_service_account: https://github.com/hashicorp/terraform-provider-kubernetes/issues/1724

Alternative changes were made using the Terraform resource kubernetes_manifest to manually generate the service accounts along with their secret.

y4ssi Jul 20 '22 15:07

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

google-cla[bot] Jul 20 '22 15:07

@yasserisa Thanks for the PR! 🚀
✅ Lint checks have passed.

comment-bot-dev Jul 26 '22 15:07

@yasserisa Looks like there is some movement in the provider to fix this. Since this will be a breaking change if we switch to a wrapper, I am leaning towards waiting a bit to see if the fix will help.

@bharathkkb

I have seen that the PR was generated yesterday to fix the problem.

https://github.com/hashicorp/terraform-provider-kubernetes/pull/1792

I agree to wait. As I saw in the PR, the kubernetes_service_account resource will not wait for the creation of the secret, so I assume that all we would have to do subsequent to the SA creation is to generate the secret manually. In that case we could use the kubernetes_secret resource, and so we keep the code cleaner without adding a breaking change.

y4ssi Jul 27 '22 16:07
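The approach described in the comment above (create the service account, then declare its token secret explicitly with kubernetes_secret), sketched as an added example that is not code from this PR or from the module. It assumes an already configured hashicorp/kubernetes provider; the resource labels, the `ci-deployer` names and the `default` namespace are placeholders.

```hcl
# Added example: explicit token Secret for a ServiceAccount on Kubernetes 1.24+.
# All names below are placeholders, not values from the module.

resource "kubernetes_service_account" "ci" {
  metadata {
    name      = "ci-deployer"
    namespace = "default"
  }

  # Do not mount a token into pods that merely run under this account.
  automount_service_account_token = false
}

# From 1.24 on, the control plane no longer creates this Secret by itself.
# A Secret of type kubernetes.io/service-account-token that carries the
# service-account.name annotation is populated by the token controller
# with the token, ca.crt and namespace keys.
resource "kubernetes_secret" "ci_token" {
  metadata {
    name      = "ci-deployer-token"
    namespace = kubernetes_service_account.ci.metadata[0].namespace

    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account.ci.metadata[0].name
    }
  }

  type = "kubernetes.io/service-account-token"
}

# A token issued this way does not expire and is written to Terraform state.
# "sensitive" only keeps it out of plan/apply output, so protect the state
# backend and scope the account's RBAC bindings narrowly.
output "ci_token" {
  value     = kubernetes_secret.ci_token.data["token"]
  sensitive = true
}
```

Referencing the service account's attributes in the Secret's metadata gives Terraform the dependency ordering, so the Secret is created only after the account exists.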

https://github.com/hashicorp/terraform-provider-kubernetes/pull/1792 was merged, so I am closing this. We may need to constrain the provider to a new min version once released.

bharathkkb Aug 18 '22 17:08