fix: Support Kubernetes v1.24. Fixes #8320 #9680
Conversation
Signed-off-by: Alex Collins <[email protected]>
Signed-off-by: Alex Collins <[email protected]>
Signed-off-by: Alex Collins <[email protected]>
Signed-off-by: Alex Collins <[email protected]>
Signed-off-by: Alex Collins <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
terrytangyuan
force-pushed
the
support-k8s-124
branch
from
7b4e2f6
to
6845549
Compare
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
| return "", fmt.Errorf("service account %s/%s does not have any secrets", account.Namespace, account.Name) | ||
| } | ||
| return account.Secrets[0].Name, nil | ||
| return secrets.SecretName(account), nil |
There was a problem hiding this comment.
I think we are breaking backwards compatibility here.
Users of v1.23 and below, are not conditioned to generate ServiceAccount secrets yet and so having the assumption that there exists the secret by naming convention is going to break a lot of.
I think the implementation needs to have both implementations and preserve the older v1.23 assumed behavior for backward compatibility
EDIT: Nevermind, I just saw the implementation of SecretName and see that it is doing just that.
| As of Kubernetes v1.24, secrets are not automatically created for service accounts by default. [Find out how to create these yourself manually](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token). | ||
|
|
||
| Argo discovers your token by name, not annotation. They must be named `${serviceAccountName}.service-account-token`. |
There was a problem hiding this comment.
I think we could do better job explaining when users need to do this. When using Agent http template? Auth delegation in api server? Does this need to be mentioned in the SSO docs?
|
@alexec @sarabala1979 Any thoughts on Jesse's questions above? Is the token request API something you thought about when agent was initially designed/implemented? |
|
This is meant to be a cheap option that basically keeps the old behaviour. I’m happy for someone to contribute a more involved fix. |
Signed-off-by: Yuan Tang <[email protected]>
Signed-off-by: Yuan Tang <[email protected]>
|
I'll investigate the approach that uses the TokenRequest API. It seems like a better option instead of using a token that never expires. |
|
@terrytangyuan Mainly we need to think about the API calls increase. Will Controller call once to create a secret for SA or Will it call every reconcile time? |
We'll need to manage the lifecycle of tokens so that they can be rotated and re-requested only when necessary (e.g. based a configured timeout/expiration for bearer tokens) instead of making requests frequently. |
|
Remaining issues:
|
|
For reference, #9620 was re-opened and completed after this was closed, so marking this as superseded |
agilgur5
added
solution/superseded
Fixes #8320. On top of existing work in #9620.
Co-authored-by: Alex Collins [email protected]
Signed-off-by: Yuan Tang [email protected]
Signed-off-by: Alex Collins [email protected]