Give better error when using default service acct (#842)
* Give better error when using default service acct

If consul login fails when the service account name is `default` then
give an explicit warning that the reason it failed is because in
default installations that is not a supported service account name.

We can't fail during injection because we support modifying the binding
rule such that `default` _is_ a valid svc account name.
lkysow authored Nov 10, 2021
1 parent 0ad49a9 commit 8a63540
Showing 2 changed files with 7 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,7 @@ BREAKING CHANGES:
IMPROVEMENTS:
* Control Plane
* TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [[GH-843](https://github.com/hashicorp/consul-k8s/pull/843)]
* Connect: Log a warning when ACLs are enabled and the default service account is used. [[GH-842](https://github.com/hashicorp/consul-k8s/pull/842)]
* CLI
* Delete jobs, cluster roles, and cluster role bindings on `uninstall`. [[GH-820](https://github.com/hashicorp/consul-k8s/pull/820)]
* Helm Chart
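
Review bot: The new Connect entry says a warning is logged "when ACLs are enabled and the default service account is used", but the command.go change in this commit only emits the warning inside the `if err != nil` branch, after consul login has exhausted its retries. Consider rewording it along the lines of "Log a warning when consul login fails and the service account name is `default`", so operators do not expect the warning on every Pod that runs under the default account.
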
6 changes: 6 additions & 0 deletions control-plane/subcommand/connect-init/command.go
Expand Up @@ -138,6 +138,12 @@ func (c *Command) Run(args []string) int {
return err
}, backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), numLoginRetries))
if err != nil {
if c.flagServiceAccountName == "default" {
c.logger.Warn("The service account name for this Pod is \"default\"." +
" In default installations this is not a supported service account name." +
" The service account name must match the name of the Kubernetes Service" +
" or the consul.hashicorp.com/connect-service annotation.")
}
c.logger.Error("Hit maximum retries for consul login", "error", err)
return 1
}
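
Review bot: The new `if c.flagServiceAccountName == "default"` branch ships without a test; the commit touches only CHANGELOG.md and command.go. Suggest adding a case that runs the command with the service account name set to `default` against a failing login and asserts that the warning is logged ahead of the "Hit maximum retries for consul login" error. A smaller point: the warning fires on any login failure with that account name, and the commit message notes that a modified binding rule can make `default` valid, so wording such as "this is likely because" would avoid presenting the account name as the confirmed cause.
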