From 8a63540547ababee7d0ff245a9b18308fa5e1dcd Mon Sep 17 00:00:00 2001
From: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Date: Tue, 9 Nov 2021 16:07:11 -0800
Subject: [PATCH] Give better error when using default service acct (#842)
* Give better error when using default service acct
If consul login fails when the service account name is `default` then give an explicit warning that the reason it failed is because in default installations that is not a support service account name. We can't fail during injection because we support modifying the binding rule such that `default` _is_ a valid svc account name.
---
 CHANGELOG.md | 1 +
 control-plane/subcommand/connect-init/command.go | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f26d88bef..4f4d60e80a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ BREAKING CHANGES:
 IMPROVEMENTS:
 * Control Plane
 * TLS: Support PKCS1 and PKCS8 private keys for Consul certificate authority. [[GH-843](https://github.com/hashicorp/consul-k8s/pull/843)]
+ * Connect: Log a warning when ACLs are enabled and the default service account is used. [[GH-842](https://github.com/hashicorp/consul-k8s/pull/842)]
 * CLI
 * Delete jobs, cluster roles, and cluster role bindings on `uninstall`. [[GH-820](https://github.com/hashicorp/consul-k8s/pull/820)]
 * Helm Chart
diff --git a/control-plane/subcommand/connect-init/command.go b/control-plane/subcommand/connect-init/command.go
index d8158b5f20..e7487fb9e1 100644
--- a/control-plane/subcommand/connect-init/command.go
+++ b/control-plane/subcommand/connect-init/command.go
@@ -138,6 +138,12 @@ func (c *Command) Run(args []string) int {
 return err
 }, backoff.WithMaxRetries(backoff.NewConstantBackOff(1*time.Second), numLoginRetries))
 if err != nil {
+ if c.flagServiceAccountName == "default" {
+ c.logger.Warn("The service account name for this Pod is \"default\"." +
+ " In default installations this is not a supported service account name." +
+ " The service account name must match the name of the Kubernetes Service" +
+ " or the consul.hashicorp.com/connect-service annotation.")
+ }
 c.logger.Error("Hit maximum retries for consul login", "error", err)
 return 1
 }
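Review bot: The warning added inside `if err != nil` fires for every exhausted-retry login failure when `c.flagServiceAccountName == "default"`, whatever the cause, because `err` is not inspected before it is logged. In an installation whose binding rule does accept `default`, an unrelated failure would therefore point operators at the service account instead of the real problem. I would phrase it as a likely cause, for example by opening the message with `"Consul login failed and the service account name for this Pod is \"default\"."`. The reason this is a post-failure hint and not an injection-time rejection lives only in the commit message, so a comment above the check would help: `// "default" cannot be rejected at injection time because a modified binding rule can make it valid; hint at it only after login has failed.` `Run` starts and ends outside this hunk, so how `err` is produced inside the retried closure is not visible here.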