Connect: only look for service account secrets when creating/updating auth method #321
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
added
area/connect
ishustava
commented
Sep 8, 2020
… auth method Kubernetes service account could have multiple secrets associated with it. Previously, we were only looking at the first secret in the list and using that secret to create or update the auth method in Consul. However, on some platforms (Openshift) the service account may contain other types of secrets. Specifically, in the case of Openshift, there are two secrets: one for the service account token and the other for docker credentials. This second secret gets injected automatically by Openshift. This changes our implementation to use the first secret of type kubernetes.io/service-account-token.
ishustava
force-pushed
the
auth-method-multiple-secrets
branch
from
f89a6ad to
3af44be
Compare
lkysow
reviewed
Sep 8, 2020
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
ishustava
force-pushed
the
auth-method-multiple-secrets
branch
from
b4a832d to
e8f465b
Compare
lkysow
reviewed
Sep 10, 2020
lkysow
approved these changes
Sep 10, 2020
ndhanushkodi
pushed a commit
to ndhanushkodi/consul-k8s
that referenced
this pull request
Jul 9, 2021
Add -job to filename to match convention
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
Kubernetes service account could have multiple secrets associated with it.
Previously, we were only looking at the first secret in the list and using
that secret to create or update the auth method in Consul.
However, on some platforms the service account may contain other types of secrets.
Specifically, in the case of Openshift, there are two secrets: one for the service account token
and the other for docker config credentials. This second secret gets injected automatically by Openshift.
This PR changes our implementation to use the first secret of type kubernetes.io/service-account-token.
How I've tested this PR:
Created a docker image (
ishustava/consul-k8s-dev:09-04-2020-5e7491d) and ran connect acceptance tests with it on openshift.How I expect reviewers to test this PR:
No infrastructure tests required from the reviewers at this point. We can rely on helm acceptance tests to make sure we didn't break anything.
Checklist: