Skip to content

Add service account token secret#160

Merged
No9 merged 1 commit intoIBM:mainfrom
usimd:main
May 1, 2024
Merged

Add service account token secret#160
No9 merged 1 commit intoIBM:mainfrom
usimd:main

Conversation

@usimd
Copy link
Contributor

@usimd usimd commented Apr 23, 2024
edited
Loading

Adds a new secret to be compatible with EKS >= 1.24 (see https://aws.github.io/aws-eks-best-practices/security/docs/iam/).

This closes #143 and closes #140.

Open design questions:

  • put token secret in dedicated file?
  • make secret name configurable?
  • add token conditionally (for example only for versions later than 1.24 based on KubeVersion?
  • add specific flag to toggle token secret creation?

Let me know what you think 😃

No9
No9 reviewed Apr 26, 2024
View reviewed changes
charts/core-dump-handler/templates/secrets.yaml Outdated
s3Region: {{ .Values.daemonset.s3Region }}
{{- end }}
---
apiVersion: v1
Copy link
Collaborator

@No9 No9 Apr 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be put behind a flag such as

{{- if .Values.daemonset.useServiceAccountToken }}
apiVersion: v1
.....

With the value set to false in the values.yaml
https://github.com/IBM/core-dump-handler/blob/main/charts/core-dump-handler/values.yaml#L60

useServiceAccountToken: false

If this is mandatory now for all AWS instances can you set the value set to true in aws.values.yaml?

Copy link
Contributor Author

@usimd usimd Apr 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your feedback! I've moved the secret to a dedicated file and added the flag, but to the serviceAccount section, seemed more intuitive to me.

Also want to outline, that this does not seem to be limited to AWS (https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#no-really-you-must-read-this-before-you-upgrade-1). I can't test/verify this for any other environment, have no access to any. But if it turns out it is required, I could add the respective config to the other values files.

@usimd
Add service account token secret
ff16805 
Signed-off-by: usimd <11619247+usimd@users.noreply.github.com>
@No9 No9 merged commit b8ea795 into IBM:main May 1, 2024
@No9
Copy link
Collaborator

No9 commented May 1, 2024

@usimd Thank you very much for this work.

@usimd
Copy link
Contributor Author

usimd commented May 2, 2024

Thank you for sharing this work, @No9! Much appreciated 👍

Would it be possible to create a new release with this PR in place? Or are there other changes you're waiting for?

@No9
Copy link
Collaborator

No9 commented May 2, 2024

Yes I want to try and land this before the next release
#157

@usimd usimd mentioned this pull request May 23, 2024
Merged
@usimd
Copy link
Contributor Author

usimd commented Sep 10, 2024

Hey @No9 👋
Since the other PR (and a few more) have been merged, I was wondering whether there was a bug in the release process that's preventing a new version. Or are you waiting for something else? It's been awhile since v8.10.0.

@No9
Copy link
Collaborator

No9 commented Sep 16, 2024

Hey @usimd
I'm crushed for time right now but I plan to get this out by the end of the month.

@sorind-broadsign
Copy link

sorind-broadsign commented Nov 12, 2024

Hello guys, sorry for the nudge. I understand @No9 you are busy but do you have an estimate when the next release is out. I'm waiting for the fix in this PR.
I can try to build the chart myself. Should I build the docker image as well ? Or can I use the 8.10.0 image ?

@sorind-broadsign
Copy link

sorind-broadsign commented Nov 14, 2024

Much appreciated @No9 , cheers to everyone working on this project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@No9 No9 No9 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deployment error fails to EKS Kubernetes 1.23+ does not mount service account token anymore

3 participants

@usimd @No9 @sorind-broadsign