Merge pull request #146 from ExpediaGroup/feature/update_svc

fix: update k8s service account creation
ExpediaGroup · Jun 4, 2024 · 7a78f06 · 7a78f06
2 parents 8538d72 + 2b27fc6
commit 7a78f06
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [4.5.2] - 2024-06-04
+### Updated
+- Changed Service account creation to make it work with eks 1.24 and later.
+
 ## [4.5.1] - 2024-05-08
 ### Added
 - Adding tags to the Datadog agent

diff --git a/iam-k8s.tf b/iam-k8s.tf
@@ -18,7 +18,8 @@ resource "aws_iam_role" "waggle_dance_k8s_role_iam" {
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
        "StringEquals": {
-         "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.instance_alias}"
+         "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.instance_alias}",
+         "${var.oidc_provider}:aud": "sts.amazonaws.com"
        }
       }
     }

diff --git a/k8s.tf b/k8s.tf
@@ -13,7 +13,7 @@ locals {
   k8s_cpu_limit = length(var.cpu_limit) != 0 ? var.cpu_limit / 1024 : (var.cpu / 1024) * 1.25
 }
 
-resource "kubernetes_service_account" "waggle_dance" {
+resource "kubernetes_service_account_v1" "waggle_dance" {
   count = var.wd_instance_type == "k8s" ? 1 : 0
   metadata {
     name        = local.instance_alias
@@ -22,7 +22,23 @@ resource "kubernetes_service_account" "waggle_dance" {
       "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.waggle_dance_k8s_role_iam[0].arn
     }
   }
-  automount_service_account_token = true
+}
+
+resource "kubernetes_secret_v1" "waggle_dance" {
+  count = var.wd_instance_type == "k8s" ? 1 : 0
+  metadata {
+    name        = local.instance_alias
+    namespace   = var.k8s_namespace
+    annotations = {
+      "kubernetes.io/service-account.name"      = local.instance_alias
+      "kubernetes.io/service-account.namespace" = var.k8s_namespace
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+
+  depends_on = [
+    kubernetes_service_account_v1.waggle_dance
+  ]
 }
 
 resource "kubernetes_deployment_v1" "waggle_dance" {
@@ -55,11 +71,12 @@ resource "kubernetes_deployment_v1" "waggle_dance" {
           "prometheus.io/scrape" : var.prometheus_enabled
           "prometheus.io/port" : local.actuator_port
           "prometheus.io/path" : "/actuator/prometheus"
+          "iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.waggle_dance_k8s_role_iam[0].name : null
         }
       }
 
       spec {
-        service_account_name            = kubernetes_service_account.waggle_dance[0].metadata.0.name
+        service_account_name            = kubernetes_service_account_v1.waggle_dance[0].metadata.0.name
         automount_service_account_token = true
         container {
           image = "${var.docker_image}:${var.docker_version}"

diff --git a/version.tf b/version.tf
@@ -9,7 +9,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 2.7.0"
+      version               = ">= 2.13.0"
       configuration_aliases = [aws.remote]
     }
     datadog = {