
fix: Always create manual long lived token #19970

Open
wants to merge 5 commits into base: master

Commits on Sep 19, 2024

  1. use constant in secret data key

    Signed-off-by: Max Gautier <[email protected]>
    VannTen committed Sep 19, 2024
    b1291d5
  2. Do not patch serviceAccount with created secret

    Referencing the secret in the `secrets` field of the ServiceAccount
    will make Kubernetes consider it an auto-generated secret, and:
    1. Warn about its usage in API responses
    2. Subject it to automatic cleanup after roughly one year if unused
    
    See:
    - https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#legacy-serviceaccount-token-cleaner
    - https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token
    
    Signed-off-by: Max Gautier <[email protected]>
    VannTen committed Sep 19, 2024
    68ac178

Commits on Nov 9, 2024

  1. Do not use existing auto-generated tokens

    Kubernetes legacy ServiceAccount tokens will generate warnings on use
    and be garbage collected if not used for one year, starting with
    Kubernetes 1.30.
    
    Use an explicitly created token secret with a fixed name, based on the
    service account name.
    
    Signed-off-by: Max Gautier <[email protected]>
    VannTen committed Nov 9, 2024
    8871321
  2. clusterauth: rework tests

    This aligns clusterauth_test with the expected behavior modified by the
    previous commit, and is more in line with the way Kubernetes service
    account secrets are handled by the token controller.
    
    Signed-off-by: Max Gautier <[email protected]>
    VannTen committed Nov 9, 2024
    3e14128
  3. clusterauth: rewrite getOrCreate testing

    Test all 3 cases:
    - token secret already exists -> we should not create another
    - token secret does not exist
    - error on secret creation.
    
    Since getOrCreateServiceAccountSecretToken does not actually look at the
    content of the token itself, we remove the part of the test related to
    this.
    
    Signed-off-by: Max Gautier <[email protected]>
    VannTen committed Nov 9, 2024
    0958b86
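The manifest below illustrates the token handling that commits "Do not patch serviceAccount with created secret" and "Do not use existing auto-generated tokens" describe; it is an added example, not code from this PR or from the project. The Secret carries the `kubernetes.io/service-account.name` annotation and is deliberately not listed in the ServiceAccount's `secrets` field, so the token controller populates it as a long-lived token and the API server does not treat it as a legacy auto-generated one. The names `my-robot` and `my-robot-token`, and the `<sa>-token` naming scheme, are constructed placeholders.

```yaml
# ServiceAccount: its `secrets` field is intentionally left empty.
# Listing the token Secret there is what makes Kubernetes treat it as
# auto-generated (warned about on use, cleaned up after ~1 year unused).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-robot              # constructed example name
  namespace: kube-system
---
# Manually created long-lived token Secret. Once the annotation matches an
# existing ServiceAccount, the token controller fills in data.token,
# data.ca.crt and data.namespace. Because nothing references it from
# ServiceAccount.secrets, it is outside the legacy-token cleaner's scope.
apiVersion: v1
kind: Secret
metadata:
  name: my-robot-token        # fixed name derived from the SA name (assumed scheme)
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: my-robot
type: kubernetes.io/service-account-token
```

After `kubectl apply`, `kubectl get secret my-robot-token -n kube-system -o jsonpath='{.data.token}'` returns a non-empty value once the controller has run; if it stays empty, the annotation does not name an existing ServiceAccount in that namespace.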