-
Notifications
You must be signed in to change notification settings - Fork 589
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(config): use projected volume for SA token #3563
Conversation
b74942c
to
78e0490
Compare
Codecov ReportBase: 72.1% // Head: 72.2% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #3563 +/- ##
=====================================
Coverage 72.1% 72.2%
=====================================
Files 127 127
Lines 14771 14771
=====================================
+ Hits 10660 10668 +8
+ Misses 3434 3427 -7
+ Partials 677 676 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🏅
Since we're recently making more and more changes that require an e2e pass and we have no way of verifying that outside of the bounds of PRs we should add an e2e run label similarly to what we have for nightly: https://github.com/Kong/kubernetes-ingress-controller/blob/ec17ebcaa39fdfd8a01d960eaaadcc2546e4da9a/.github/workflows/test_nightly.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the Secret named "kong-serviceaccount-token" still winds up in the set of generated manifests:
kubernetes-ingress-controller/deploy/single/all-in-one-dbless.yaml
Lines 1593 to 1600 in 8104f58
apiVersion: v1 | |
kind: Secret | |
metadata: | |
annotations: | |
kubernetes.io/service-account.name: kong-serviceaccount | |
name: kong-serviceaccount-token | |
namespace: kong | |
type: kubernetes.io/service-account-token |
@rainest's #3475 didn't mention removing this Secret, but I took it to be implied.
@seh Thanks for pointing this out, I overlooked it's not needed anymore. |
What this PR does / why we need it:
Ports the changes from helm chart: Kong/charts#722. A projected volume is used instead of a static secret.
That effectively makes our manifests not compatible with Kubernetes < 1.21 versions. According to our support matrix, we already do not support such.
E2E tests run: https://github.com/Kong/kubernetes-ingress-controller/actions/runs/4187269214
Which issue this PR fixes:
Closes #3475.
Special notes for your reviewer:
PR Readiness Checklist:
Complete these before marking the PR as
ready to review
:CHANGELOG.md
release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR