-
Notifications
You must be signed in to change notification settings - Fork 962
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add default_service_account resource #876
Conversation
Would love to see this merged. Any feedback or changes from the hashicorp folks on next steps? |
I tested this manually using the following configuration and got a failure on apply:
The output looks like this:
The secret is created correctly. The service account however is missing the secret association. I'm guessing this is due to a race condition during TIP: running Terraform with TRACE debug level will show you the API calls being made and their contents. You can follow the order of operations there.
|
Looking into it, will have an update by next week at the latest |
Thanks for testing @alexsomesan, definitely an oversight on my part. Should be fixed now!
I was able to reproduce the race with the ServiceAccount controller via the acceptance tests, but found it was a lot more intermittent. Running in a loop until failure eventually triggered the error: while true; do
TF_ACC=1 go test "./kubernetes" -v -run 'TestAccKubernetesDefaultServiceAccount' -timeout 120m -count 1 || break
done
I broke up the test so that the ServiceAccount can be created immediately after the namespace. If it also has to wait on several secrets, the race is presumably much less likely. |
I've also added a similar wait to the |
The Travis error is coming from
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, thanks for this very thorough PR! I'm on-duty this week and taking over for Alex. I left one minor style comment in the test. Everything else looks great. I did run into an issue with testing though, running the same test as Alex mentioned.
The acceptance tests are passing consistently for me, both in our CI environment (so there are no regressions) and locally testing the new acceptance tests in a loop like you showed us. Those are passing consistently.
However, there seems to be an issue with the new acceptance tests not reporting errors. The tests need to look for the specific data that the resource is injecting into the default service account (for example, checking for the existence of any configured secrets being added to the default service account).
The manual test that Alex mentioned is failing for me, so that's a good place to start testing. Basically I just copy/pasted it into main.tf
in a new empty directory and ran TF_LOG=trace terraform apply
. (I also copied the provider binary into that directory after compiling it from your branch). Here is all my terminal output from testing, which includes setup, and debug output from the provider. It shows that the default service account never gets updated with the new secrets.
We just need to make sure that the configs we're setting actually get applied to the default service account.
Awesome, thank you! Seems like whatever is causing
|
terrafmt upgrade012 ./kubernetes/resource_kubernetes_default_service_account_test.go
Known/unknown attributes does not affect dependency tree
Ok, can now confirm the failing example above is now working!
Leaving notes below for each change. Wait Error
Turns out this was not related to acceptance tests versus a full end-to-end TF run, but rather a symptom of having exactly 1 secret specified in configuration. The wait logic checks whether the number of actual secrets matches an input: len(resp.Secrets) == len(config.Secrets) When I added some logging to help confirm the problem initially and to aid in future debugging.
|
Looks good! I ran the acceptance tests and did some local testing. It all works as planned. Thanks for this contribution! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
Description
This PR adds a
kubernetes_default_service_account
resource. This follows the lead ofaws_default_vpc
and otheraws_default_*
resources. It doesn't create any infrastructure, instead setting minimal state (ID + default secret) and then calling out toUpdate
so that any new user-specified config is persisted.It shares most of its functionality/code with the main
kubernetes_service_account
resource. It overrides:metadata.name
schema, forcing the value to be "default"Create
method which doesn't actually create any resources, and just finds the default service account token secret and then callsUpdate
I factored out
getServiceAccountDefaultSecret
so that both resources'Create
methods could use it. I also updated that to use a field selector to filter service account tokens on the server side. That should help performance in namespaces with large numbers of secrets.Acceptance tests
https://gist.github.com/bendrucker/03b3483eefbd1094aa262c6fa0309b56
References
Closes #302
Community Note