Be more judicious about cleaning up service account tokens #10041
@lavalamp PTAL
0e9a4d5 to 1d3dca6
GCE e2e build/test passed for commit 0e9a4d52ec271090e5dadb0c73ac862d4ce91f31.
GCE e2e build/test passed for commit 1d3dca67962272b82610571a9619d97daf343ed4.
@@ -24,6 +24,8 @@ import ( | |||
"io/ioutil" | |||
"strings" | |||
|
|||
"github.com/golang/glog" | |||
|
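Review bot: the "github.com/golang/glog" import added at the end of this import block brings logging into the file, but the hunk shows only the import and not the call sites. Since the PR concerns service account tokens, check that each new glog call names a secret by namespace and name only and does not format token data into the message.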
nit: this and jwt-go should be in the same block, and they should be after the kubernetes imports.
fixed
just a few pedantic comments...
1d3dca6 to 1ee5578
LGTM
GCE e2e build/test passed for commit 1ee5578.
Merging since this fixes a bug.
Be more judicious about cleaning up service account tokens
As we moved some of our controllers to use service account credentials to run, we ran into a bug (openshift/origin#3298) where the token controller was "cleaning up" tokens it didn't find a service account for. As a result, those controllers' reflectors API calls started failing.
Somehow, the service account whose addition to the `serviceAccounts` store triggered token creation is missing from the same store when the secret addition is observed. @deads2k, @smarterclayton and I are still trying to figure out how that is possible, but in the meantime, this PR: