Add awaiter for service-account-token secret #2048
Conversation
|
PR is now waiting for a maintainer to run the acceptance tests. |
1 similar comment
|
PR is now waiting for a maintainer to run the acceptance tests. |
|
/run-acceptance-tests |
There was a problem hiding this comment.
Thanks for the PR, @kirecek! 馃帀
I wasn't aware of this use case previously, but I think the approach looks good. I'd like to get an integration test added to cover the service-account-token case before merging. The test could create the secret and then export the value of .data and assert that the value is set.
This example is pretty close to what you'd need for this.
Let me know if you need any help figuring that part out.
|
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2584246190 |
|
PR is now waiting for a maintainer to run the acceptance tests. |
|
Thank you. I tried to add a simple test based on the example you linked. |
|
/run-acceptance-tests |
|
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2591649040 |
Signed-off-by: Erik Jankovi膷 <erik.jankovic@gmail.com>
|
PR is now waiting for a maintainer to run the acceptance tests. |
|
/run-acceptance-tests |
|
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2592687150 |
Co-authored-by: Levi Blackstone <levi@pulumi.com>
|
PR is now waiting for a maintainer to run the acceptance tests. |
|
/run-acceptance-tests |
|
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2592945440 |
|
PR is now waiting for a maintainer to run the acceptance tests. |
|
/run-acceptance-tests |
|
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2593158791 |
|
PR is now waiting for a maintainer to run the acceptance tests. |
Hi,
tbh this does not feel very right to me but still, I'd like to get your opinion since I already wrote the patch 馃槙
Proposed changes
Add watcher for
V1Secretwith the secret type of kubernetes.io/service-account-token.i.e After the creation of serviceaccount token secret, pulumi seems to not have a native way of retrieving secret data which are filled by kubernetes controller. For example
where data from the secret
secret.data.apply(v => v["token"]);will be undefined so users cannot work with its value.The watcher simply waits for a secret to populate data which is immediate action.
Use-cases
Create access to API servers to services in multiple cluster - which is common practice for example in service meshes (istio, linkerd) but also in other tools that do some kind of similar federation.
Alternatives
1.) Use kubernetes client directly but TBH this is kinda repellent for new pulumi users
2.) Always read resources from the API after creation to fetchlive objects. But this change seems to be complex at first sight.
3.) There is a proposed generic watcher for user-specified resources #1260 but if we won't get any events I'm not sure it would solve this particular case. Although the issue is still open so not sure 馃し馃徎
WDYT?