Add awaiter for service-account-token secret #2048
PR is now waiting for a maintainer to run the acceptance tests.
/run-acceptance-tests
Thanks for the PR, @kirecek! 🎉
I wasn't aware of this use case previously, but I think the approach looks good. I'd like to get an integration test added to cover the service-account-token case before merging. The test could create the secret and then export the value of .data and assert that the value is set.
This example is pretty close to what you'd need for this.
Let me know if you need any help figuring that part out.
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2584246190
PR is now waiting for a maintainer to run the acceptance tests.
Thank you. I tried to add a simple test based on the example you linked.
/run-acceptance-tests
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2591649040
Signed-off-by: Erik Jankovič <erik.jankovic@gmail.com>
PR is now waiting for a maintainer to run the acceptance tests.
/run-acceptance-tests
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2592687150
Looks like you just fixed the lint issue, so LGTM if it passes on the rerun! Thanks for the fix :)
Co-authored-by: Levi Blackstone <levi@pulumi.com>
PR is now waiting for a maintainer to run the acceptance tests.
/run-acceptance-tests
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2592945440
PR is now waiting for a maintainer to run the acceptance tests.
/run-acceptance-tests
Please view the PR build: https://github.com/pulumi/pulumi-kubernetes/actions/runs/2593158791
PR is now waiting for a maintainer to run the acceptance tests.
Hi,
tbh this does not feel very right to me but still, I'd like to get your opinion since I already wrote the patch 😕
Proposed changes
Add watcher for V1Secret with the secret type of kubernetes.io/service-account-token.
I.e. after the creation of a serviceaccount token secret, pulumi seems to not have a native way of retrieving secret data which are filled by the kubernetes controller. For example
where data from the secret
secret.data.apply(v => v["token"]);
will be undefined so users cannot work with its value.
The watcher simply waits for a secret to populate data which is immediate action.
Use-cases
Create access to API servers to services in multiple clusters - which is common practice, for example, in service meshes (istio, linkerd) but also in other tools that do some kind of similar federation.
Alternatives
1.) Use kubernetes client directly but TBH this is kinda repellent for new pulumi users
2.) Always read resources from the API after creation to fetch live objects. But this change seems to be complex at first sight.
3.) There is a proposed generic watcher for user-specified resources #1260 but if we won't get any events I'm not sure it would solve this particular case. Although the issue is still open so not sure 🤷🏻
WDYT?
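The wait proposed above, sketched in Go as an added example; it is not the PR's code or the provider's awaiter. The `Secret` struct, `secretReady`, `awaitToken` and the channel standing in for the watch stream are hypothetical names, and the sample secret states are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Secret is a hypothetical stand-in for the two v1.Secret fields that matter here.
type Secret struct {
	Type string
	Data map[string][]byte
}

const tokenSecretType = "kubernetes.io/service-account-token"

// secretReady: only service-account-token secrets are filled in later by a
// controller; every other type is complete as soon as it is created.
func secretReady(s Secret) bool {
	return s.Type != tokenSecretType || len(s.Data["token"]) > 0
}

// awaitToken reads successive observed states of one secret (a channel stands
// in for the watch stream) and returns the first state that is ready.
func awaitToken(updates <-chan Secret, timeout time.Duration) (Secret, error) {
	deadline := time.After(timeout)
	for {
		select {
		case s, ok := <-updates:
			if !ok {
				return Secret{}, errors.New("watch closed before the token was populated")
			}
			if secretReady(s) {
				return s, nil
			}
		case <-deadline:
			return Secret{}, fmt.Errorf("token not populated after %s", timeout)
		}
	}
}

func main() {
	// Constructed sequence: the secret as created, then as populated.
	updates := make(chan Secret, 2)
	updates <- Secret{Type: tokenSecretType}
	updates <- Secret{Type: tokenSecretType, Data: map[string][]byte{"token": []byte("constructed-value")}}
	s, err := awaitToken(updates, time.Second)
	fmt.Println("token populated:", len(s.Data["token"]) > 0, "err:", err)
}
```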