Fix: Remove 1.23 restriction on workload identity module

[liggitt]

The issue with hashicorp/kubernetes hanging creating service accounts was resolved in hashicorp/terraform-provider-kubernetes#1792 in https://github.com/hashicorp/terraform-provider-kubernetes/releases/tag/v2.13.0

This reverts the temporary limitation of the workload identity module to 1.23 added in #1315 to resolve #1313, and updates the minimum required version of hashicorp/kubernetes to 2.13.0 for the workload-identity module

Fixes #1582

cc @bharathkkb @apeabody

BEGIN_COMMIT_OVERRIDE
Fix(kubernetes ~> 2.13)!: Remove 1.23 restriction on workload identity module (#1595)
END_COMMIT_OVERRIDE

[bharathkkb]

/gcbrun

[liggitt]

looks like the CI failure (https://console.cloud.google.com/cloud-build/builds;region=global/4191051c-4ffc-4779-9adc-73ede3c8d710;step=94?e=-13802955&jsmode=o&mods=logs_tg_prod&project=cloud-foundation-cicd) is

TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:36Z command.go:100: Running command terraform with args [output -no-color -json project_ids]
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: 
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: Error: Output "project_ids" not found
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: 
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: The output variable requested could not be found in the state file. If you
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: recently added this to your configuration, be sure to run `terraform apply`,
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: since the state won't be updated with new output variables until that command
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z command.go:185: is run.
TestSimpleAutopilotPrivateNonDefaultSA 2023-03-27T19:32:40Z retry.go:99: Returning due to fatal error: FatalError{Underlying: error while running command: exit status 1; 
Error: Output "project_ids" not found

The output variable requested could not be found in the state file. If you
recently added this to your configuration, be sure to run `terraform apply`,
since the state won't be updated with new output variables until that command
is run.}
    output.go:193: 
        	Error Trace:	/builder/home/go/pkg/mod/github.com/gruntwork-io/terratest@v0.41.11/modules/terraform/output.go:193
        	            				/builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.4.1/pkg/tft/terraform.go:292
        	            				/workspace/test/integration/utils/utils.go:25
        	            				/workspace/test/integration/simple_autopilot_private_non_default_sa/simple_autopilot_private_non_default_sa_test.go:27
        	Error:      	Received unexpected error:
        	            	FatalError{Underlying: error while running command: exit status 1; 
        	            	Error: Output "project_ids" not found
        	            	
        	            	The output variable requested could not be found in the state file. If you
        	            	recently added this to your configuration, be sure to run `terraform apply`,
        	            	since the state won't be updated with new output variables until that command
        	            	is run.}
        	Test:       	TestSimpleAutopilotPrivateNonDefaultSA
--- FAIL: TestSimpleAutopilotPrivateNonDefaultSA (17.34s)

I think this is pre-existing, I'm seeing this job fail on other PRs as well

is there an issue and ETA for resolving the CI break at HEAD?

[apeabody]

Thanks @liggitt!

@bharathkkb, I opened #1597

[liggitt]

looks like the rerun passed, and the workload-identity-local steps succeeded (and from what I can tell, it tested against a 1.25 cluster)

[apeabody]

looks like the rerun passed, and the workload-identity-local steps succeeded

Yes, looks like some CI flakiness as both this and my test PR just passed.

[apeabody]

Thanks @liggitt! LGTM!

[liggitt]

thanks! any chance of pulling this into a 25.1.0 patch release ahead of 26.0.0?

[apeabody]

thanks! any chance of pulling this into a 25.1.0 patch release ahead of 26.0.0?

Let me discuss with @bharathkkb, but I think we might be able to make the next release v25.1.0.

[bharathkkb]

@liggitt @apeabody IIUC The 1.23 k8s version was just hardcoded in the example and not in the module. Since the previously module supported > 2.0, < 3.0 anyway, users could technically use 2.13+ providers with the fix.

We have now also bumped the min constraint to > 2.13, < 3.0 which would need a breaking release incase users were explicitly pinned between > 2.0, < 2.13.

[liggitt]

Interesting, thanks for that clarification. It's surprising a minor version dependency bump for a downstream bugfix requires a major version change here, but I'm glad existing consumers can use against 1.24+ successfully without any changes here

[apeabody]

@liggitt @apeabody IIUC The 1.23 k8s version was just hardcoded in the example and not in the module. Since the previously module supported > 2.0, < 3.0 anyway, users could technically use 2.13+ providers with the fix.

We have now also bumped the min constraint to > 2.13, < 3.0 which would need a breaking release incase users were explicitly pinned between > 2.0, < 2.13.

Thanks @bharathkkb! That was going to be my question with regards to it being a non-Google provider.

[apeabody]

Interesting, thanks for that clarification. It's surprising a minor version dependency bump for a downstream bugfix requires a major version change here, but I'm glad existing consumers can use against 1.24+ successfully without any changes here

Hi @liggitt, yes good call by @bharathkkb that it was the module README.md and example used for CI which were pinned to kubernetes_version = "1.23", nothing in the v25.0.0 terraform-google-kubernetes-engine module actually limited the kubernetes version. As long as a user doesn't have it pinned elsewhere, terraform init -upgrade should update the kubernetes provider to the most recent 2.x release and everything should work as intended.