-
Notifications
You must be signed in to change notification settings - Fork 470
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(deployment) replace static secret with projected volume #722
Conversation
63063d7
to
23f4d91
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mcharriere do you know if this will break backwards-compatibility with older k8s versions (and which?) that don't support projected volumes? This looks fine and is something we should do, we just need to know what older versions would break with projected volumes and whether we need to add any additional templates for older-version compatibility.
@rainest, yes, you are right. this change breaks on 1.19 and older when One option is to increase the K8s required version to 1.20 (https://github.com/Kong/charts/blob/main/charts/kong/README.md#prerequisites) and document somewhere that older versions would work disabling WDYT? |
helm supports restricting kubernetes versions by specifying field |
Hi @ubergesundheit @mcharriere 👋
If possible I'd much rather prefer this route at this point to not break our users. What do you think about introducing this capabilities check (via helm) in this PR? BTW: what specific change in k8s is this leveraging that breaks 1.19 and older? I've looked through various docs and couldn't find anything specific that would point to that version. |
Sounds good.
In 1.20, the
I didn't check if there are alternatives for <1.20, as I think for those cases keeping the current behavior should be fine having in mind that the ingress controller itself doesn't support 1.19 since v2.6. |
23f4d91
to
b971de1
Compare
This was the missing bit. Thanks!
We can retain the old behaviour for those versions, no? |
yes, I just pushed a commit keeping the old behavior for <1.20. I tested it on k8s versions 1.19, 1.20 and 1.25 and it works as expected in all of them. |
Just added #725 to test across versions, so if ya'll can fetch rebase onto our current main it should confirm the new and legacy behavior. @pmalek should we indeed need some additional CI values to test this? Although this isn't configured explicitly in any I know of, that shouldn't be an issue since we create the account by default: charts/charts/kong/values.yaml Lines 26 to 27 in 892774e
|
Yes, this should be enough for this PR since we want to test the old and new behaviours for pre 1.20 and 1.20 and up. |
The static service account secret has been superseeded by a projected volume becoming the standar way to authenticate against the K8s API since v1.21. With this change we keep the token mounted only on the ingress controller container and gain the security improvements that the TokenRequests API brings. Signed-off-by: Matias Charriere <matias@giantswarm.io>
Signed-off-by: Matias Charriere <matias@giantswarm.io>
92c5392
to
8aa4aa9
Compare
Will this change make its way over into the manifests that sit in the deploy directory of the Kong/kubernetes-ingress-controller repository? |
@seh there's no reason it shouldn't. Kong/kubernetes-ingress-controller#3475 to track that. |
What this PR does / why we need it:
This PR replaces the static service account secret with a projected volume. The projected volume is the standard way to authenticate against the K8s API since v1.21.
With this change we keep the token mounted only on the ingress controller container and gain the security improvements that the TokenRequests API brings.
Which issue this PR fixes
Special notes for your reviewer:
client-go introduced support for rotating tokens in kubernetes/kubernetes#67359
The expiration time has been set to 3607 following the Kubernetes default value.
Checklist
main
branch.