workload-identity compatibility
DerEinePete opened this issue · 4 comments
Hi,
In the workload-identity module it is stated "Note: This module currently supports Kubernetes <= 1.23." Is this still the case?
https://cloud.google.com/kubernetes-engine/docs/release-schedule
The release schedule of Google Cloud states that it is already upgrading Kubernetes to 1.24.
But I haven't experienced any issue.
@DerEinePete :
Just found this ticket and thought I'd post a comment. I'm not a maintainer, but it's likely related to hashicorp/terraform-provider-kubernetes#1724
v1.24.0 includes a breaking change as the default secret that is/was generated when creating a service account no longer will be generated. So, depending on how you manage your Kubernetes service accounts, you may run into a warning similar to the one below. The fix is simple though. If I have time I may create a PR to fix it. That being said, we don't use this module so it's way down on the priority list.
Warning: "default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above
v1.24 Release Notes - Breaking Change:
"The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (kubernetes/kubernetes#108309, @zshihang)"
You can see an example of how to fix it here:
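An added example (not code from this thread or from the terraform-google-kubernetes-engine module) of how the 1.24 change described above looks in Terraform: a Workload Identity service account that no longer depends on an auto-generated token Secret, plus the explicitly created Secret that the release note describes for the case where a non-expiring token is genuinely required. The service account name, namespace and GCP project are placeholders.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      # 2.13.0 is the provider release named in this thread as containing the fix
      version = ">= 2.13.0"
    }
  }
}

# Kubernetes service account bound to a GCP service account via Workload Identity.
# Pods using it receive short-lived projected tokens from the kubelet, so on
# Kubernetes 1.24+ nothing here needs (or references) default_secret_name.
resource "kubernetes_service_account_v1" "app" {
  metadata {
    name      = "example-app"     # placeholder
    namespace = "default"         # placeholder
    annotations = {
      # placeholder GCP service account; the annotation key is the real GKE one
      "iam.gke.io/gcp-service-account" = "example-app@example-project.iam.gserviceaccount.com"
    }
  }
}

# Only when a non-expiring token is required (for example a client outside the
# cluster that cannot call the TokenRequest API): create the Secret yourself and
# let the token controller populate it, as the v1.24 release note advises.
# Prefer the TokenRequest API wherever possible; this Secret is a long-lived
# credential and should be treated (and rotated) as such.
resource "kubernetes_secret_v1" "app_legacy_token" {
  metadata {
    name      = "example-app-token"  # placeholder
    namespace = "default"            # placeholder
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account_v1.app.metadata[0].name
    }
  }
  type = "kubernetes.io/service-account-token"
}
```

For ad-hoc use, a short-lived token for the same account can be minted with kubectl create token example-app (kubectl 1.24+), which goes through the TokenRequest API the release note recommends instead of creating a Secret.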
Now that Kubernetes version 1.24 or higher is the default across all GKE release channels, it would be most helpful to support 1.24+ in the Workload Identity module. In the Spanner Autoscaler we are currently pinning to 1.23, which is scheduled to go EOL on 2023-07-31.
It looks like the bug in https://github.com/hashicorp/terraform-provider-kubernetes was fixed in https://github.com/hashicorp/terraform-provider-kubernetes/releases/tag/v2.13.0.
I opened #1595 to drop the 1.23 restriction and bump the required hashicorp/kubernetes version to one that includes the fix (2.13+), but it looks like that is blocked on an unrelated CI failure at HEAD.
Hi Everyone - Just a quick summary that the current version (v25.0.0) of terraform-google-kubernetes-engine can be used with Workload Identity and Kubernetes 1.24+, as long as your installed version of the Kubernetes provider is at least v2.13.0. The provider versions can be upgraded to the most recent permitted versions with terraform init -upgrade, and the installed provider versions verified with terraform providers.
The next major version of the terraform-google-kubernetes-engine module will enforce the newer Kubernetes provider version (#1595).