
aws-cdk-lib: Secrets for service account not getting created #30139

Closed
brizaldi opened this issue May 10, 2024 · 5 comments
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service aws-cdk-lib Related to the aws-cdk-lib package documentation This is a problem with documentation. effort/medium Medium work item – several days of effort p2

Comments

@brizaldi

Describe the issue

Our cluster was using Kubernetes version 1.22. However, after upgrading to the latest version (1.29), we noticed a change in the process of creating service accounts in AWS CDK.

Previously, when we created a service account like this: cluster.addServiceAccount(...), the secret token would be generated automatically, but it seems that this is no longer the case in the latest version.

Does CDK have a way to handle this, or do we need to create the secret manually?

More context: kubernetes/kubernetes#108309

Links

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#addwbrservicewbraccountid-options

@brizaldi brizaldi added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels May 10, 2024
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label May 10, 2024
@pahud
Contributor

pahud commented May 10, 2024

Can you explain a little bit more about what secret token you are expecting?

addServiceAccount() essentially creates a new ServiceAccount construct, and I didn't see any secret token being created.

And, what is the CDK version you are using for 1.22?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 10, 2024
@brizaldi
Author

brizaldi commented May 11, 2024

We're currently using aws-cdk version 2.135.0.

Basically, on pre-1.24 Kubernetes, when you create a service account, two resources are created automatically: the service account and a secret. After 1.24, only the service account is created, without the secret.

cdk command:

const serviceAccount = cluster.addServiceAccount("my-service-account", {
    name: "my-service-account",
    namespace: "my-namespace"
})

service account

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-role
  labels:
    app.kubernetes.io/name: my-service-account
  name: my-service-account
  namespace: my-namespace
  resourceVersion: "890732087"
  uid: bfc00afd-024b-4ac5-92ab-be7c90c25312
secrets:
- name: my-service-account-token-k2l6z

secret

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZ...
  namespace: bXktbmFtZXNwYWNl
  token: ZXlKaGJHY2lPa...
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: my-service-account
    kubernetes.io/service-account.uid: bfc00afd-024b-4ac5-92ab-be7c90c25312
  name: my-service-account-token-k2l6z
  namespace: my-namespace
  resourceVersion: "890732086"
  uid: 7ec2efab-29b9-4062-bc98-06d64fbd0e74
type: kubernetes.io/service-account-token

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 11, 2024
@brizaldi
Author

Closed. Ended up creating the secret token manually using the KubernetesManifest construct.
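The manual workaround from the last comment, written out as an added example that is not code from the issue or from aws-cdk-lib: a plain TypeScript helper that builds the kubernetes.io/service-account-token Secret manifest Kubernetes 1.24+ no longer creates, so it can be handed to cluster.addManifest(). The ServiceAccount properties and the eks.Cluster variable in the usage comment are assumptions.

```typescript
// Added example, not from the issue or aws-cdk-lib: build the Secret manifest
// for a long-lived service-account token, which Kubernetes 1.24+ no longer
// creates alongside a ServiceAccount. Plain JSON, usable with cluster.addManifest().

// RFC 1123 DNS label, the format Kubernetes requires for names and namespaces.
const DNS_LABEL = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;

export interface TokenSecretOptions {
  serviceAccountName: string;
  namespace: string;        // must be the ServiceAccount's own namespace
  secretName?: string;      // defaults to `<serviceAccountName>-token`
}

export interface TokenSecretManifest {
  apiVersion: 'v1';
  kind: 'Secret';
  metadata: { name: string; namespace: string; annotations: Record<string, string> };
  type: 'kubernetes.io/service-account-token';
}

export function serviceAccountTokenSecret(opts: TokenSecretOptions): TokenSecretManifest {
  const name = opts.secretName ?? `${opts.serviceAccountName}-token`;
  for (const label of [opts.serviceAccountName, opts.namespace, name]) {
    if (!DNS_LABEL.test(label)) throw new Error(`invalid DNS label: ${label}`);
  }
  return {
    apiVersion: 'v1',
    kind: 'Secret',
    metadata: {
      name,
      namespace: opts.namespace,
      // The token controller populates data.token, data.ca.crt and
      // data.namespace for a Secret of this type carrying this annotation,
      // so no credential material is embedded in the manifest itself.
      annotations: { 'kubernetes.io/service-account.name': opts.serviceAccountName },
    },
    type: 'kubernetes.io/service-account-token',
  };
}

// Usage inside a CDK stack (assumes `cluster` is an eks.Cluster and that the
// ServiceAccount construct exposes serviceAccountName / serviceAccountNamespace):
//   const sa = cluster.addServiceAccount('my-service-account', {
//     name: 'my-service-account', namespace: 'my-namespace' });
//   const secret = cluster.addManifest('my-service-account-token',
//     serviceAccountTokenSecret({ serviceAccountName: sa.serviceAccountName,
//                                 namespace: sa.serviceAccountNamespace }));
//   secret.node.addDependency(sa); // the SA must exist before the Secret is applied
// This token never expires; pods using the eks.amazonaws.com/role-arn annotation
// (IRSA) receive credentials through projected tokens and do not need this Secret.
```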


⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024