From 7cc826c9e55af33aee11165a425155e4f8cc2ae1 Mon Sep 17 00:00:00 2001 From: John Houston Date: Fri, 13 Nov 2020 15:35:58 -0500 Subject: [PATCH] Normalize automount_service_account_token to be in line with the K8s API (#1054) --- .../data_source_kubernetes_service_account.go | 1 + ..._source_kubernetes_service_account_test.go | 4 +-- kubernetes/resource_kubernetes_pod.go | 8 ++--- kubernetes/resource_kubernetes_pod_test.go | 29 +++++++++++++++---- .../resource_kubernetes_service_account.go | 6 ++-- ...esource_kubernetes_service_account_test.go | 16 +++++----- kubernetes/schema_pod_spec.go | 1 + website/docs/d/pod.html.markdown | 2 +- .../docs/guides/getting-started.html.markdown | 2 +- website/docs/r/daemonset.html.markdown | 2 +- .../r/default_service_account.html.markdown | 2 +- website/docs/r/deployment.html.markdown | 2 +- website/docs/r/pod.html.markdown | 2 +- website/docs/r/service_account.html.markdown | 2 +- 14 files changed, 49 insertions(+), 30 deletions(-) diff --git a/kubernetes/data_source_kubernetes_service_account.go b/kubernetes/data_source_kubernetes_service_account.go index 022d5fefff..cdd709df19 100644 --- a/kubernetes/data_source_kubernetes_service_account.go +++ b/kubernetes/data_source_kubernetes_service_account.go @@ -2,6 +2,7 @@ package kubernetes import ( "context" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/kubernetes/data_source_kubernetes_service_account_test.go b/kubernetes/data_source_kubernetes_service_account_test.go index 567818189a..8ad2adca79 100644 --- a/kubernetes/data_source_kubernetes_service_account_test.go +++ b/kubernetes/data_source_kubernetes_service_account_test.go 
@@ -24,7 +24,7 @@ func TestAccKubernetesDataSourceServiceAccount_basic(t *testing.T) { resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.TestLabel", "label"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.0.name", name+"-secret"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.0.name", name+"-image-pull-secret"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "default_secret_name"), ), }, @@ -37,7 +37,7 @@ func TestAccKubernetesDataSourceServiceAccount_basic(t *testing.T) { resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "metadata.0.labels.TestLabel", "label"), resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "secret.0.name", name+"-secret"), resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "image_pull_secret.0.name", name+"-image-pull-secret"), - resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "automount_service_account_token", "false"), + resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "automount_service_account_token", "true"), resource.TestCheckResourceAttrSet("data.kubernetes_service_account.test", "default_secret_name"), ), }, diff --git a/kubernetes/resource_kubernetes_pod.go b/kubernetes/resource_kubernetes_pod.go index dfcf720769..3bb22cc1fc 100644 --- a/kubernetes/resource_kubernetes_pod.go +++ b/kubernetes/resource_kubernetes_pod.go 
@@ -3,10 +3,11 @@ package kubernetes import ( "context" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "log" "time" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" api "k8s.io/api/core/v1" @@ -17,10 +18,7 @@ import ( func resourceKubernetesPod() *schema.Resource { podSpecFields := podSpecFields(false, false, false) - // Setting this default to false prevents a perpetual diff caused by volume_mounts - // being mutated on the server side as Kubernetes automatically adds a mount - // for the service account token - podSpecFields["automount_service_account_token"].Default = false + return &schema.Resource{ CreateContext: resourceKubernetesPodCreate, ReadContext: resourceKubernetesPodRead, diff --git a/kubernetes/resource_kubernetes_pod_test.go b/kubernetes/resource_kubernetes_pod_test.go index 279aeeeb9a..f2c0dbc4c2 100644 --- a/kubernetes/resource_kubernetes_pod_test.go +++ b/kubernetes/resource_kubernetes_pod_test.go @@ -1146,6 +1146,8 @@ resource "kubernetes_pod" "test" { } spec { + automount_service_account_token = false + container { image = "%s" name = "containername" @@ -1211,7 +1213,9 @@ func testAccKubernetesPodConfigWithInitContainer(podName string, image string) s } spec { - container { + automount_service_account_token = false + + container { name = "nginx" image = "nginx" @@ -1501,7 +1505,9 @@ resource "kubernetes_pod" "test" { } spec { - container { + automount_service_account_token = false + + container { image = "%s" name = "containername" @@ -1545,6 +1551,8 @@ resource "kubernetes_pod" "test" { } spec { + automount_service_account_token = false + container { image = "%s" name = "containername" @@ -1597,7 +1605,8 @@ resource "kubernetes_pod" "test" { } spec { - restart_policy = "Never" + restart_policy = "Never" + automount_service_account_token = false container { image = "%s" 
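Review bot: Removing the override in resourceKubernetesPod also removes the only explanation of why the pod resource forced `automount_service_account_token` to false, and the pod_test hunks in this same file then add `automount_service_account_token = false` to every test config, which suggests the perpetual volume_mounts diff the deleted comment described still appears once the token is mounted — it looks moved out of the tests rather than resolved. A short comment in place of the deleted block would keep that visible, e.g. `// automount_service_account_token follows the shared podSpecFields default (true); Kubernetes adds the token volume_mount server-side, so configs that need a stable plan set it to false explicitly`. It is also worth saying in the docs or changelog that configurations omitting the attribute previously sent false and will now send true, so the next plan will show a change on existing pods, and that the mounted token is an API credential for the workload; whether that pod update forces a replacement cannot be told from this hunk.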
@@ -1726,7 +1735,8 @@ resource "kubernetes_pod" "test" { } spec { - restart_policy = "Never" + restart_policy = "Never" + automount_service_account_token = false container { image = "%s" @@ -1846,6 +1856,8 @@ func testAccKubernetesPodConfigWithEmptyDirVolumes(podName, imageName string) st } spec { + automount_service_account_token = false + container { image = "%s" name = "containername" @@ -1879,6 +1891,8 @@ func testAccKubernetesPodConfigWithEmptyDirVolumesSizeLimit(podName, imageName s } spec { + automount_service_account_token = false + container { image = "%s" name = "containername" @@ -2104,8 +2118,7 @@ resource "kubernetes_pod" "test" { } func testAccKubernetesPodConfigReadinessGate(secretName, configMapName, podName, imageName string) string { - return fmt.Sprintf(` -resource "kubernetes_secret" "test" { + return fmt.Sprintf(`resource "kubernetes_secret" "test" { metadata { name = "%s" } @@ -2157,6 +2170,8 @@ resource "kubernetes_pod" "test" { } spec { + automount_service_account_token = false + readiness_gate { condition_type = "haha" } @@ -2226,6 +2241,8 @@ func testAccKubernetesPod_regression(provider, name, imageName string) string { } spec { + automount_service_account_token = false + container { image = %[3]q name = "containername" diff --git a/kubernetes/resource_kubernetes_service_account.go b/kubernetes/resource_kubernetes_service_account.go index 7959e28ab7..d3e16ea45d 100644 --- a/kubernetes/resource_kubernetes_service_account.go +++ b/kubernetes/resource_kubernetes_service_account.go @@ -3,13 +3,14 @@ package kubernetes import ( "context" "fmt" - "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "log" "strings" "time" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + api "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -63,8 +64,9 @@ func resourceKubernetesServiceAccount() *schema.Resource { }, "automount_service_account_token": { Type: schema.TypeBool, - Description: "True to enable automatic mounting of the service account token", + Description: "Enable automatic mounting of the service account token", Optional: true, + Default: true, }, "default_secret_name": { Type: schema.TypeString, diff --git a/kubernetes/resource_kubernetes_service_account_test.go b/kubernetes/resource_kubernetes_service_account_test.go index 5a67d826e6..30e2c0032a 100644 --- a/kubernetes/resource_kubernetes_service_account_test.go +++ b/kubernetes/resource_kubernetes_service_account_test.go @@ -44,7 +44,7 @@ func TestAccKubernetesServiceAccount_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "metadata.0.uid"), resource.TestCheckResourceAttr(resourceName, "secret.#", "2"), resource.TestCheckResourceAttr(resourceName, "image_pull_secret.#", "2"), - resource.TestCheckResourceAttr(resourceName, "automount_service_account_token", "false"), + resource.TestCheckResourceAttr(resourceName, "automount_service_account_token", "true"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + name + "-three$"), regexp.MustCompile("^" + name + "-four$"), 
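Review bot: With `Default: true` on an Optional field, a service account declared without the attribute goes from leaving it unset to always sending an explicit true, so existing state for such accounts will show a diff on the next plan; that upgrade note belongs in the docs alongside the new default. The shortened description also no longer tells the reader what the value controls; something like `Description: "Enable automatic mounting of the service account token into pods that use this account. A pod's own automount_service_account_token setting takes precedence."` would make the precedence (assumed here from the Kubernetes field semantics, not visible in the diff) explicit. The _automount test config in this commit now exercises only the explicit-false path, so the explicit-true and unset paths are no longer covered separately.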
@@ -96,7 +96,7 @@ func TestAccKubernetesServiceAccount_automount(t *testing.T) { resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "2"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "2"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + name + "-three$"), regexp.MustCompile("^" + name + "-four$"), @@ -142,7 +142,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) { resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "2"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "2"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + name + "-three$"), regexp.MustCompile("^" + name + "-four$"), 
@@ -173,7 +173,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) { resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "1"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "3"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + name + "-three$"), regexp.MustCompile("^" + name + "-four$"), @@ -199,7 +199,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) { resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "0"), resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "0"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}), testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + name + "-token-[a-z0-9]+$"), 
@@ -234,7 +234,7 @@ func TestAccKubernetesServiceAccount_generatedName(t *testing.T) { resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.resource_version"), resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.self_link"), resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"), - resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"), + resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"), testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}), testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{ regexp.MustCompile("^" + prefix + "[a-z0-9]+-token-[a-z0-9]+$"), @@ -446,7 +446,7 @@ func testAccKubernetesServiceAccountConfig_modified(name string) string { name = "${kubernetes_secret.four.metadata.0.name}" } - automount_service_account_token = "true" + automount_service_account_token = false } resource "kubernetes_secret" "one" { @@ -526,7 +526,7 @@ func testAccKubernetesServiceAccountConfig_automount(name string) string { name = "${kubernetes_secret.four.metadata.0.name}" } - automount_service_account_token = true + automount_service_account_token = false } resource "kubernetes_secret" "one" { diff --git a/kubernetes/schema_pod_spec.go b/kubernetes/schema_pod_spec.go index 6487c8bd73..ec474c423b 100644 --- a/kubernetes/schema_pod_spec.go +++ b/kubernetes/schema_pod_spec.go @@ -31,6 +31,7 @@ func podSpecFields(isUpdatable, isDeprecated, isComputed bool) map[string]*schem "automount_service_account_token": { Type: schema.TypeBool, Optional: true, + Default: true, Description: "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.", }, "container": { diff --git a/website/docs/d/pod.html.markdown b/website/docs/d/pod.html.markdown index 2f88923c36..72400ba38f 100644 --- a/website/docs/d/pod.html.markdown 
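Review bot: The `Default: true` added in podSpecFields changes the default for every resource built on this schema — the docs hunks for daemonset, deployment and pod in this commit confirm it — but the description says nothing about the consequence, which is that an API credential is mounted into the pod unless the operator opts out. I would extend the description to `"AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. Defaults to true, matching Kubernetes; workloads that do not call the API should set this to false so no credential is mounted."`. Since this field previously defaulted to false at the pod resource level, users who relied on that for least privilege now need to set it explicitly, and a changelog entry calling that out would avoid silent credential exposure on upgrade.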
+++ b/website/docs/d/pod.html.markdown @@ -52,7 +52,7 @@ The following arguments are supported: * `affinity` - A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. * `active_deadline_seconds` - Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. -* `automount_service_account_token` - Indicates whether a service account token should be automatically mounted. Defaults to false for Pods. +* `automount_service_account_token` - Indicates whether a service account token should be automatically mounted. Defaults to true for Pods. * `container` - List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers) * `init_container` - List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/ * `dns_policy` - Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). 
diff --git a/website/docs/guides/getting-started.html.markdown b/website/docs/guides/getting-started.html.markdown index f3a4a70df2..0998b01653 100644 --- a/website/docs/guides/getting-started.html.markdown +++ b/website/docs/guides/getting-started.html.markdown @@ -251,7 +251,7 @@ Terraform will perform the following actions: } + spec { - + automount_service_account_token = false + + automount_service_account_token = true + dns_policy = "ClusterFirst" + enable_service_links = false + host_ipc = false diff --git a/website/docs/r/daemonset.html.markdown b/website/docs/r/daemonset.html.markdown index 1106bc7b5f..07cbc09673 100644 --- a/website/docs/r/daemonset.html.markdown +++ b/website/docs/r/daemonset.html.markdown 
@@ -142,7 +142,7 @@ The following arguments are supported: * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. -* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false`. +* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true`. * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers) * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/ * `dns_policy` - (Optional) Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). 
diff --git a/website/docs/r/default_service_account.html.markdown b/website/docs/r/default_service_account.html.markdown index 15ed36abde..032a4067eb 100644 --- a/website/docs/r/default_service_account.html.markdown +++ b/website/docs/r/default_service_account.html.markdown @@ -37,7 +37,7 @@ The following arguments are supported: * `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) * `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets#manually-specifying-an-imagepullsecret) * `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets) -* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token +* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`. ## Nested Blocks diff --git a/website/docs/r/deployment.html.markdown b/website/docs/r/deployment.html.markdown index e7d985d58d..b2f5cb037e 100644 --- a/website/docs/r/deployment.html.markdown +++ b/website/docs/r/deployment.html.markdown 
@@ -147,7 +147,7 @@ The following arguments are supported: * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. -* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false`. +* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true`. * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers) * `readiness_gate` - (Optional) If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True". [More info](https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready++.md) * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/ diff --git a/website/docs/r/pod.html.markdown b/website/docs/r/pod.html.markdown index 1612609c11..552ca5070d 100644 --- a/website/docs/r/pod.html.markdown +++ b/website/docs/r/pod.html.markdown 
@@ -200,7 +200,7 @@ The following arguments are supported: * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. -* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false` for Pods. +* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true` for Pods. * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers) * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/ * `dns_policy` - (Optional) Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). 
diff --git a/website/docs/r/service_account.html.markdown b/website/docs/r/service_account.html.markdown index 3d4e307571..dbf40c83e7 100644 --- a/website/docs/r/service_account.html.markdown +++ b/website/docs/r/service_account.html.markdown @@ -37,7 +37,7 @@ The following arguments are supported: * `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) * `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets#manually-specifying-an-imagepullsecret) * `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets) -* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `false`. +* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`. ## Nested Blocks