Support multiple service-account-issuers in apiserver #16497

Merged


zetaab
Member

@zetaab zetaab commented Apr 27, 2024

Currently kOps supports only one --service-account-issuer flag in apiserver. However, it is a problem if people want to change the issuer without downtime. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection says:

> You can specify the --service-account-issuer argument multiple times, this can be useful to enable a non-disruptive change of the issuer. When this flag is specified multiple times, the first is used to generate tokens and all are used to determine which issuers are accepted. You must be running Kubernetes v1.22 or later to be able to specify --service-account-issuer multiple times.

This PR makes it possible to define the issuer multiple times.
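
The ordering rule quoted above, as an added Go example (not code from this PR, kOps or the apiserver): it renders the repeated flag with the signing issuer first and classifies a token by its unverified `iss` claim, which is the check an operator would run before dropping the old issuer from the list. The function names, issuer URLs and sample tokens are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// IssuerFlags puts the signing issuer first; later issuers are accepted only.
func IssuerFlags(primary string, additional []string) []string {
	flags := []string{"--service-account-issuer=" + primary}
	for _, iss := range additional {
		flags = append(flags, "--service-account-issuer="+iss)
	}
	return flags
}

// SampleToken builds a constructed JWT-shaped string with a placeholder signature.
func SampleToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(`{"iss":"`+iss+`"}`)) + ".sig"
}

// Classify reads the unverified "iss" claim (audit only, no signature check).
func Classify(token, primary string, additional []string) string {
	var claims struct{ Iss string `json:"iss"` }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "rejected"
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return "rejected"
	}
	if claims.Iss == primary {
		return "current" // minted after the switch to the new issuer
	}
	for _, a := range additional {
		if claims.Iss == a {
			return "legacy" // still accepted, but only while the old issuer stays listed
		}
	}
	return "rejected"
}

func main() {
	primary, old := "https://new-issuer.example.com", []string{"https://old-issuer.example.com"}
	fmt.Println(IssuerFlags(primary, old), Classify(SampleToken(old[0]), primary, old))
}
```

A token that classifies as "legacy" stops validating once its issuer is removed from the additional list, so the old issuer should stay listed until no such tokens remain in use.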

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 27, 2024
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/provider/aws Issues or PRs related to aws provider size/M Denotes a PR that changes 30-99 lines, ignoring generated files. area/nodeup size/L Denotes a PR that changes 100-499 lines, ignoring generated files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 27, 2024
@zetaab zetaab force-pushed the feat/multipleserviceaccountissuer branch 3 times, most recently from 4777562 to 5a3ecb5 Compare April 27, 2024 19:21
@zetaab zetaab force-pushed the feat/multipleserviceaccountissuer branch from 5a3ecb5 to b25253f Compare April 27, 2024 19:38
@zetaab zetaab changed the title WIP: Support multiple service-account-issuer flags WIP: Support multiple service-account-issuers in apiserver Apr 27, 2024
@zetaab zetaab force-pushed the feat/multipleserviceaccountissuer branch from b25253f to eafa5d2 Compare April 28, 2024 08:31
@zetaab zetaab changed the title WIP: Support multiple service-account-issuers in apiserver Support multiple service-account-issuers in apiserver Apr 28, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 28, 2024
@zetaab zetaab requested review from hakman and justinsb April 28, 2024 09:16
@zetaab zetaab force-pushed the feat/multipleserviceaccountissuer branch from a012145 to e3fe7a8 Compare April 29, 2024 09:57
@zetaab zetaab force-pushed the feat/multipleserviceaccountissuer branch from e7c5cea to e60531d Compare April 29, 2024 10:06
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 29, 2024
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 29, 2024
@zetaab
Member Author

zetaab commented May 1, 2024

/retest

@zetaab
Member Author

zetaab commented May 1, 2024

/test pull-kops-e2e-aws-upgrade-k127-ko127-to-klatest-kolatest-many-addons

@justinsb
Member

justinsb commented May 3, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 3, 2024
@justinsb
Member

justinsb commented May 3, 2024

We discussed in office hours, "additional" makes sense because the first one is special.

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 3, 2024
@k8s-ci-robot k8s-ci-robot merged commit 8544f1b into kubernetes:master May 3, 2024
22 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone May 3, 2024
@zetaab zetaab deleted the feat/multipleserviceaccountissuer branch May 4, 2024 08:04
k8s-ci-robot added a commit that referenced this pull request May 4, 2024
…-upstream-release-1.28

Automated cherry pick of #16497: Support multiple service-account-issuer flags
k8s-ci-robot added a commit that referenced this pull request May 4, 2024
…-upstream-release-1.29

Automated cherry pick of #16497: Support multiple service-account-issuer flags
elliotdobson added a commit to elliotdobson/kops that referenced this pull request Jul 30, 2024
Add procedure for using `additionalServiceAccountIssuers` which was added in kubernetes#16497.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api area/nodeup area/provider/aws Issues or PRs related to aws provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/office-hours lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.