armory / spinnaker-tools

Apache License 2.0

spinnaker tool fails to create service account for eks 1.24 #9

Open puneetsingh23 opened 1 year ago

puneetsingh23 commented 1 year ago

cd ~/environment/spinnaker-tools
./spinnaker-tools create-service-account --kubeconfig ${SOURCE_KUBECONFIG} --context ${CONTEXT} --output ${DEST_KUBECONFIG} --namespace ${SPINNAKER_NAMESPACE} --service-account-name ${SPINNAKER_SERVICE_ACCOUNT_NAME}

error:

Using kubeconfig file /home/ec2-user/.kube/config
Using provided context {arn:aws:eks:us-east-1:xxxxxxxxxxxxxcluster/test-eksctl arn:aws:eks:us-east-1:xxxxxxxxxxx:cluster/test-eksctl}
Getting namespaces ...
Creating service account spinnaker-ws-sa ...
Created ServiceAccount spinnaker-ws-sa in namespace spinnaker
Adding cluster-admin binding to service account spinnaker-ws-sa ...
Created ClusterRoleBinding spinnaker-spinnaker-ws-sa-admin in namespace spinnaker
Getting token for service account ...
Creating Kubeconfig failed, exiting
Unable to obtain token for service account. Check you have access to the service account created.
Get secret failed: error: resource name may not be empty
exit status 1

radunicolae commented 1 year ago

Starting with k8s 1.24 service accounts no longer have the default, long lasting, token created. The tools need to be updated to create the token separately. I am getting the same error on EKS 1.24

savagekw commented 1 year ago

Got a similar error:

Getting token for service account ...
Creating Kubeconfig failed, exiting
Unable to obtain token for service account. Check you have access to the service account created.
Get secret failed: error: resource name may not be empty
exit status 1

Running on EKS: 1.25

radunicolae commented 1 year ago

I found a partial solution here https://docs.armory.io/continuous-deployment/armory-admin/manual-service-account/ , but it does not take into account k8s 1.24 changes to long-lasting tokens. My solution was to create the namespace + SA + ClusterRoleBinding + long-lasting token.

apiVersion: v1
kind: Namespace
metadata:
  name: spinnaker

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinnaker-service-account
  namespace: spinnaker

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spinnaker-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: spinnaker-service-account
  namespace: spinnaker

---

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: spinnaker-service-account-token
  namespace: spinnaker
  annotations:
    kubernetes.io/service-account.name: "spinnaker-service-account"

And then run the script below.

#!/usr/bin/env bash
set -euo pipefail

# Update these to match your environment
SERVICE_ACCOUNT_NAME=spinnaker-service-account
CONTEXT=$(kubectl config current-context)
NAMESPACE=spinnaker

NEW_CONTEXT=spinnaker
KUBECONFIG_FILE="kubeconfig-sa"

SECRET_NAME=spinnaker-service-account-token

# The token controller fills in .data.token shortly after the Secret is created,
# so the field can still be empty right after applying the manifests.
TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.data.token}')

if [ -z "${TOKEN_DATA}" ]; then
  echo "Secret ${SECRET_NAME} has no token yet; wait a few seconds and retry" >&2
  exit 1
fi

TOKEN=$(echo "${TOKEN_DATA}" | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > "${KUBECONFIG_FILE}.full.tmp"
# Switch working context to correct context
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" config use-context "${CONTEXT}"
# Minify
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" \
  config view --flatten --minify > "${KUBECONFIG_FILE}.tmp"
# Rename context
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  rename-context "${CONTEXT}" "${NEW_CONTEXT}"
# Create token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-credentials "${CONTEXT}-${NAMESPACE}-token-user" \
  --token "${TOKEN}"
# Set context to use token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --user "${CONTEXT}-${NAMESPACE}-token-user"
# Set context to correct namespace
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --namespace "${NAMESPACE}"
# Flatten/minify kubeconfig
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  view --flatten --minify > "${KUBECONFIG_FILE}"
# Remove tmp
rm "${KUBECONFIG_FILE}.full.tmp"
rm "${KUBECONFIG_FILE}.tmp"

This will generate a new kube config file using the Service Accounts token, just like spinnaker-tools used to do.
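Before handing a kubeconfig built this way to Spinnaker, it is worth confirming that the token pulled from the Secret really belongs to the intended ServiceAccount and is the long-lived kind (a legacy Secret token carries no `exp` claim, while a TokenRequest token always does). The following is an added example, not code from spinnaker-tools or from this thread; it only inspects the JWT claims, it does not verify the signature (the API server does that when the token is presented), and the sample token and `example-kid` are constructed for illustration.

```python
import base64
import json
import time

def _b64url_decode(seg: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(obj) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used for the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def sa_token_claims(token: str) -> dict:
    """Return the claims of a service-account JWT. The signature is NOT
    verified here; the API server verifies it when the token is presented."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_sa_token(token: str, namespace: str, sa_name: str,
                   secret_name: str = "") -> dict:
    """Check that the token was minted for the expected ServiceAccount (and,
    if given, the expected token Secret) and whether it is long-lived."""
    c = sa_token_claims(token)
    problems = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if c.get("sub") != expected_sub:
        problems.append(f"subject {c.get('sub')!r} != {expected_sub!r}")
    if secret_name and c.get("kubernetes.io/serviceaccount/secret.name") != secret_name:
        problems.append("token is not bound to the expected Secret")
    exp = c.get("exp")
    if exp is not None and exp < time.time():
        problems.append("token already expired")
    # Legacy Secret-based tokens carry no 'exp'; TokenRequest tokens always do.
    return {"ok": not problems, "long_lived": exp is None, "problems": problems}

# Constructed sample: legacy-style claims with a dummy signature (not verifiable).
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "example-kid"}),
    _b64url_encode({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "spinnaker",
        "kubernetes.io/serviceaccount/secret.name": "spinnaker-service-account-token",
        "sub": "system:serviceaccount:spinnaker:spinnaker-service-account",
    }),
    "dummy-signature",
])
```

On a real cluster, feed it the output of `kubectl get secret ... -o jsonpath='{.data.token}' | base64 -d` and check that `ok` and `long_lived` are both true before writing the kubeconfig.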

savagekw commented 1 year ago

Thank you for the sharing Radu. Appreciate the help.