hashicorp / consul-k8s

First-class support for Consul Service Mesh on Kubernetes
https://www.consul.io/docs/k8s
Mozilla Public License 2.0
667 stars 318 forks source link

consul-auth-method service account auto generate token is impacted by Kubernetes 1.29 release | KEP-2799: Reduction of Secret-based Service Account Tokens #4140

Open MageshSrinivasulu opened 3 months ago

MageshSrinivasulu commented 3 months ago

Kubernetes 1.29 has released a feature that will impact the service account tokens that are auto-generated

https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token

The secret of the service account consul-auth-method is impacted by this issue

https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/#serviceaccount-token-clean-up

image

https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token#proposal

image

As we can see the below secret is updated with the label kubernetes.io/legacy-token-last-used

kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: consul-auth-method
    meta.helm.sh/release-name: consul
    meta.helm.sh/release-namespace: consul
  labels:
    app: consul
    app.kubernetes.io/managed-by: Helm
    chart: consul-helm
    component: auth-method
    heritage: Helm
    kubernetes.io/legacy-token-last-used: "2024-06-17"
    release: consul
  name: consul-auth-method
  namespace: consul
type: kubernetes.io/service-account-token

How does the consul plan to address this issue? Will the helm release include the manual creation of a service account secret?

MageshSrinivasulu commented 3 months ago

Can someone please comment on how to handle this issue using helm deployment?