hashicorp / terraform-provider-kubernetes

Terraform Kubernetes provider
https://www.terraform.io/docs/providers/kubernetes/
Mozilla Public License 2.0

Unable to bind Secret token to Service Account #2538

Closed hsalluri259 closed 4 months ago

hsalluri259 commented 5 months ago

Terraform Version, Provider Version and Kubernetes Version

Terraform version: v1.7.2
Kubernetes provider version: v2.30.0
Kubernetes version: v1.28.8

Affected Resource(s)

Terraform Configuration Files

resource "kubernetes_service_account" "example" {
  metadata {
    name      = "argocd-manager"
    namespace = "kube-system"
  }
}

resource "kubernetes_secret" "example" {
  metadata {
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account.example.metadata.0.name
    }
    namespace = "kube-system"

    name = "argocd-manager-token"
  }

  type                           = "kubernetes.io/service-account-token"
  wait_for_service_account_token = true
}

Steps to Reproduce

  1. terraform apply
  2. Kubernetes SA and Secret are created.

Expected Behavior

When I run kubectl describe sa argocd-manager, it should show the secret associated with it.

Actual Behavior

Kubernetes secret does show up in my SA.

{
    "apiVersion": "v1",
    "automountServiceAccountToken": true,
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2024-07-02T19:19:16Z",
        "name": "argocd-manager",
        "namespace": "kube-system",
        "resourceVersion": "562950580",
        "uid": "ee77ecaa-fb27-4a48-a285-36e39e3b6e6d"
    }
}

arybolovlev commented 4 months ago

Hi @hsalluri259,

I have run the provider code snippet and it works with no issues.

$ kubectl describe serviceaccount -n kube-system argocd-manager

Name:                argocd-manager
Namespace:           kube-system
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              argocd-manager-token
Events:              <none>

The token falls under its own field, Tokens, and is only displayed by kubectl describe (see above).

hsalluri259 commented 4 months ago

Yes, you're right. Since it was not created automatically it won't show in secrets when I do kubectl get secret -ojson. Thank you though for checking.
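The following is an added example, not part of the thread or the provider's code. It shows why the ServiceAccount JSON in the issue has no reference to the Secret while the token is still bound to it: the link lives in the Secret's type and annotations, not in the ServiceAccount object. The matching rule used here (type, namespace, name annotation, UID annotation) is an assumption about how the binding is resolved, and the Secret objects and helper names are constructed for illustration.

```python
TOKEN_TYPE = "kubernetes.io/service-account-token"
NAME_KEY = "kubernetes.io/service-account.name"
UID_KEY = "kubernetes.io/service-account.uid"

# ServiceAccount as shown in the issue: no "secrets" field at all.
SERVICE_ACCOUNT = {"metadata": {
    "name": "argocd-manager", "namespace": "kube-system",
    "uid": "ee77ecaa-fb27-4a48-a285-36e39e3b6e6d"}}

def make_secret(name, sa_name, sa_uid, type_=TOKEN_TYPE, ns="kube-system"):
    """Build a constructed Secret object (sample data, not real cluster output)."""
    return {"type": type_, "metadata": {
        "name": name, "namespace": ns,
        "annotations": {NAME_KEY: sa_name, UID_KEY: sa_uid}}}

SECRETS = [
    make_secret("argocd-manager-token", "argocd-manager",
                "ee77ecaa-fb27-4a48-a285-36e39e3b6e6d"),
    # Left over from an earlier ServiceAccount of the same name (constructed UID).
    make_secret("stale-token", "argocd-manager",
                "00000000-0000-0000-0000-000000000000"),
    # Right annotations, wrong type: not a token Secret.
    make_secret("lookalike", "argocd-manager",
                "ee77ecaa-fb27-4a48-a285-36e39e3b6e6d", type_="Opaque"),
]

def listed_in_sa(sa):
    """Names in the ServiceAccount's own .secrets list (empty in the issue)."""
    return [ref["name"] for ref in sa.get("secrets") or []]

def bound_token_secrets(sa, secrets):
    """Names of token Secrets whose annotations point at this ServiceAccount."""
    sa_meta = sa["metadata"]
    bound = []
    for secret in secrets:
        meta = secret.get("metadata", {})
        ann = meta.get("annotations") or {}
        if (secret.get("type") == TOKEN_TYPE
                and meta.get("namespace") == sa_meta["namespace"]
                and ann.get(NAME_KEY) == sa_meta["name"]
                and ann.get(UID_KEY) == sa_meta["uid"]):
            bound.append(meta["name"])
    return sorted(bound)

if __name__ == "__main__":
    print("listed in SA object:", listed_in_sa(SERVICE_ACCOUNT))
    print("bound token secrets:", bound_token_secrets(SERVICE_ACCOUNT, SECRETS))
```

The same function is useful as an audit: any name it returns is a long-lived token for that ServiceAccount, even though the ServiceAccount object itself lists nothing.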