-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rbd: create token and use it for vault SA everytime possible #3377
Conversation
de14a71
to
32dd191
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we would be completely missing the err which may have happened during createToken.
if it was something that would be helpful.
I'd prefer we make the requested changes, so we can capture both the errors if they occur,
wdyt @Madhu-1 @saiprashanth173 ?
token, err := kms.createToken(sa, c) | ||
if err == nil { | ||
return token, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
token, err := kms.createToken(sa, c) | |
if err == nil { | |
return token, nil | |
} | |
token, createTokenErr := kms.createToken(sa, c) | |
if createTokenErr == nil { | |
return token, nil | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure what the change above will cover. If we want to be more specific. Continue to fetch token from the SA only if kubernetes doesn't support TokeRequest API else return all other errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apologies, the other part of the requested changes was not posted by mistake.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great catch! Yes it makes sense to include this error as part of the final error. I updated the code to include it in the error being returned.
internal/kms/vault_sa.go
Outdated
@@ -310,7 +314,7 @@ func (kms *vaultTenantSA) getToken() (string, error) { | |||
} | |||
} | |||
|
|||
return kms.createToken(sa, c) | |||
return "", fmt.Errorf("failed to find token in ServiceAccount %s/%s", kms.Tenant, kms.tenantSAName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return "", fmt.Errorf("failed to find token in ServiceAccount %s/%s", kms.Tenant, kms.tenantSAName) | |
err = fmt.Errorf("failed to find token in ServiceAccount %s/%s", kms.Tenant, kms.tenantSAName) | |
if createTokenErr != nil { | |
err = fmt.Errorf(%w and failed to create token: %w",err, createTokenErr) | |
} | |
return "", err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We only reach here if createTokenErr is not nil
. I felt if
here is redundant. Included it as part of final error.
token, err := kms.createToken(sa, c) | ||
if err == nil { | ||
return token, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apologies, the other part of the requested changes was not posted by mistake.
use TokenRequest API by default for vault SA even with K8s versions < 1.24 Signed-off-by: Prashanth Dintyala <vdintyala@nvidia.com>
32dd191
to
ed0ea1a
Compare
Pull request has been modified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks ! ,
LGTM
Signed-off-by: Prashanth Dintyala vdintyala@nvidia.com
Describe what this PR does
Create short lived service account tokens and use them for vault SA approach even for K8s version <1.24; fall back to using token obtained from services account's secret reference (if exists).
Related issues
Fixes: #3360
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>
: retest the<job-name>
after unrelatedfailure (please report the failure too!)
/retest all
: run this in case the CentOS CI failed to start/report any testprogress or results