Update Kubernetes 1.24 and kind v0.19.0 #280
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ensure that we test all the components against Kubernetes 1.24. In the future we should aim for GKE 1.27, but this is a good step forward as they are many deprecations related with this version. https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/ In particulary, we are looking at one change that has direct impact with Vault. Service Account Tokens in Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated. You can read further details here: https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24/
rnaveiras
force-pushed
the
rnaveiras-k8s-1.24-and-vault
branch
from
667d538 to
2849e9d
Compare
Avoid configuration behaviour that change across vault versions
rnaveiras
force-pushed
the
rnaveiras-k8s-1.24-and-vault
branch
from
2849e9d to
ba76f66
Compare
DragosDumitrache
approved these changes
Jun 14, 2023
| $ source <(setup-envtest use -i -p env 1.22.x) | ||
| $ # configure envtest to use k8s 1.24.x binaries | ||
| $ setup-envtest use -p path 1.24.x | ||
| $ source <(setup-envtest use -i -p env 1.24.x) |
There was a problem hiding this comment.
Not a big deal, but I'd love it if this weren't so bash centric 🥺
There was a problem hiding this comment.
haha, I feel the same way. let's see what I can do in the following PR's
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ensure that we test all the components against Kubernetes 1.24. We should aim for Kubernetes 1.27 in the future, but this is a good step forward as many behaviour changes are related to this version.
https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/
In particular, we are looking at one change that directly impacts Vault. Service Account Tokens in Kubernetes v1.24, non-expiring service account tokens are no longer auto-generated.
You can read further details here:
https://eng.d2iq.com/blog/service-account-tokens-in-kubernetes-v1.24/
How come this is working? without additional changes?
With any vault version before 1.9, this should break all the integration tests because the jwt iss validation will fail.
You can read more details about this here https://developer.hashicorp.com/vault/docs/auth/kubernetes#kubernetes-1-21
You need to enable
disable_iss_validation=trueon those versions for theauth/kubernetes/configconfiguration.From Vault 1.9.0,
disable_iss_validationandissuerare deprecated, and the default fordisable_iss_validationhas changed totruefor new Kubernetes auth mounts.