K8SSAND-799 ⁃ Add support for service account token authentication to remote clusters #83
Note that in future Kubernetes versions static service account secrets will probably be phased out in favor of ephemeral ones that are auto-renewed. Those service accounts will no longer have accompanying secrets that don't expire. Instead, the service account token is made on demand and mounted directly into the pod (and replaced when it expires). I think the plan is to enable this behaviour by default in 1.22. This would mean you'd still run into expiring credential problems.
Thanks for the references @arianvp. I need to read through those docs to better understand what is involved.
As long as I can handle the expiration and renewal via k8s APIs then it should be fine. The expiration problem I ran into required either have
The KEP mentions this about expiration:
It looks like there is a mechanism to handle expiration, but this wouldn't apply to our use case of using the token out of cluster. We will need to sync the tokens, but I don't know that using the k8s api is the best way to do that. If for some reason the token does expire before it can be synced then we might be stuck in a bad state.
In #82 I reported authentication issues with GKE. The OAuth token expires every hour and Google Cloud Tools is needed to renew it. We will face similar problems with other cloud providers. An alternative solution that is cloud provider-agnostic is to use service account tokens from the remote clusters. An approach was described in this article.
I propose that we create a script that does the following:
┆Issue is synchronized with this Jira Task by Unito
┆Epic: Multi-Cluster Deployment
┆Fix Versions: k8ssandra-operator-1.0.0-alpha.1
┆Issue Number: K8SSAND-799
┆Priority: Medium