I'm using the Terraform workload-identity module to create a Kubernetes service account (KSA) in Google Cloud. When I apply the changes, I get the warning below.
"default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above

  with module.app-workload-identity.kubernetes_service_account_v1.main,
  on ../../modules/workload-identity/main.tf line 57, in resource "kubernetes_service_account_v1" "main":
  57: resource "kubernetes_service_account_v1" "main" {

Starting from version 1.24.0 Kubernetes does not automatically generate a token for service accounts, in this case, "default_secret_name" will be empty
The workload-identity module's `main.tf`:
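locals {
  # Kept only for compatibility with anything else in this module that still
  # references it. Note it mixes formats (a full resource name when the
  # variable is empty, a bare email otherwise), so prefer the locals below.
  service_account_tmp = var.google_service_account_email == "" ? "projects/${var.project_id}/serviceAccounts/cloudsql-sa@${var.project_id}.iam.gserviceaccount.com" : var.google_service_account_email

  # The one GSA the workload may impersonate. Falls back to the project's
  # cloudsql-sa when no email is given, so that the KSA annotation, the
  # kubectl-annotate command and the IAM binding all name the SAME account.
  # Previously the binding was hard-coded to cloudsql-sa while the annotation
  # used the raw variable: with another email this either broke impersonation
  # or granted workloadIdentityUser on an account the workload never uses.
  gcp_sa_email = var.google_service_account_email == "" ? "cloudsql-sa@${var.project_id}.iam.gserviceaccount.com" : var.google_service_account_email

  # Full resource name in the form google_service_account_iam_member expects.
  service_id = "projects/${var.project_id}/serviceAccounts/${local.gcp_sa_email}"

  # Workload Identity principal for the KSA. Going through output_k8s_name
  # makes the IAM binding wait until the KSA exists.
  k8s_sa_gcp_derived_name = "serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${local.output_k8s_name}]"

  # KSA name: explicit override, else the module name.
  k8s_given_name = var.k8s_sa_name != null ? var.k8s_sa_name : var.name

  # When the KSA is managed here, read name/namespace back from the resource so
  # Terraform blocks on its creation before returning outputs.
  output_k8s_name      = var.use_existing_k8s_sa ? local.k8s_given_name : kubernetes_service_account.main[0].metadata[0].name
  output_k8s_namespace = var.use_existing_k8s_sa ? var.namespace : kubernetes_service_account.main[0].metadata[0].namespace
}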
# resource "google_service_account" "cluster_service_account" {
# GCP service account ids must be < 30 chars matching regex ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$
# KSA do not have this naming restriction.
# account_id = substr(var.name, 0, 30)
# display_name = substr("GCP SA bound to K8S SA ${local.k8s_given_name}", 0, 100)
# project = var.project_id
# }
# Namespace that hosts the KSA. It has no count, so it is always managed by
# this module, even when use_existing_k8s_sa is true.
resource "kubernetes_namespace" "k8s_namespace" {
  metadata { name = var.namespace }
}
# resource "kubernetes_secret_v1" "main" {
# metadata {
# name = var.name
# namespace = var.namespace
# annotations = {
# "kubernetes.io/service-account.name" = kubernetes_service_account_v1.main.metadata.0.name
# "kubernetes.io/service-account.namespace" = kubernetes_service_account_v1.main.metadata.0.namespace
# }
# generate_name = "${kubernetes_service_account_v1.main.metadata.0.name}-token-"
# }
# type = "kubernetes.io/service-account-token"
# wait_for_service_account_token = true
#}
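# The KSA pods run as. Its annotation tells the GKE metadata server which GSA
# to mint credentials for; the matching IAM grant is
# google_service_account_iam_member.main. No token Secret is needed for this.
resource "kubernetes_service_account" "main" {
  count = var.use_existing_k8s_sa ? 0 : 1

  metadata {
    name = var.name
    # Reference the namespace resource rather than var.namespace so Terraform
    # orders namespace creation before the service account on a fresh apply.
    namespace = kubernetes_namespace.k8s_namespace.metadata[0].name

    annotations = {
      # Single source of truth for the GSA, shared with the annotate-sa module
      # and (via local.service_id) the IAM binding.
      "iam.gke.io/gcp-service-account" = local.gcp_sa_email
    }
  }

  # NOTE(review): automount_service_account_token is left at the provider
  # default; workloads that never call the Kubernetes API could set it to
  # false to avoid mounting a KSA token they do not need -- confirm per workload.
}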
# Used only for a pre-existing KSA: patches the Workload Identity annotation
# onto it with kubectl instead of managing the object in state.
module "annotate-sa" {
  source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
  version = "~> 2.0.2"

  enabled          = var.use_existing_k8s_sa && var.annotate_k8s_sa
  project_id       = var.project_id
  cluster_name     = var.cluster_name
  cluster_location = var.location
  skip_download    = true

  # NOTE(review): the interpolated namespace, KSA name and email land unquoted
  # on a command line that the wrapper presumably runs through a shell; keep
  # those inputs constrained to DNS-label / email characters with variable
  # validation so an odd value cannot alter the command.
  kubectl_create_command  = "kubectl annotate --overwrite sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account=${local.gcp_sa_email}"
  kubectl_destroy_command = "kubectl annotate sa -n ${local.output_k8s_namespace} ${local.k8s_given_name} iam.gke.io/gcp-service-account-"
}
# Lets the KSA (as a Workload Identity principal) impersonate whatever GSA
# local.service_id resolves to (see locals). *_iam_member is additive: it adds
# this one member without replacing other holders of workloadIdentityUser.
resource "google_service_account_iam_member" "main" {
  member             = local.k8s_sa_gcp_derived_name
  role               = "roles/iam.workloadIdentityUser"
  service_account_id = local.service_id
}
As per this documentation, I tried adding a `kubernetes_secret_v1` resource (commented out above) to create a service-account token, but I still get the same warning. Two things worth noting: the warning points at `kubernetes_service_account_v1.main` on line 57, whereas the listing above declares `kubernetes_service_account.main` (non-v1, with `count`) on a different line, so the file that produced the warning is not exactly the one shown; and the commented-out secret references `kubernetes_service_account_v1.main`, which does not exist in this file. More importantly, the warning is the provider's deprecation notice for the computed `default_secret_name` attribute on clusters ≥ 1.24 (the warning text itself says no token is generated automatically any more), and Workload Identity does not use a KSA token Secret at all — the GKE metadata server issues the GCP credentials based on the `iam.gke.io/gcp-service-account` annotation and the `workloadIdentityUser` binding — so creating a long-lived token Secret is unnecessary and only widens the credential footprint. The warning can be ignored, or silenced by moving to `kubernetes_service_account_v1`, which has no `default_secret_name` attribute.
From this GitHub issue, the `kubernetes_service_account` problem has reportedly been fixed using this manifest.
I found this alternative solution, where the service accounts and their secrets are generated manually with the `kubernetes_manifest` Terraform resource.
Can you try this `main.tf` and let me know whether it works?
For more information follow this Issue.