From 753a3909c1bf32547c76b137344464921dd36812 Mon Sep 17 00:00:00 2001
From: janli
Date: Tue, 4 Jun 2024 10:37:27 -0700
Subject: [PATCH 1/3] fix: update service account creation
---
 iam-k8s.tf | 3 ++-
 k8s.tf | 21 +++++++++++++++++++--
 version.tf | 2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/iam-k8s.tf b/iam-k8s.tf
index 01fa758..20ac329 100644
--- a/iam-k8s.tf
+++ b/iam-k8s.tf
@@ -18,7 +18,8 @@ resource "aws_iam_role" "waggle_dance_k8s_role_iam" {
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
- "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.instance_alias}"
+ "${var.oidc_provider}:sub": "system:serviceaccount:${var.k8s_namespace}:${local.instance_alias}",
+ "${var.oidc_provider}:aud": "sts.amazonaws.com"
 }
 }
 }
diff --git a/k8s.tf b/k8s.tf
index 2c40801..cdb79e3 100644
--- a/k8s.tf
+++ b/k8s.tf
@@ -13,7 +13,7 @@ locals {
 k8s_cpu_limit = length(var.cpu_limit) != 0 ? var.cpu_limit / 1024 : (var.cpu / 1024) * 1.25
 }
 
-resource "kubernetes_service_account" "waggle_dance" {
+resource "kubernetes_service_account_v1" "waggle_dance" {
 count = var.wd_instance_type == "k8s" ? 1 : 0
 metadata {
 name = local.instance_alias
@@ -22,7 +22,23 @@ resource "kubernetes_service_account" "waggle_dance" {
 "eks.amazonaws.com/role-arn" = var.oidc_provider == "" ? "" : aws_iam_role.waggle_dance_k8s_role_iam[0].arn
 }
 }
- automount_service_account_token = true
+}
+
+resource "kubernetes_secret_v1" "waggle_dance" {
+ count = var.wd_instance_type == "k8s" ? 1 : 0
+ metadata {
+ name = local.instance_alias
+ namespace = var.k8s_namespace
+ annotations = {
+ "kubernetes.io/service-account.name" = local.instance_alias
+ "kubernetes.io/service-account.namespace" = var.k8s_namespace
+ }
+ }
+ type = "kubernetes.io/service-account-token"
+
+ depends_on = [
+ kubernetes_service_account_v1.waggle_dance
+ ]
 }
 
 resource "kubernetes_deployment_v1" "waggle_dance" {
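Review bot: The new `aud` condition is the right hardening, but nothing in the hunk records why it is there, and a later edit that drops it would again let any token the issuer signs for some other audience assume this role. A one-line HCL comment above the policy on the enclosing `aws_iam_role` (which starts above the hunk) would pin the intent, e.g. `# Require both the service-account subject and the STS audience so a token issued for another audience cannot assume this role.` The policy also has to line up with the fallback added to the deployment in k8s.tf: when `var.oidc_provider` is empty the condition keys degrade to `:sub`/`:aud` and this statement only grants `sts:AssumeRoleWithWebIdentity`, so the `iam.amazonaws.com/role` annotation would presumably need a separate node-role `sts:AssumeRole` statement — confirm one exists outside the hunk. Interpolating `${var.oidc_provider}` into hand-written JSON is also fragile; an `aws_iam_policy_document` data source or `jsonencode()` would remove the quoting risk.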
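Review bot: `kubernetes_secret_v1.waggle_dance` mints a `kubernetes.io/service-account-token` secret, which on 1.24+ is a long-lived, non-expiring credential kept in etcd rather than the short-lived projected token the pod already receives via `automount_service_account_token`; nothing in this patch references the secret, so either its consumer should be named or the resource dropped. If it is needed, a comment such as `# Long-lived legacy SA token required by <consumer>; remove once it can use a projected token` keeps the trade-off visible. The `depends_on` can become an implicit dependency that also keeps the name in sync: `"kubernetes.io/service-account.name" = kubernetes_service_account_v1.waggle_dance[0].metadata[0].name`. Note the secret reuses `local.instance_alias`, so a pre-existing secret of that name in `var.k8s_namespace` will fail the apply rather than be adopted. The service-account resource begins above the hunk and the deployment resource continues below it.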
@@ -55,6 +71,7 @@ resource "kubernetes_deployment_v1" "waggle_dance" {
 "prometheus.io/scrape" : var.prometheus_enabled
 "prometheus.io/port" : local.actuator_port
 "prometheus.io/path" : "/actuator/prometheus"
+ "iam.amazonaws.com/role" = var.oidc_provider == "" ? aws_iam_role.waggle_dance_k8s_role_iam[0].name : null
 }
 }
 
diff --git a/version.tf b/version.tf
index 04eca34..bad8b9e 100644
--- a/version.tf
+++ b/version.tf
@@ -9,7 +9,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 2.7.0"
+ version = ">= 2.13.0"
 configuration_aliases = [aws.remote]
 }
 datadog = {
From bc9ae35d5b97047ca3de64bed822c7fa5d80d2f3 Mon Sep 17 00:00:00 2001
From: janli
Date: Tue, 4 Jun 2024 10:43:43 -0700
Subject: [PATCH 2/3] fix: update kubernetes api
---
 k8s.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s.tf b/k8s.tf
index cdb79e3..82d1460 100644
--- a/k8s.tf
+++ b/k8s.tf
@@ -76,7 +76,7 @@ resource "kubernetes_deployment_v1" "waggle_dance" {
 }
 
 spec {
- service_account_name = kubernetes_service_account.waggle_dance[0].metadata.0.name
+ service_account_name = kubernetes_service_account_v1.waggle_dance[0].metadata.0.name
 automount_service_account_token = true
 container {
 image = "${var.docker_image}:${var.docker_version}"
From 2b27fc68cf582ce92615f3a1bbfd48779198d2b3 Mon Sep 17 00:00:00 2001
From: janli
Date: Tue, 4 Jun 2024 10:57:12 -0700
Subject: [PATCH 3/3] fix: update change log
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c28e9e0..f99a291 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
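Review bot: The new `iam.amazonaws.com/role` annotation uses `=` while the three `prometheus.io/*` keys above it use `:`; keep one form within the map, e.g. `"iam.amazonaws.com/role" : var.oidc_provider == "" ? aws_iam_role.waggle_dance_k8s_role_iam[0].name : null`. Yielding `null` for the IRSA case relies on the provider accepting a null map element; if it does not, build the annotations with `merge()` of a conditional map so the key is absent instead of null. The condition is the mirror image of the `eks.amazonaws.com/role-arn` annotation on the service account (role name when OIDC is unset, role ARN when it is), which looks like a deliberate kube2iam fallback — a comment saying so would spare the next reader the cross-reference, and it presumes `aws_iam_role.waggle_dance_k8s_role_iam[0]` exists when `var.oidc_provider` is empty, which the hunk cannot show. The enclosing deployment resource starts and ends outside the hunk.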
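Review bot: `metadata.0.name` in the updated `service_account_name` line uses the legacy dotted index; the current form is `kubernetes_service_account_v1.waggle_dance[0].metadata[0].name`. This reference was left dangling by the resource rename in PATCH 1/3, so that commit does not plan on its own; squashing the two keeps the series bisectable. The enclosing deployment resource starts and ends outside the hunk.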
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [4.5.2] - 2024-06-04 +### Updated +- Changed Service account creation to make it work with eks 1.24 and later. + ## [4.5.1] - 2024-05-08 ### Added - Adding tags to the Datadog agent