-
Notifications
You must be signed in to change notification settings - Fork 991
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds support for waiting for default service account in ns resource #2119
Adds support for waiting for default service account in ns resource #2119
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left you 1 comment but overall this makes sense – you'll need to add a line to the documentation page for kubernetes_namespace
resource with your new attribute.
// FIXME: Since the creation of the Default ServiceAccount is asynchronous to the Namespace | ||
// We need to wait some period of time, using something like d.Timeout(schema.TimeoutCreate) | ||
// is not long enough for a Kind cluster to pass without timing out (about 10 seconds). | ||
// Using an undefined word here forces the timeout to use the defaultTimeout of 20mins. | ||
// I do not consider this production ready. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand the logic here. The schema for the kubernetes_namespace
resource doesn't specify a create timeout, so if you use schema.TimeoutCreate you'll get the default of 20 minutes anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I re-tested it and it does work as you mentioned, so this must've been a mistake on my end.
Thanks!
…ount_to_namespace_resource
We are experiencing some flaky tests over in
hashicorp/vault-secrets-operator
in our project when running on low resource CI systems where we experience a race between the creation of a namespace resource and the ability to reference thedefault
serviceaccount that Kubernetes creates for every namespace. The result is that the namespace is created by tf and dependent resources on the namespace (which also depend on the default serviceaccount) will fail to be created.Some example code which we've seen hit this issue:
This results in tests that fail like:
The reason that it fails is that kubernetes will refuse to create a Secret which references a serviceaccount via annotation when the serviceaccount does not exist.
This is similar to #1943
Some workarounds which do work
default
serviceaccount.kubernetes_default_service_account
resource to provide the expected behaviour.We've also attempted to use
data
to reference the default service account but it also hits the same issue:This PR adds the optional ability to wait for the default service account to be created by Kubernetes when creating a namespace resource:
Description
Acceptance tests
Output from acceptance testing:
Release Note
Release note for CHANGELOG:
References
Community Note