Increased sa and secret creation_time difference check (#1) #1165

Closed

@amsgeodis amsgeodis commented Feb 11, 2021

Increased service_account and secret creation_time difference check to a bigger limit, 60 seconds instead of 3 seconds. If we have mutation webhooks, the secret creation can take longer.
#1104

Description

Acceptance tests

  • Have you added an acceptance test for the functionality being added?
  • Have you run the acceptance tests on this branch?

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

Release Note

Release note for CHANGELOG:

...

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

@ghost ghost added size/XS labels Feb 11, 2021

hashicorp-cla commented Feb 11, 2021

CLA assistant check
All committers have signed the CLA.

Base automatically changed from master to main March 23, 2021 15:53

erSitzt commented Oct 4, 2021

Hi everyone, can we get this merged? It's a very small change and it would help a lot of people...

This is what's happening right after running terraform:

❯ k get sa
NAME                   SECRETS   AGE
default                1         131d
vault-tokenreview      1         10s
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      <invalid>
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      <invalid>
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      <invalid>
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      <invalid>
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      <invalid>
❯
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      6s
❯
❯ k get sa
NAME                   SECRETS   AGE
default                1         131d
vault-tokenreview      1         4m28s
❯ k get secret
NAME                               TYPE                                  DATA   AGE
default-token-czq66                kubernetes.io/service-account-token   3      131d
vault-tokenreview-token-28nmc      kubernetes.io/service-account-token   3      3m46s

As you can see, it took longer than 40s for the secret to be ready... (I'm not sure why it takes that long... maybe someone has an idea about that...)

And maybe have a look at those annotations mentioned in #848.
Or correct me if my assumption is wrong :)

And for completeness' sake, as I'm having the problem now while creating SAs and not importing them:
#1104


owengo commented Jan 11, 2022

I also have the issue with EKS. 4 seconds difference between sa and secret:
Skipping <token> as it wasn't created at the same time as the service account

@github-actions github-actions bot added the stale label Nov 1, 2023
@github-actions github-actions bot closed this Dec 1, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 1, 2024
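
Added example (not the pull request's or the provider's code): the creation-time comparison discussed in this thread, evaluated for the delays reported above (4 s and roughly 42 s) with a 3-second and a 60-second window, next to a timing-independent match on the `kubernetes.io/service-account.uid` annotation that Kubernetes sets on service-account token secrets. The type and function names, the UID value and the timestamps are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

const tokenType = "kubernetes.io/service-account-token"
const uidAnnotation = "kubernetes.io/service-account.uid"

// Simplified, hypothetical stand-ins for the two Kubernetes objects.
type ServiceAccount struct {
	Name, UID string
	Created   time.Time
}
type Secret struct {
	Name, Type  string
	Annotations map[string]string
	Created     time.Time
}

// matchByTime accepts a token secret created within window of the SA.
func matchByTime(sa ServiceAccount, s Secret, window time.Duration) bool {
	diff := s.Created.Sub(sa.Created)
	if diff < 0 {
		diff = -diff
	}
	return s.Type == tokenType && diff <= window
}

// matchByUID ignores timing and compares the owner UID annotation.
func matchByUID(sa ServiceAccount, s Secret) bool {
	return s.Type == tokenType && s.Annotations[uidAnnotation] == sa.UID
}

// sample returns constructed data: a secret created delay after its SA.
func sample(delay time.Duration) (ServiceAccount, Secret) {
	t0 := time.Date(2021, 10, 4, 12, 0, 0, 0, time.UTC)
	sa := ServiceAccount{Name: "vault-tokenreview", UID: "constructed-uid-1", Created: t0}
	return sa, Secret{Name: "vault-tokenreview-token-28nmc", Type: tokenType,
		Annotations: map[string]string{uidAnnotation: sa.UID}, Created: t0.Add(delay)}
}

func main() {
	for _, d := range []time.Duration{4 * time.Second, 42 * time.Second, 90 * time.Second} {
		sa, s := sample(d)
		fmt.Println(d, matchByTime(sa, s, 3*time.Second), matchByTime(sa, s, 60*time.Second), matchByUID(sa, s))
	}
}
```

With the constructed data, the 3-second window rejects both reported delays, the 60-second window accepts them but still rejects a 90-second delay, and the UID match does not depend on timing at all.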