Add support for Kubernetes 1.24+

Kubernetes 1.24 does not create secrets for Service Accounts per default. Secrets that is needed outside of pods has to be created manually. Change-Id: I52f8e99ece5554fd0560c5ec87543f7e0dc02817
2022-12-14 23:08:42 +01:00 · 2022-12-14 23:08:42 +01:00 · 3fc03870c3
parent f7ed1eb1ea
commit 3fc03870c3
2 changed files with 25 additions and 14 deletions
--- a/nodepool/driver/kubernetes/provider.py
+++ b/nodepool/driver/kubernetes/provider.py
@ -185,29 +185,37 @@ class KubernetesProvider(Provider, QuotaSupport):
        }
        self.k8s_client.create_namespaced_service_account(namespace, sa_body)

+        secret_body = {
+            'apiVersion': 'v1',
+            'kind': 'Secret',
+            'type': 'kubernetes.io/service-account-token',
+            'metadata': {
+                'name': user,
+                'annotations': {
+                    'kubernetes.io/service-account.name': user
+                }
+            }
+        }
+        self.k8s_client.create_namespaced_secret(namespace, secret_body)
+
        # Wait for the token to be created
        for retry in range(30):
-            sa = self.k8s_client.read_namespaced_service_account(
-                user, namespace)
+            secret = self.k8s_client.read_namespaced_secret(user, namespace)
            ca_crt = None
            token = None
-            if sa.secrets:
-                for secret_obj in sa.secrets:
-                    secret = self.k8s_client.read_namespaced_secret(
-                        secret_obj.name, namespace)
-                    token = secret.data.get('token')
-                    ca_crt = secret.data.get('ca.crt')
-                    if token and ca_crt:
-                        token = base64.b64decode(
-                            token.encode('utf-8')).decode('utf-8')
-                        break
+            if secret.data:
+                token = secret.data.get('token')
+                ca_crt = secret.data.get('ca.crt')
+                if token and ca_crt:
+                    token = base64.b64decode(
+                        token.encode('utf-8')).decode('utf-8')
            if token and ca_crt:
                break
            time.sleep(1)
        if not token or not ca_crt:
            raise exceptions.LaunchNodepoolException(
-                "%s: couldn't find token for service account %s" %
-                (namespace, sa))
+                "%s: couldn't find token for secret %s" %
+                (namespace, secret))

        # Create service account role
        all_verbs = ["create", "delete", "get", "list", "patch",
--- a/nodepool/tests/unit/test_driver_kubernetes.py
+++ b/nodepool/tests/unit/test_driver_kubernetes.py
@ -64,6 +64,9 @@ class FakeCoreClient(object):
        FakeSA.secrets = [FakeSA.secret]
        return FakeSA

+    def create_namespaced_secret(self, ns, secret_body):
+        return
+
    def read_namespaced_secret(self, name, ns):
        class FakeSecret:
            data = {'ca.crt': 'ZmFrZS1jYQ==', 'token': 'ZmFrZS10b2tlbg=='}