terraform-provider-kubernetes: Secret type service-account-token cannot be created

Terraform Version

terraform -v
Terraform v0.11.10
+ provider.kubernetes v1.4.0

Affected Resource(s)

  • kubernetes_secret

Terraform Configuration Files

provider "kubernetes" {
  version = "~> 1.4"
}

resource "kubernetes_secret" "sa-secret" {
  type = "kubernetes.io/service-account-token"
  metadata = {
    name      = "some_name"
  }
}

Debug Output

* kubernetes_secret.sa-secret: 1 error(s) occurred: 
* kubernetes_secret.sa-secret: Secret "some_name" is invalid: metadata.annotations[kubernetes.io/service-account.name]: Required value

Setting the annotation via terraform produces another error:

resource "kubernetes_secret" "sa-secret" {
  type = "kubernetes.io/service-account-token"
  metadata = {
    name      = "some_name"
    annotations {
      "kubernetes.io/service-account-token.name" = "service_account_name"
    }
  }
}

results in

Error: kubernetes_secret.sa-secret: metadata.0.annotations: "kubernetes.io/service-account-token.name" is internal Kubernetes annotation

Expected Behavior

Create a secret type service-account-token

Actual Behavior

Error exit 1

Background Information

I am trying to script my HashiCorp Vault configuration. I want to create a secret I can reference with a static name and then grant my Vault backend config based on the service account's token stored in the secret.

For reading the secret I am waiting for https://github.com/terraform-providers/terraform-provider-kubernetes/pull/243 to be merged.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 6
  • Comments: 15 (3 by maintainers)

Most upvoted comments

@cupojoe yes, removing the type property creates a simple secret. ServiceAccount secrets mount their values into a folder in the pod (/var/run/secrets/kubernetes.io/serviceaccount/token), which can then be used e.g. in initContainers to authenticate against HashiCorp's Vault. A simple secret is not enough because I need kube API access.

You need to specify namespace for the secret. This is the correct example that works for me:

resource "kubernetes_secret" "gitlab_admin_sa_secret" {
  metadata {
    name = "gitlab-admin-secret"
    namespace = "kube-system"
    annotations = {
      "kubernetes.io/service-account.name" = "${kubernetes_service_account.gitlab_admin_sa.metadata.0.name}"
    }
  }
  data = {
    token = "${var.gitlab_admin_token}"
  }
  type = "kubernetes.io/service-account-token"
}
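A pre-apply sanity check for the manifest shape this thread settles on (namespace set, valid name, and the kubernetes.io/service-account.name annotation rather than the rejected service-account-token.name key), written as an added Python example that is not code from the thread or from the provider. The REPORTED and CORRECTED manifests are constructed here from the two configurations above, and the DNS-subdomain pattern is the one Kubernetes applies to metadata.name.

```python
import re

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
# Annotation the API server requires on a service-account-token Secret.
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"
# Key used by mistake in the report above; the provider rejects it as internal.
WRONG_SA_ANNOTATION = "kubernetes.io/service-account-token.name"
# RFC 1123 subdomain, the character set Kubernetes allows in metadata.name.
DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def validate_sa_token_secret(secret: dict) -> list:
    """Return the problems found in a Secret manifest (empty list = looks valid)."""
    problems = []
    meta = secret.get("metadata") or {}
    name = meta.get("name") or ""
    if len(name) > 253 or not DNS_SUBDOMAIN.match(name):
        problems.append(f"metadata.name {name!r} is not a valid DNS subdomain")
    if not meta.get("namespace"):
        problems.append("metadata.namespace is not set")
    if secret.get("type") != SA_TOKEN_TYPE:
        return problems  # other Secret types carry no service-account annotation
    annotations = meta.get("annotations") or {}
    if WRONG_SA_ANNOTATION in annotations:
        problems.append(f"{WRONG_SA_ANNOTATION} is internal; use {SA_NAME_ANNOTATION}")
    if not annotations.get(SA_NAME_ANNOTATION):
        problems.append(f"metadata.annotations[{SA_NAME_ANNOTATION}] is required")
    return problems


# Constructed manifests mirroring the two configurations quoted in this thread.
REPORTED = {
    "type": SA_TOKEN_TYPE,
    "metadata": {"name": "some_name",
                 "annotations": {WRONG_SA_ANNOTATION: "service_account_name"}},
}
CORRECTED = {
    "type": SA_TOKEN_TYPE,
    "metadata": {"name": "gitlab-admin-secret", "namespace": "kube-system",
                 "annotations": {SA_NAME_ANNOTATION: "gitlab-admin-sa"}},
}

if __name__ == "__main__":
    for label, manifest in (("reported", REPORTED), ("corrected", CORRECTED)):
        print(label, validate_sa_token_secret(manifest) or ["ok"])
```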

I believe the annotation should be "kubernetes.io/service-account.name" = "service_account_name" instead of "kubernetes.io/service-account-token.name" = "service_account_name"

But then on secret creation I have this weird error: Error: secrets "alb-ingress-controller" not found

Terraform doesn't seem to like the type property with this value type = "kubernetes.io/service-account-token"