Use patch() API call for manually created Secret which belongs to Ser…
…viceAccount
seleznev committed Aug 8, 2023
1 parent a8106c8 commit d87514d
Showing 1 changed file with 15 additions and 0 deletions.
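--- a/k8s_handle/k8s/adapters.py
+++ b/k8s_handle/k8s/adapters.py
@@ -166,6 +166,21 @@ def replace(self, parameters):
 name=self.name, body=self.body, namespace=self.namespace
 )
 
+# Use patch() for Secrets with ServiceAccount's token to preserve data fields (ca.crt, token, namespace),
+# "kubernetes.io/service-account.uid" annotation and "kubernetes.io/legacy-token-last-used" label
+# populated by serviceaccount-token controller.
+#
+# See for details:
+# https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount
+if self.kind in ['secret']:
+if ('type' in self.body and self.body['type'] == 'kubernetes.io/service-account-token' and
+'annotations' in self.body['metadata'] and
+self.body['metadata']['annotations']['kubernetes.io/service-account.name'] != ''):
+
+return getattr(self.api, 'patch_namespaced_{}'.format(self.kind))(
+name=self.name, body=self.body, namespace=self.namespace
+)
+
 if hasattr(self.api, "replace_namespaced_{}".format(self.kind)):
 return getattr(self.api, 'replace_namespaced_{}'.format(self.kind))(
 name=self.name, body=self.body, namespace=self.namespace)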
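Review bot: The subscript `self.body['metadata']['annotations']['kubernetes.io/service-account.name']` in the new condition raises KeyError when a service-account-token Secret has an `annotations` map without that key, and TypeError if `annotations` is present but null. The deploy would then crash instead of falling through to the replace call below. A tolerant lookup avoids both: `sa_name = (self.body['metadata'].get('annotations') or {}).get('kubernetes.io/service-account.name')`, followed by `if self.body.get('type') == 'kubernetes.io/service-account-token' and sa_name:`. The comment should also say that patch() merges rather than overwrites, so keys deleted from the manifest presumably stay on the live Secret; for a credential-bearing object, operators need to know that removing a field from the template does not remove it from the cluster. The body of replace() starts and ends outside this hunk.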
