add a Service Account token volume projection to create a JSON Web To…

…ken and OpenID Connect (OIDC) ID Token for the example.com audience
rgl · Mar 8, 2024 · e1d388e · e1d388e
1 parent d87f7c0
commit e1d388e
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -14,6 +14,20 @@ This will:
 * Create the Elastic Container Registry (ECR) repositories declared on the
   [`source_images` global variable](config.tm.hcl), and upload the corresponding container
   images.
+* Demonstrate how to automatically deploy the [`kubernetes-hello` workload](stacks/eks-workloads/kubernetes-hello.tf).
+  * Show its environment variables.
+  * Show its tokens, secrets, and configs (config maps).
+  * Show its pod name and namespace.
+  * Show the containers running inside its pod.
+  * Show its memory limits.
+  * Show its cgroups.
+  * Expose as a Kubernetes `LoadBalancer` `Service`.
+    * Note that this results in the creation of an [EC2 Classic Load Balancer (CLB)](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/introduction.html).
+  * Use [Role and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
+  * Use [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/).
+  * Use [Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
+  * Use [ServiceAccount](https://kubernetes.io/docs/concepts/security/service-accounts/).
+  * Use [Service Account token volume projection (a JSON Web Token and OpenID Connect (OIDC) ID Token)](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) for the `https://example.com` audience.
 * Demonstrate how to automatically deploy the [`otel-example` workload](stacks/eks-workloads/otel-example.tf).
   * Expose as a Kubernetes `LoadBalancer` `Service`.
     * Note that this results in the creation of an [EC2 Classic Load Balancer (CLB)](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/introduction.html).

diff --git a/config.tm.hcl b/config.tm.hcl
@@ -25,7 +25,7 @@ globals {
       # see https://github.com/rgl/kubernetes-hello
       name = "docker.io/ruilopes/kubernetes-hello"
       # renovate: datasource=docker depName=ruilopes/kubernetes-hello
-      tag = "v0.0.0.202402130912-test"
+      tag = "v0.0.0.202403070852-test"
     }
   }
 }

diff --git a/stacks/ecr/_inputs.auto.tfvars b/stacks/ecr/_inputs.auto.tfvars
@@ -4,7 +4,7 @@ environment = "dev"
 images = {
   kubernetes-hello = {
     name = "docker.io/ruilopes/kubernetes-hello"
-    tag  = "v0.0.0.202402130912-test"
+    tag  = "v0.0.0.202403070852-test"
   }
   otel-example = {
     name = "ghcr.io/rgl/opentelemetry-dotnet-playground"

diff --git a/stacks/eks-workloads/_inputs.auto.tfvars b/stacks/eks-workloads/_inputs.auto.tfvars
@@ -7,7 +7,7 @@ region       = "eu-west-1"
 source_images = {
   kubernetes-hello = {
     name = "docker.io/ruilopes/kubernetes-hello"
-    tag  = "v0.0.0.202402130912-test"
+    tag  = "v0.0.0.202403070852-test"
   }
   otel-example = {
     name = "ghcr.io/rgl/opentelemetry-dotnet-playground"

diff --git a/stacks/eks-workloads/kubernetes-hello.tf b/stacks/eks-workloads/kubernetes-hello.tf
@@ -112,9 +112,12 @@ resource "kubernetes_service_v1" "kubernetes_hello" {
 }
 
 # see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+# see https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken
+# see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deployment-v1-apps
 # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podtemplatespec-v1-core
 # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#serviceaccounttokenprojection-v1-core
 # see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment_v1
 resource "kubernetes_deployment_v1" "kubernetes_hello" {
   metadata {
@@ -167,6 +170,11 @@ resource "kubernetes_deployment_v1" "kubernetes_hello" {
               }
             }
           }
+          volume_mount {
+            name       = "tokens"
+            read_only  = true
+            mount_path = "/var/run/secrets/tokens"
+          }
           volume_mount {
             name       = "secrets"
             read_only  = true
@@ -192,6 +200,28 @@ resource "kubernetes_deployment_v1" "kubernetes_hello" {
             }
           }
         }
+        volume {
+          name = "tokens"
+          projected {
+            sources {
+              # NB the kubelet will periodically rotate this token.
+              # NB the token is rotated when its older than 80% of its time
+              #    to live or if the token is older than 24h.
+              # NB in production, set to a higher value (e.g. 3600 (1h)).
+              # NB the minimum allowed value is 600 (10m).
+              # NB this is equivalent of using the TokenRequest API.
+              #    see https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/
+              # NB this is equivalent of executing:
+              #       kubectl create token kubernetes-hello --audience example.com --duration 600s
+              #    see https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_token/
+              service_account_token {
+                path               = "example.com-jwt.txt"
+                audience           = "https://example.com"
+                expiration_seconds = 600
+              }
+            }
+          }
+        }
         volume {
           name = "secrets"
           secret {