Do not use long-lived service account tokens in secrets

Co-authored-by: Ryan Richard <richardry@vmware.com>
2026-01-08 23:23:39 +00:00 · 2023-10-20 15:28:53 -05:00
parent dc1d563549
commit 2603bbfcd6
27 changed files with 1462 additions and 138 deletions
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -2050,6 +2050,7 @@ func createServiceAccountToken(ctx context.Context, t *testing.T, adminClient ku
 			Delete(context.Background(), serviceAccount.Name, metav1.DeleteOptions{}))
 	})

+	// TODO: What is this used for?
 	secret, err := adminClient.CoreV1().Secrets(namespaceName).Create(ctx, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "int-test-service-account-token-",
--- a/test/integration/concierge_whoami_test.go
+++ b/test/integration/concierge_whoami_test.go
@@ -89,6 +89,7 @@ func TestWhoAmI_ServiceAccount_Legacy_Parallel(t *testing.T) {
 	}, metav1.CreateOptions{})
 	require.NoError(t, err)

+	// TODO: What is this used for?
 	secret, err := kubeClient.Secrets(ns.Name).Create(ctx, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "test-whoami-",
--- a/test/integration/pod_shutdown_test.go
+++ b/test/integration/pod_shutdown_test.go
@@ -32,11 +32,24 @@ func TestPodShutdown_Disruptive(t *testing.T) {
 	env := testlib.IntegrationEnv(t, testlib.SkipPodRestartAssertions()).
 		WithKubeDistribution(testlib.KindDistro)

-	testShutdownAllPodsOfApp(t, env, env.ConciergeNamespace, env.ConciergeAppName, "-kube-cert-agent-")
-	testShutdownAllPodsOfApp(t, env, env.SupervisorNamespace, env.SupervisorAppName, "")
+	shutdownAllPodsOfApp(t, env, env.ConciergeNamespace, env.ConciergeAppName, true)
+	shutdownAllPodsOfApp(t, env, env.SupervisorNamespace, env.SupervisorAppName, false)
 }

-func testShutdownAllPodsOfApp(t *testing.T, env *testlib.TestEnv, namespace string, appName string, ignorePodsWithNameSubstring string) {
+func shutdownAllPodsOfApp(
+	t *testing.T,
+	env *testlib.TestEnv,
+	namespace string,
+	appName string,
+	isConcierge bool,
+) {
+	t.Helper()
+
+	ignorePodsWithNameSubstring := ""
+	if isConcierge {
+		ignorePodsWithNameSubstring = "-kube-cert-agent-"
+	}
+
 	// Precondition: the app should have some pods running initially.
 	initialPods := getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
 	require.Greater(t, len(initialPods), 0)
@@ -114,6 +127,12 @@ func testShutdownAllPodsOfApp(t *testing.T, env *testlib.TestEnv, namespace stri
 			"did not find expected message in pod log for pod %q", pl.pod.Name)
 		require.Containsf(t, pl.logsBuf.String(), `[graceful-termination] apiserver is exiting`,
 			"did not find expected message in pod log for pod %q", pl.pod.Name)
+
+		if isConcierge {
+			require.Containsf(t, pl.logsBuf.String(), `fetch-impersonation-proxy-tokens start hook's background goroutine has finished`,
+				"did not find expected message in pod log for pod %q", pl.pod.Name)
+		}
+
 		t.Logf("found expected graceful-termination messages in the logs of pod %q", pl.pod.Name)
 	}