Hey !
I would like use gtoken in cronjob.
It's work but po doesn't finish.
It still stay with "status: Not Ready" because after po execution, update-gcp-id-token restart :

Normal Started 3m26s kubelet Started container check-certif
Normal Pulling 3m26s kubelet Pulling image "doitintl/gtoken:latest"
Normal Pulled 3m26s kubelet Successfully pulled image "doitintl/gtoken:latest" in 248.821135ms (248.835925ms including waiting)
Normal Created 3m26s kubelet Created container update-gcp-id-token
Normal Started 3m26s kubelet Started container update-gcp-id-token

I can't stop "update-gcp-id-token" for cronjob please ?

Thanks !

Hi.

The variable $GSA_SA came up in AWS: Create AWS IAM Role with Google OIDC Web Identity.

Where is this defined?

Thank you.

The following warnings were issues with recent deployment attempt

./deployment/webhook-create-signed-cert.sh:
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest

kubectl create -f deployment/mutatingwebhook-bundle.yaml
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration

Please see https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
At least kube-system ns should be excluded

kubectl run is deprecated and --serviceaccout does not work

I've deployed gtoken as mentioned in read me. But I couldn't achieve to access aws resource. Actually, webhook doesn't run properly. I couldn't see any log in webhook pod. there is only following logs
time="2023-03-24T09:26:19Z" level=info msg="listening on https://:8443"

when I tried aws command in test pod I saw the following error.
Unable to locate credentials. You can configure credentials by running "aws configure".

Also, I couldn't see any environment variables related with AWS in test pod after creation. I expect webhook adds some aws related variables after pod creation.

Hey I notice we use KSA_NAMESPACE parameter in README just one time, then we proceed using K8S_NAMESPACE nomenclature, so I guess it is a typo?

Anyway, I can't PR to it, just reporting what I found while following the tutorial.

BTW, great tool :)

I create a pod with below config:

############

testpod.yaml

############
apiVersion: v1
kind: Pod
metadata:
name: test-job
spec:
serviceAccountName: saname
restartPolicy: Never
containers:
- name: test-pod
image: ubuntu
command:
- /bin/sleep
- "10"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi

############

CMD: kubectl -f testpod.yaml

After the sleep command finished, it does not terminated,

CMD: kubectl get pod
test-job 1/2 Running 0 5m26s

CMD: kubectl describe pod test-job
.
.
Containers:
test-pod:
Container ID: docker://d6a95538e748e9585af2e11f62d2f9f65bc7a7c5cb01d01357985cb0e7fd56f3
Image: ubuntu
Image ID: docker-pullable://ubuntu@sha256:c95a8e48bf88e9849f3e0f723d9f49fa12c5a00cfc6e60d2bc99d87555295e4c
Port:
Host Port:
Command:
/bin/sleep
10
State: Terminated
Reason: Completed
Exit Code: 0
Started: Tue, 15 Dec 2020 11:18:59 +0800
Finished: Tue, 15 Dec 2020 11:19:09 +0800
Ready: False
Restart Count: 0
.
.
.
update-gcp-id-token:
Container ID: docker://88ec093929b3c648b032448d17de5f46fb6be9bdcc5e78247acac1a16cf9dcbc
Image: doitintl/gtoken:latest
Image ID: docker-pullable://doitintl/gtoken@sha256:cb9647b375f579e378e957ed80dfa6259667987cf87835b10b125dc5b175b31d
Port:
Host Port:
Command:
/gtoken
--file=/var/run/secrets/aws/token/gtoken
--refresh=true
State: Running
Started: Tue, 15 Dec 2020 11:19:00 +0800
Ready: True
Restart Count: 0

#########

It seems like the update-gcp-id-token does not terminated.
Is it possible to terminate update-gcp-id-token after test-pod fininshed?

Thank you!

it looks like the #8 was removed from the source code causing crashes

Hi,

Your gtoken approach works like a charm for access to S3. But I was wondering if you have tried/confirmed it with other AWS services, for example ECR to pull images?

Kind regards,

Eric Van Steenbergen