✨ Kubernetes v1.24 upgrade

[dependabot]

I'm gonna take this over from dependabot. Looking into this, this is a bigger task to do. Essentially:

• bump kubernetes to 1.24
• split go.mod into main and e2e modules so we don't need the argo/flux dependencies in the main mod
  This is needed because argo doesn't integrate with 1.23 yet
• migrate kubernetes and vault provider to NOT fetch the service account tokens via Kind=Secret and instead use TokenRequest API
  • research: impact on existing vault users
• extend the serviceAccountRef to include a audience field
• refactor kubernetes provider to match provider/client interfaces (should do with vault in the future, too)
• fix e2e tests

Impact for Vault Users

When using TokenRequest API the issuer claim changes from kubernetes/serviceaccount to https://<controlplane-api-endpoint>. From vault's perspective this can be a breaking change if the config param is set to this value: disable_issuer_validation=false. By default (Vault >= 1.9) this value is false. Users may set that value to true but this flag has been deprecated and should not be used. Instead, issuer validation is disabled by default.

So you're affected if:

• you're running Vault < 1.9 and have not set disable_issuer_validation=true
• your running Vault >= 1.9 and have set disable_issuer_validation=false

Impact for Kubernetes Users

• TokenRequest API is beta since 1.12 and enabled by default
• there should be no impact for users

---

Bumps sigs.k8s.io/controller-runtime from 0.11.2 to 0.12.3.

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.12.3

What's Changed

• ✨ Provide access to admission.Request in custom validator/defaulter in kubernetes-sigs/controller-runtime#1952

Full Changelog: kubernetes-sigs/controller-runtime@v0.12.2...v0.12.3

v0.12.2

changes since v0.12.1

✨ New Features

• Allow TLS to be entirely configured on webhook server (#1914)

🐛 Bug Fixes

• Fix webhook write response error for broken HTTP connection (#1931)
• Fix issue with starting multiple test envs (#1913)
• don't override global log in builder (#1911)

Thanks to all our contributors!

v0.12.1

changes since v0.12.0

🐛 Bug Fixes

• fix loading CRDs from multiple directories in envtests (#1905)

Thanks to all our contributors!

v0.12.0

changes since v0.11.2

⚠️ Breaking Changes

• make fake client delete operations honor dry run opt (#1873)
• logging: align to Kubernetes structured logging, add reconcileID (#1827)
• leaderelection: use 'leases' as default resource lock object (#1773)

✨ New Features

• certwatcher: add metrics to monitor certificate reads (#1877)
• Bump to k8s.io v1.24.0 (#1885)
• Bump to k8s.io v1.24.0-rc.1 (#1879)
• return a bool from AddFinalizer and RemoveFinalizer (#1636)
• update client-go to 1.24-beta (#1864)
• Add BaseContext to manager Options for use with Runnables (#1846)
• Upgrade k8s dependencies from 1.23.0 to 1.23.5 (#1843)
• Add Kubernetes Gomega extension with to make testing controllers easier (#1767)

... (truncated)

Commits

• cd0058a Merge pull request #1952 from k8s-infra-cherrypick-robot/cherry-pick-1950-to-...
• b698f2b Provide access to admission.Request in custom validator/defaulter
• f561596 ✨ Bump k8s.io packages to v1.24.2 (#1940)
• 697e66d Merge pull request #1931 from k8s-infra-cherrypick-robot/cherry-pick-1930-to-...
• 0d4500b Fix webhook write response error for broken HTTP connection
• d15de97 Merge pull request #1914 from k8s-infra-cherrypick-robot/cherry-pick-1897-to-...
• 54d6a15 Allow TLS config to be entirely configured on webhook server
• 160efcb Merge pull request #1913 from k8s-infra-cherrypick-robot/cherry-pick-1910-to-...
• 6c84577 Fix issue with starting multiple test envs
• 1efdbd7 Merge pull request #1911 from k8s-infra-cherrypick-robot/cherry-pick-1907-to-...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[paul-the-alien]

Greetings!
Thank you for contributing to this project!
If this is your first time contributing, please make
sure to read the Developer and Contributing Process guides.
Please also mind and follow our Code of Conduct.

Useful commands:

• make fmt: Formats the code
• make check-diff: Ensures the branch is clean
• make reviewable: Ensures a PR is ready for review

[ghost]

👇 Click on the image for a new way to code review

• Make big changes easier — review code in small groups of related files

• Know where to start — see the whole change at a glance

• Take a code tour — explore the change with an interactive tour

• Make comments and review — all fully sync’ed with github

  Try it now!

Legend

[moolen]

// moved contents to first post ☝️

[moolen]

vault provider tries to use the same mechanics as before. If they fail (they will with 1.24+) - it'll try to use the TokenRequest API.

This may cause issues if a user sets disable_issuer_validation=false - this is deprecated and with vault 1.9 it's set by default to true.

[moolen]

Kubernetes provider will migrate to the new TokenRequest API. I don't see a need to keep the old ServiceAccount.Secrets[] approach.

[moolen]

we're still using an old version <1.9 of vault in our e2e tests, hence we gotta fix the issuer validation

[moolen]

I want to deprecate this in favor of serviceAccountRef.Audiences[].

It looks like expirationSeconds is not needed because we generate a service account token on the fly and use it only once. There is no replacement for expirationSeconds

[moolen]

The idea is to add that audiences everywhere. provider can use/set a default which can be extended with this field.
It has been implemented for all providers.

[moolen]

/ok-to-test-managed sha=e5ed381 provider=aws

[moolen]

/ok-to-test-managed sha=e5ed381 provider=gcp

[github-actions]

💰 Infracost estimate: monthly cost will increase by $235 📈

Project	Previous	New	Diff
external-secrets/external-secrets/terraform/aws/plan.json	$0	$235	+$235

Infracost output

Project: external-secrets/external-secrets/terraform/aws/plan.json

+ module.cluster.module.eks.aws_cloudwatch_log_group.this[0]
  Monthly cost depends on usage

    + Data ingested
      Monthly cost depends on usage
        +$0.50 per GB

    + Archival Storage
      Monthly cost depends on usage
        +$0.03 per GB

    + Insights queries data scanned
      Monthly cost depends on usage
        +$0.005 per GB

+ module.cluster.module.eks.aws_eks_cluster.this[0]
  +$73.00

    + EKS cluster
      +$73.00

+ module.cluster.module.eks.module.eks_managed_node_group["example"].aws_eks_node_group.this[0]
  +$125

    + Instance usage (Linux/UNIX, on-demand, t3.large)
      +$121

    + CPU credits
      $0.00

    + Storage (general purpose SSD, gp2)
      +$4.00

+ module.cluster.module.vpc.aws_cloudwatch_log_group.flow_log[0]
  Monthly cost depends on usage

    + Data ingested
      Monthly cost depends on usage
        +$0.50 per GB

    + Archival Storage
      Monthly cost depends on usage
        +$0.03 per GB

    + Insights queries data scanned
      Monthly cost depends on usage
        +$0.005 per GB

+ module.cluster.module.vpc.aws_eip.nat[0]
  +$3.65

    + IP address (if unused)
      +$3.65

+ module.cluster.module.vpc.aws_nat_gateway.this[0]
  +$32.85

    + NAT gateway
      +$32.85

    + Data processed
      Monthly cost depends on usage
        +$0.045 per GB

Monthly cost change for external-secrets/external-secrets/terraform/aws/plan.json
Amount:  +$235 ($0.00 → $235)

──────────────────────────────────
Key: ~ changed, + added, - removed

58 cloud resources were detected:
∙ 6 were estimated, 4 of which include usage-based costs, see https://infracost.io/usage-file
∙ 49 were free:
  ∙ 13 x aws_security_group_rule
  ∙ 6 x aws_iam_role_policy_attachment
  ∙ 6 x aws_route_table_association
  ∙ 6 x aws_subnet
  ∙ 4 x aws_iam_role
  ∙ 4 x aws_security_group
  ∙ 2 x aws_route
  ∙ 2 x aws_route_table
  ∙ 1 x aws_flow_log
  ∙ 1 x aws_iam_openid_connect_provider
  ∙ 1 x aws_iam_policy
  ∙ 1 x aws_internet_gateway
  ∙ 1 x aws_launch_template
  ∙ 1 x aws_vpc
∙ 3 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 3 x aws_eks_addon

This comment will be updated when the cost estimate changes.

_{Is this comment useful? Yes, No, Other}

[moolen]

/ok-to-test-managed sha=e5ed381 provider=aws

[moolen]

@gusfcarvalho if you have some time to review 🙏 I left comments to explain a little bit of background.

[gusfcarvalho]

Sorry @moolen, I've been quite busy here! I'll take a look by the end of the week with no delays 🙏

[gusfcarvalho]

just ran tests around the bump itself and the ability to generate tokens with Hashivault - it works very well.

IMO, disable_iss_validation is not an issue even, because it would still happen for any k8s version >1.21 anyways. I think we're good to go.

[gusfcarvalho]

/approve

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
1 Code Smell

No Coverage information
0.0% Duplication