Creating ServiceAccount for Kubernetes Cluster Deployment Target without using a Secret Token

Hi
I'm in the process of migrating our existing old version of Octopus Deploy to the latest on-premise version (v2023.2 Build 13175).
We use Kubernetes Cluster Deployment Targets.

When following your documentation from:

you advise to configure Kubernetes target with a service account and use the account secret as a Token.
This contradicts the official documentation from Service Accounts | Kubernetes which since v1.22 does not provide the Token as long-lived, meaning it will expire shortly after, and the Deployment Target will not authenticate.
From v1.24 they seem to not even create a secret due to security concerns.

Do you have an official other way to deploy to Kubernetes, perhaps using their TokenRequest API, which kubernetes.io recommends?

Best Regards
Søren

Hi @sn,

Great to hear from you again, that’s a great question!

Our Kubernetes Deployments are getting a lot of attention at the moment, with heaps of features being planned.

Check out our Product Roadmap where you can submit your own suggestions too, I think OIDC support in particular sounds like it would be useful here: https://roadmap.octopus.com/c/70-openid-connect-oidc-octopus-as-resource-server

For cloud-hosted clusters we’ve added support for short-lived tokens via the relevant tooling (aws-cli/kubelogin etc.); however, it looks like on-prem clusters haven’t been adjusted just yet.

I did notice that K8s suggests using certificates as an alternative option; however, I’ll check in with the devs about our plans for incorporating the TokenRequest API and will keep you posted with any updates from them:

For example, your external application can authenticate using a well-protected private key and a certificate,

Feel free to reach out with any questions in the meantime at all!

Best Regards,
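
An added example, not part of the thread and not Octopus or Kubernetes code: one way to check which kind of service account token a deployment target holds, and when it expires, by decoding the token's claims without verifying the signature. The sample tokens, the `deploy` namespace and the `octopus` account name are constructed for illustration.

```python
import base64
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string (demo input only)."""
    parts = [{"alg": "RS256", "typ": "JWT"}, claims]
    encoded = [_b64url(json.dumps(p).encode()) for p in parts]
    return ".".join(encoded + [_b64url(b"constructed-signature")])


def decode_claims(token):
    """Decode the JWT payload without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token, now=None):
    """Say whether a token is Secret-based or bound, and when it expires."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if "kubernetes.io/serviceaccount/secret.name" in claims:
        kind = "secret-based"          # read from a Secret, carries no exp
    elif isinstance(claims.get("kubernetes.io"), dict):
        kind = "bound"                 # issued through the TokenRequest API
    else:
        kind = "unknown"
    exp = claims.get("exp")
    return {"subject": claims.get("sub"), "kind": kind,
            "seconds_left": None if exp is None else int(exp - now),
            "expired": exp is not None and exp <= now}


# Constructed claims; namespace "deploy" and account "octopus" are made up.
SUB = "system:serviceaccount:deploy:octopus"
LEGACY = make_sample_token({
    "iss": "kubernetes/serviceaccount", "sub": SUB,
    "kubernetes.io/serviceaccount/secret.name": "octopus-token"})
BOUND = make_sample_token({
    "iss": "https://kubernetes.default.svc", "sub": SUB, "exp": 1700003600,
    "kubernetes.io": {"serviceaccount": {"name": "octopus"}}})
```

Pass a real token string to `classify` to see its kind and remaining lifetime; the decode does not validate the signature, so treat the result as inspection output only.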
