(feat) Make token indefinite

When registering the management cluster, register-mgmt-cluster can be passed
this arg: `service-account-token=true`

When that is set, register-mgmt-cluster creates a Secret of type
`kubernetes.io/service-account-token`
Instead of generating a token with an expiration, the token is taken
from the newly created Secret.

.github/workflows/main.yaml

@@ -43,4 +43,17 @@ jobs:
     - name: fv
       run: make create-cluster fv
       env:
-        FV: true
+        FV: true
+  FV_SA_SECRET:
+    runs-on: ubuntu-latest
+    steps:
+    - name: checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Set up Go
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      with:
+        go-version: 1.23.4
+    - name: fv
+      run: make create-cluster-service-account-token-mode fv
+      env:
+        FV: true        

.gitignore

@@ -31,4 +31,7 @@ manager_pull_policy.yaml-e
 manager_auth_proxy_patch.yaml-e
 k8s/manifest.yaml-e
 
+test/manifest.yaml
+test/patched_manifest.yaml
+
 version.txt

Makefile

@@ -157,8 +157,7 @@ CLUSTER_NAME ?= sveltos
 TIMEOUT ?= 10m
 NUM_NODES ?= 2
 
-.PHONY: create-cluster
-create-cluster: $(KIND) $(KUBECTL) manifests ## Create a new kind cluster designed for development
+prepare-cluster:
 	sed -e "s/K8S_VERSION/$(K8S_VERSION)/g"  test/$(KIND_CONFIG) > test/$(KIND_CONFIG).tmp
 	$(KIND) create cluster --name=$(CLUSTER_NAME) --config test/$(KIND_CONFIG).tmp
 
@@ -170,14 +169,22 @@ create-cluster: $(KIND) $(KUBECTL) manifests ## Create a new kind cluster design
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_debuggingconfigurations.lib.projectsveltos.io.yaml
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/libsveltos/$(TAG)/manifests/apiextensions.k8s.io_v1_customresourcedefinition_sveltosclusters.lib.projectsveltos.io.yaml
 
-	# Install projectsveltos register-mgmt-cluster components
-	@echo 'Install projectsveltos register-mgmt-cluster components'
-	sed -e 's@image: .*@image: '"$(CONTROLLER_IMG):$(TAG)"'@' ./k8s/manifest.yaml  | $(KUBECTL) apply -f -
-
 	# Install sveltoscluster-manager
 	$(KUBECTL) apply -f https://raw.githubusercontent.com/projectsveltos/sveltoscluster-manager/$(TAG)/manifest/manifest.yaml
 
 
+.PHONY: create-cluster
+create-cluster: $(KIND) $(KUBECTL) manifests ## Create a new kind cluster designed for development
+	$(MAKE) prepare-cluster
+
+	$(MAKE) deploy-projectsveltos
+
+.PHONY: create-cluster-service-account-token-mode
+create-cluster-service-account-token-mode: $(KIND) $(KUBECTL) manifests ## Create a new kind cluster designed for development. Starts register-mgmt-cluster with service-account-token=true
+	$(MAKE) prepare-cluster
+
+	$(MAKE) deploy-projectsveltos-service-account-token-mode
+
 .PHONY: delete-cluster
 delete-cluster: $(KIND) ## Deletes the kind cluster $(CLUSTER_NAME)
 	$(KIND) delete cluster --name $(CLUSTER_NAME)
@@ -189,3 +196,12 @@ kind-test: test create-cluster fv ## Build docker image; start kind cluster; loa
 fv: $(KUBECTL) $(GINKGO) ## Run Sveltos Controller tests using existing cluster
 	cd test/fv; $(GINKGO) -nodes $(NUM_NODES) --label-filter='FV' --v --trace --randomize-all
 
+.PHONY: deploy-projectsveltos
+deploy-projectsveltos: # Install projectsveltos register-mgmt-cluster
+	@echo 'Install projectsveltos register-mgmt-cluster'
+	sed -e 's@image: .*@image: '"$(CONTROLLER_IMG):$(TAG)"'@' ./k8s/manifest.yaml  | $(KUBECTL) apply -f -
+
+deploy-projectsveltos-service-account-token-mode: $(KUBECTL)
+	sed -e 's@image: .*@image: '"$(CONTROLLER_IMG):$(TAG)"'@' ./k8s/manifest.yaml > test/manifest.yaml
+	sed -e "s/service-account-token=false/service-account-token=true/g"  test/manifest.yaml > test/patched_manifest.yaml
+	$(KUBECTL) apply -f test/patched_manifest.yaml

cmd/main.go

@@ -36,6 +36,7 @@ var (
 	labels                  string
 	sveltosClusterNamespace string
 	sveltosClusterName      string
+	serviceAccountToken     bool
 )
 
 const (
@@ -108,6 +109,9 @@ func initFlags(fs *pflag.FlagSet) {
 
 	fs.StringVar(&sveltosClusterName, "name", "mgmt",
 		"This option allows you to specify the name of the SveltosCluster instance representing the management cluster")
+
+	fs.BoolVar(&serviceAccountToken, "service-account-token", false,
+		"This option instructs Sveltos to create a Secret of type kubernetes.io/service-account-token instead of generating a token associated to ServiceAccount")
 }
 
 func registerManagementCluster(ctx context.Context, restConfig *rest.Config, c client.Client,
@@ -172,13 +176,26 @@ func generateKubeconfigForServiceAccount(ctx context.Context, restConfig *rest.C
 		return "", err
 	}
 
-	tokenRequest, err := getServiceAccountTokenRequest(ctx, restConfig, namespace, serviceAccountName, expirationSeconds, logger)
-	if err != nil {
-		return "", err
+	var token string
+	if serviceAccountToken {
+		if err := createSecret(ctx, c, namespace, serviceAccountName, logger); err != nil {
+			return "", err
+		}
+		var err error
+		token, err = getToken(ctx, c, namespace, serviceAccountName)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		tokenRequest, err := getServiceAccountTokenRequest(ctx, restConfig, namespace, serviceAccountName, expirationSeconds, logger)
+		if err != nil {
+			return "", err
+		}
+		token = tokenRequest.Token
 	}
 
 	logger.V(logs.LogInfo).Info("Get Kubeconfig from TokenRequest")
-	data := getKubeconfigFromToken(restConfig, namespace, serviceAccountName, tokenRequest.Token, caData)
+	data := getKubeconfigFromToken(restConfig, namespace, serviceAccountName, token, caData)
 
 	return data, nil
 }
@@ -221,6 +238,61 @@ func createServiceAccount(ctx context.Context, c client.Client, namespace, name
 	return nil
 }
 
+func createSecret(ctx context.Context, c client.Client, namespace, saName string,
+	logger logr.Logger) error {
+
+	logger.V(logs.LogInfo).Info(fmt.Sprintf("Create Secret %s/%s", namespace, saName))
+	currentSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      saName,
+			Annotations: map[string]string{
+				corev1.ServiceAccountNameKey: saName,
+			},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}
+
+	err := c.Create(ctx, currentSecret)
+	if err != nil && !apierrors.IsAlreadyExists(err) {
+		logger.V(logs.LogInfo).Info(fmt.Sprintf("Failed to create Secret %s/%s: %v",
+			namespace, saName, err))
+		return err
+	}
+
+	return nil
+}
+
+func getToken(ctx context.Context, c client.Client, namespace, secretName string) (string, error) {
+	retries := 0
+	const maxRetries = 5
+	for {
+		secret := &corev1.Secret{}
+		err := c.Get(ctx, types.NamespacedName{Namespace: namespace, Name: secretName},
+			secret)
+		if err != nil {
+			if retries < maxRetries {
+				time.Sleep(time.Second)
+				continue
+			}
+			return "", err
+		}
+
+		if secret.Data == nil {
+			time.Sleep(time.Second)
+			continue
+		}
+
+		v, ok := secret.Data["token"]
+		if !ok {
+			time.Sleep(time.Second)
+			continue
+		}
+
+		return string(v), nil
+	}
+}
+
 func createClusterRole(ctx context.Context, c client.Client, clusterRoleName string, logger logr.Logger) error {
 	logger.V(logs.LogInfo).Info(fmt.Sprintf("Create ClusterRole %s", clusterRoleName))
 	// Extends permission in addon-controller-role-extra

k8s/manifest.yaml

@@ -37,6 +37,7 @@ spec:
         imagePullPolicy: IfNotPresent
         args:
         - --labels=
+        - --service-account-token=false
         resources:
           requests:
             memory: 128Mi

manifest/manifest.yaml

@@ -37,6 +37,7 @@ spec:
         imagePullPolicy: IfNotPresent
         args:
         - --labels=
+        - --service-account-token=false
         resources:
           requests:
             memory: 128Mi