Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove association between ServiceAccounts and token Secrets #884

Merged
merged 5 commits into from
Aug 29, 2023
Merged

Remove association between ServiceAccounts and token Secrets #884

merged 5 commits into from
Aug 29, 2023

Conversation

tpantelis
Copy link
Contributor

@tpantelis tpantelis commented Aug 22, 2023
edited
Loading

If a token Secret is associated to a ServiceAccount via its secrets field, K8s 1.27 interprets this as an auto-generated token and issues a client-side warning:

"Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens."

While we no longer use auto-generated Secrets, we do still set the secrets field with the manually created Secret which causes the warning to be generated for every API call issued using a rest config created with the Secret's token.

We don't need to set the secrets field - we can locate a ServiceAccount's associated Secret via the
kubernetes.io/service-account.name annotation on the Secret.

For migration, also remove the secrets field from existing ServiceAccounts.

As a further safeguard on upgrade, ignore the warning via the warning handler.

Lastly, we don't need token Secrets created for the pod ServiceAccounts so only create then for the broker ServiceAccounts.

See individual commits for more details.

Fixes #880

@tpantelis tpantelis self-assigned this Aug 22, 2023
@submariner-bot
Copy link
Contributor

🤖 Created branch: z_pr884/tpantelis/sa_secret
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@tpantelis tpantelis requested a review from vthapar August 22, 2023 21:28
@tpantelis tpantelis mentioned this pull request Aug 25, 2023
Closed
@tpantelis
Remove association between ServiceAccounts and token Secrets
ccdc7f5 
If a token Secret is associated to a ServiceAccount via its
"secrets" field, K8s 1.27 interprets this as an auto-generated
token and issues a client-side warning:

"Use tokens from the TokenRequest API or manually created
secret-based tokens instead of auto-generated secret-based tokens."

While we no longer use auto-generated Secrets, we do still set the
"secrets" field with the manually created Secret which causes the
warning to be generated for every API call issued using a rest config
created with the Secret's token.

We don't need to set the "secrets" field - we can locate a
ServiceAccount's associated Secret via the
"kubernetes.io/service-account.name" annotation on the Secret.

For migration, also remove the "secrets" field from existing
ServiceAccounts.

As a further safeguard on upgrade, ignore the warning via the
warning handler.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@tpantelis
Only create token secrets for broker ServiceAccounts
2b7fc16 
We don't need them created for the pod ServiceAccounts.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@tpantelis
Refactor rbac.GetClientTokenSecret
a5c54da 
...to serviceaccount.GetTokenSecretFor as the function isn't really
related to RBAC. Plus we already have unit tests in serviceaccount
so we get code coverage credit :)

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@skitt skitt added the ready-to-test When a PR is ready for full E2E testing label Aug 29, 2023
@dfarrell07 dfarrell07 enabled auto-merge (rebase) August 29, 2023 16:51
@dfarrell07 dfarrell07 merged commit 16bb828 into submariner-io:devel Aug 29, 2023
26 checks passed
@submariner-bot
Copy link
Contributor

🤖 Closed branches: [z_pr884/tpantelis/sa_secret]

skitt added a commit to skitt/submariner-operator that referenced this pull request Sep 1, 2023
@skitt
Don't check the gateway secrets
a9c45ca 
Since submariner-io/subctl#884, gateway
service accounts no longer have associated tokens.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt skitt mentioned this pull request Sep 1, 2023
Merged
skitt added a commit to submariner-io/submariner-operator that referenced this pull request Sep 1, 2023
@skitt
Don't check the gateway secrets
ad48efe 
Since submariner-io/subctl#884, gateway
service accounts no longer have associated tokens.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@dfarrell07 dfarrell07 added release-note-needed Should be mentioned in the release notes and removed release-note-needed Should be mentioned in the release notes labels Sep 12, 2023
@tpantelis tpantelis deleted the sa_secret branch April 4, 2024 15:31
@skitt skitt mentioned this pull request May 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skitt skitt skitt approved these changes

@dfarrell07 dfarrell07 dfarrell07 approved these changes

@Jaanki Jaanki Awaiting requested review from Jaanki Jaanki is a code owner

@Oats87 Oats87 Awaiting requested review from Oats87 Oats87 is a code owner

@sridhargaddam sridhargaddam Awaiting requested review from sridhargaddam sridhargaddam is a code owner

@vthapar vthapar Awaiting requested review from vthapar vthapar is a code owner

Assignees

@tpantelis tpantelis

Labels
ready-to-test When a PR is ready for full E2E testing
Projects
No open projects
Submariner 0.16
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Warnings seen while running subctl join command
4 participants
@tpantelis @submariner-bot @dfarrell07 @skitt