Verify kubeapps token instructions after SA change in k8s >=1.24 #4763

Closed
antgamdia opened this issue May 23, 2022 · 2 comments · Fixed by #4772
@antgamdia
Contributor

antgamdia commented May 23, 2022

Converted into an issue since it requires further investigation.
Updating the issue content accordingly:


Hi,

In Kubernetes 1.24 tokens are not created for service accounts. So the authorization procedure in the documentation no longer works:

To create a Service Account for a user "example" in the "default" namespace, run the following:
kubectl create -n default serviceaccount example
To get the API token for this Service Account, run the following:
kubectl get -n default secret $(kubectl get -n default serviceaccount example -o jsonpath='{.secrets[].name}') -o go-template='{{.data.token | base64decode}}' && echo

So I created service account "example" like above, and then created a token with
kubectl create -f token.yml

token.yml:

apiVersion: v1
kind: Secret
metadata:
  namespace: default
  name: example-secret
  annotations:
    kubernetes.io/service-account.name: "example"
type: kubernetes.io/service-account-token

I then apply this yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: example
  namespace: default

I can now see the token with
kubectl describe secret example-secret

However, this token does not get me into the kubeapps dashboard. It does get me into the standard kubernetes dashboard.

Any ideas?

Originally posted by @Wouter053 in #4746

@absoludity
Contributor

There's an option on the discussion to "Create issue from discussion"? Might convey more info (and avoid duplication).

@antgamdia antgamdia added component/apis-server Issue related to kubeapps api-server kind/question An issue that reports a question about the project labels May 23, 2022
@antgamdia antgamdia changed the title Answer question regarding SAs in k8s >1.24 Verify kubeapps token instructions after SA change in k8s >=1.24 May 23, 2022
@absoludity absoludity self-assigned this May 24, 2022
@absoludity absoludity moved this from 🗒 Todo to 🏗 In Progress in Kubeapps May 24, 2022
@absoludity
Contributor

Confirmed first that our preferred (secure) auth using OIDC works fine with 1.24. Then proceeded to test token authentication. Following the getting-started instructions, as expected, see the error as the secret doesn't exist:

$ kubectl create --namespace default serviceaccount kubeapps-operator
$ kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
serviceaccount/kubeapps-operator created
clusterrolebinding.rbac.authorization.k8s.io/kubeapps-operator created

$ kubectl get --namespace default secret $(kubectl get --namespace default serviceaccount kubeapps-operator -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' | grep kubeapps-operator-token) -o jsonpath='{.data.token}' -o go-template='{{.data.token | base64decode}}' && echo
Error executing template: template: output:1:16: executing "output" at <base64decode>: invalid value; expected string. Printing more information for debugging the template:
        template was:
                {{.data.token | base64decode}}
        raw data was:
                {"apiVersion":"v1","items":[],"kind":"List","metadata":{"resourceVersion":"","selfLink":""}}
        object given to template engine was:
                map[apiVersion:v1 items:[] kind:List metadata:map[resourceVersion: selfLink:]]

error: error executing template "{{.data.token | base64decode}}": template: output:1:16: executing "output" at <base64decode>: invalid value; expected string

I've then created #4772 which updates the docs with the procedure I used, which seems similar to the original poster's, but worked fine in both 1.24 as well as 1.21. I'll update the discussion there.
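
An added example, not part of this thread and not the procedure from #4772 (which is not shown on this page): the error above arises because the service account's `.secrets` list is empty on 1.24, so the nested lookup yields no name and `kubectl get secret` returns a `List`. The sketch below requests a token Secret explicitly and reads it by a fixed name; the `<sa>-token` Secret name and both function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Kubeapps docs. The "<sa>-token" Secret name and
# both function names are assumptions chosen for this sketch.

# Print a Secret manifest that asks the token controller to issue a
# long-lived token for service account $2 in namespace $1.
sa_token_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2-token
  namespace: $1
  annotations:
    kubernetes.io/service-account.name: $2
type: kubernetes.io/service-account-token
EOF
}

# Print the API token for service account $2 in namespace $1.
# Works whether or not the cluster auto-created a token Secret: the Secret is
# addressed by a fixed name instead of being looked up through .secrets[].
get_sa_token() {
  local ns=$1 sa=$2 b64 i
  if ! kubectl get -n "$ns" secret "$sa-token" >/dev/null 2>&1; then
    sa_token_manifest "$ns" "$sa" | kubectl apply -f - >/dev/null || return 1
  fi
  # The controller fills .data.token asynchronously, so poll briefly.
  for i in 1 2 3 4 5; do
    b64=$(kubectl get -n "$ns" secret "$sa-token" -o jsonpath='{.data.token}' 2>/dev/null) || b64=
    if [ -n "$b64" ]; then
      printf '%s' "$b64" | base64 -d
      echo
      return 0
    fi
    sleep 1
  done
  echo "secret $ns/$sa-token has no token; does service account '$sa' exist?" >&2
  return 1
}

# Usage: get_sa_token default example
```

If the service account does not exist, the Secret never receives a token and the function fails with a clear message instead of the template error shown above.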

@absoludity absoludity moved this from 🏗 In Progress to 🔎 In Review in Kubeapps May 24, 2022
Repository owner moved this from 🔎 In Review to ✅ Done in Kubeapps May 25, 2022