  1. OpenShift Bugs
  2. OCPBUGS-37431

"Using service accounts in applications" doc inconsistencies regarding legacy service account tokens


    • Moderate

      Description of problem:

      The doc https://docs.openshift.com/container-platform/4.16/authentication/using-service-accounts-in-applications.html implies tokens are auto generated, but as of 4.16, they are not. I see there is a note that explains this, but other parts of the document are not aligned:

      Prior to OpenShift Container Platform 4.16, a long-lived service account API token secret was also generated for each service account that was created. Starting with OpenShift Container Platform 4.16, this service account API token secret is no longer created. 

      Looks good!

      But, it seems to imply the token gets automatically generated, but it doesn't automatically generate the API token:

      Each service account automatically contains two secrets:
      1. An API token 
      ...
      The generated API token and registry credentials do not expire

      It shows an auto generated legacy token in the example output here:

      Name:                robot
      Namespace:           project1
      Labels:              <none>
      Annotations:         <none>
      Image pull secrets:  robot-dockercfg-qzbhb
      Mountable secrets:   robot-dockercfg-qzbhb
      Tokens:              robot-token-f4khf
      Events:              <none>

      It should be:

      Name:                robot
      Namespace:           project1
      Labels:              <none>
      Annotations:         <none>
      Image pull secrets:  robot-dockercfg-qzbhb
      Mountable secrets:   robot-dockercfg-qzbhb
      Tokens:              <none>
      Events:              <none>

      It's probably worth including a link to manually create this service account token to https://docs.openshift.com/container-platform/4.16/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets 
      Additionally, it seems a bit confusing that this note is under "Automatically generated image pull secrets"; this is regarding the legacy API token, not the token for pulling secrets.

      Version-Release number of selected component (if applicable):

      4.16+    

      How reproducible:

          100%

      Steps to Reproduce:

          1. https://docs.openshift.com/container-platform/4.16/authentication/using-service-accounts-in-applications.html

      Actual results:

          Inconsistencies in doc about auto generated token

      Expected results:

          Consistent language and examples about token generation

      Additional info:

          https://issues.redhat.com/browse/OCPBUGS-34846 is very relevant

              rhn-support-ahoffer Andrea Hoffer
              gspence@redhat.com Grant Spence
              Xingxing Xia Xingxing Xia
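
An added example, not part of the original report or of the OpenShift documentation: a Python check that lists long-lived service account API token secrets in output shaped like `oc get secrets -o json`, which is what the `Tokens:` line in the describe output reflects. Both sample inputs are constructed from the names in the report; the helper names are hypothetical.

```python
import json

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


def secret(name, secret_type, annotations=None):
    """Build a minimal Secret object (constructed sample data)."""
    return {"kind": "Secret", "type": secret_type,
            "metadata": {"name": name, "namespace": "project1",
                         "annotations": annotations or {}}}


# Constructed inputs shaped like `oc get secrets -n project1 -o json`.
DOCKERCFG = secret("robot-dockercfg-qzbhb", "kubernetes.io/dockercfg")
LEGACY = secret("robot-token-f4khf", SA_TOKEN_TYPE, {SA_NAME_ANNOTATION: "robot"})
BEFORE_416 = json.dumps({"kind": "List", "items": [DOCKERCFG, LEGACY]})
FROM_416 = json.dumps({"kind": "List", "items": [DOCKERCFG]})


def legacy_token_secrets(secret_list_json):
    """Return {service account: [token secret names]} for long-lived API tokens."""
    found = {}
    for item in json.loads(secret_list_json).get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue  # image pull (dockercfg) secrets are not API tokens
        meta = item.get("metadata", {})
        owner = (meta.get("annotations") or {}).get(
            SA_NAME_ANNOTATION, "<no owner annotation>")
        found.setdefault(owner, []).append(meta.get("name", "<unnamed>"))
    return {sa: sorted(names) for sa, names in found.items()}


if __name__ == "__main__":
    for label, data in (("before 4.16", BEFORE_416), ("4.16 and later", FROM_416)):
        print(label, legacy_token_secrets(data) or "<none>")
```
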