Details
-
Bug
-
Resolution: Done
-
Major
-
None
-
quay-v3.7.2
-
False
-
None
-
False
-
0
Description
Description of problem:
1. OCP 4.11 make reduction of secret-based service account tokens, the command "get-token" is deprecated.
$ oc version Client Version: 4.11.0-0.nightly-2022-06-06-201913 $ oc sa get-token --help Command "get-token" is deprecated, and will be removed in the future version. Use oc create token instead. Get a token assigned to a service account. ...... Usage: oc serviceaccounts get-token NAME [flags] [options]
So the step 6 of preparing OpenShift Container Platform for virtual builders won't work anymore.
6 btain the token for the Quay builder service account:
$ oc sa get-token -n virtual-builders quay-builder
The recommended command to get token in OCP 4.11 is
$ oc create token quay-builder -n virtual-builds
2. In OCP 4.11, the step 8 of 16.3.2.1. Preparing OpenShift Container Platform for virtual builders won't work anymore too.
8 Generate a self-signed SSL certificate with the .crt extension: $ SECRET=$(oc get sa openshift-apiserver-sa --namespace=openshift-apiserver -o json | jq -r '.secrets[] | select(.name | contains("openshift-apiserver-sa-token"))'.name) $ oc get secret $SECRET -n openshift-apiserver -o json | jq '.data."ca.crt"' -r | base64 -d > extra_ca_cert_build_cluster.crt
The secret "openshift-apiserver-sa-token" won't be in sa openshift-apiserver-sa anymore, so the above commands won't work as expected.
I found a easier way to get self-signed SSL certificate of virtual ocp builder.
$ oc extract cm/kube-root-ca.crt -n openshift-apiserver ca.crt $ mv ca.crt extra_ca_cert_build_cluster.crt
These command works on OCP 4.10 and OCP 4.11. If they work well on other OCP version,s maybe we can refine the step8 .
