OpenShift Windows Containers / WINC-1172

Do not rely on these automatically generated secrets


    • Type: Story
    • Resolution: Done-Errata
    • Priority: Major

      Developer story

      As a WMCO developer, I want to refactor the creation of the kubeconfig for WICD so that it no longer relies on automatically generated service account token secrets, so that the process does not break if those secrets are removed in a future OpenShift Container Platform release.

      Description

      Do not rely on these automatically generated secrets for your own use; they might be removed in a future OpenShift Container Platform release.

      Taken from the official OCP documentation [1]. It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients.

      [1] https://docs.openshift.com/container-platform/4.13/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts

      Required

      • WICD should be able to refresh the token once 80% of its lifespan has elapsed

      Nice to have

      NA

      Engineering Details

      WMCO uses the token from the automatically generated secret of the WICD service account to generate a kubeconfig that is passed to WICD at bootstrap.

      You can use bound service account tokens instead. These tokens are audience and time-bound. This facilitates the authentication of a service account to an IAM role and the generation of temporary credentials mounted to a pod. You can request bound service account tokens by using volume projection and the TokenRequest API.

      Instead of reading the secret, leverage the TokenRequest API to generate the token at the point where the kubeconfig is built today:

      https://github.com/openshift/windows-machine-config-operator/blob/a1db0dab838838833a3e9497076eec6a7ac7680e/pkg/nodeconfig/nodeconfig.go#L289
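The following is an added illustration, not WMCO's own code, of the pieces such a refactor needs, using only the Go standard library: building the TokenRequest body, parsing the API server's reply, computing the 80% refresh point from the Required section, and rendering a kubeconfig from the bound token. The audience value, the `wicd` user name, the server URL and the CA data are assumptions; a client-go caller would use `CoreV1().ServiceAccounts(ns).CreateToken(...)` rather than hand-building the request body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// NewTokenRequest builds the authentication.k8s.io/v1 TokenRequest body POSTed to
// /api/v1/namespaces/{ns}/serviceaccounts/{name}/token: audience- and time-bound.
func NewTokenRequest(audience string, lifetime time.Duration) ([]byte, error) {
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1",
		"kind":       "TokenRequest",
		"spec": map[string]interface{}{
			"audiences":         []string{audience}, // assumed audience, e.g. the API server's
			"expirationSeconds": int64(lifetime.Seconds()),
		},
	})
}

// ParseTokenResponse extracts the token and its expiry from the API server's reply.
func ParseTokenResponse(body []byte) (string, time.Time, error) {
	var resp struct {
		Status struct {
			Token               string    `json:"token"`
			ExpirationTimestamp time.Time `json:"expirationTimestamp"`
		} `json:"status"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", time.Time{}, err
	}
	if resp.Status.Token == "" {
		return "", time.Time{}, fmt.Errorf("token request response carries no token")
	}
	return resp.Status.Token, resp.Status.ExpirationTimestamp, nil
}

// RefreshAt is the instant at which 80% of the token's lifetime has elapsed: WICD's cue to re-request.
func RefreshAt(issued, expires time.Time) time.Time {
	return issued.Add(time.Duration(float64(expires.Sub(issued)) * 0.8))
}

// Kubeconfig renders a minimal kubeconfig using the bound token (caData is base64 PEM; names assumed).
func Kubeconfig(server, caData, token string) string {
	return fmt.Sprintf("apiVersion: v1\nkind: Config\nclusters:\n- name: cluster\n  cluster:\n"+
		"    server: %s\n    certificate-authority-data: %s\nusers:\n- name: wicd\n  user:\n"+
		"    token: %s\ncontexts:\n- name: wicd\n  context: {cluster: cluster, user: wicd}\n"+
		"current-context: wicd\n", server, caData, token)
}
```

Because the token expires, the kubeconfig handed to WICD at bootstrap is only a starting credential; WICD has to call RefreshAt and re-request a token itself rather than treat the file as permanent.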


      Acceptance Criteria

      • WICD uses a bound service account token to communicate with the API
      • e2e test passes
      • QE acceptance: regression testing

              Assignee: Unassigned
              Reporter: Jose Valdes (jvaldes@redhat.com)