Developer story
As a WMCO developer, I want to refactor the creation of the kubeconfig for WICD to avoid relying on automatically generated secrets, so that the process does not break if they are removed in a future OpenShift Container Platform release.
Description
Do not rely on these automatically generated secrets for your own use; they might be removed in a future OpenShift Container Platform release.
Taken from official OCP documentation [1]. It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients.
Required
NA
Engineering Details
WMCO uses the token from the automatically generated secrets for the WICD service account to generate a kubeconfig passed to WICD at bootstrap.
You can use bound service account tokens. These tokens are audience and time-bound. This facilitates the authentication of a service account to an IAM role and the generation of temporary credentials mounted to a pod. You can request bound service account tokens by using volume projection and the TokenRequest API.
Instead, leverage the TokenRequest API to generate a token:
https://github.com/openshift/windows-machine-config-operator/blob/a1db0dab838838833a3e9497076eec6a7ac7680e/pkg/nodeconfig/nodeconfig.go#L289
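The change described above (ask the TokenRequest API for a bound token and embed it in the kubeconfig WICD receives at bootstrap), as an added stand-alone Go example that is not WMCO's code: it calls the API server's token subresource with net/http instead of client-go, and the namespace, service account name, operator credential and TTL used by callers are constructed placeholders. The kubeconfig is emitted as JSON, which kubeconfig loaders accept because JSON is valid YAML.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// RequestBoundToken POSTs an authentication.k8s.io/v1 TokenRequest to the
// service account's token subresource, authenticating with the operator's
// own bearer credential, and returns the time-bound token from status.token.
func RequestBoundToken(c *http.Client, apiServer, bearer, ns, sa string, ttl int64) (string, error) {
	tr := map[string]any{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
		"spec": map[string]any{"expirationSeconds": ttl}, // bounded lifetime, default audience
	}
	body, _ := json.Marshal(tr) // marshalling string/int literals cannot fail
	endpoint := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token", apiServer, ns, sa)
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+bearer)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("TokenRequest failed: %s", resp.Status)
	}
	var out struct{ Status struct{ Token string } } // json field matching is case-insensitive
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Status.Token == "" {
		return "", fmt.Errorf("TokenRequest returned no usable token (decode error: %v)", err)
	}
	return out.Status.Token, nil
}

// BootstrapKubeconfig renders the kubeconfig handed to WICD at bootstrap; the
// bound token stands in for the secret-backed one (JSON is valid kubeconfig).
func BootstrapKubeconfig(apiServer, caData, token string) ([]byte, error) {
	return json.Marshal(map[string]any{
		"apiVersion": "v1", "kind": "Config", "current-context": "wicd",
		"clusters": []any{map[string]any{"name": "cluster", "cluster": map[string]string{"server": apiServer, "certificate-authority-data": caData}}},
		"contexts": []any{map[string]any{"name": "wicd", "context": map[string]string{"cluster": "cluster", "user": "wicd"}}},
		"users":    []any{map[string]any{"name": "wicd", "user": map[string]string{"token": token}}},
	})
}
```

Because the token expires, the caller must re-run RequestBoundToken and regenerate the kubeconfig before the expiry rather than caching the result indefinitely.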
Acceptance Criteria
- WICD uses a bound service account token to communicate with the API
- e2e test passes
- QE acceptance: regression testing
- is triggered by: OCPBUGS-22680 Missing automatically generated secrets for WICD service account (Closed)
- links to: RHBA-2024:132594 Red Hat OpenShift for Windows Containers 10.17.0 product release