From f2ba1eac6d85303360c55fee145de11b3852822a Mon Sep 17 00:00:00 2001
From: Angel Misevski
Date: Thu, 27 Oct 2022 14:09:08 -0400
Subject: [PATCH 1/2] Update process for logging in as DWO SA when using make run/debug
As of Kubernetes 1.24, serviceaccounttoken secrets are no longer created by default, and so this method cannot be used to login as the workspace serviceaccount when running locally. Instead, it's possible to use kubectl create token -n to get the token used for the serviceaccount.
Signed-off-by: Angel Misevski
---
build/make/deploy.mk | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/build/make/deploy.mk b/build/make/deploy.mk
index f94e07eef..14327d520 100644
--- a/build/make/deploy.mk
+++ b/build/make/deploy.mk
@@ -131,9 +131,15 @@ _check_cert_manager:
 endif
 _login_with_devworkspace_sa:
- $(eval SA_TOKEN := $(shell $(K8S_CLI) get secrets -o=json -n $(NAMESPACE) | jq -r '[.items[] | select (.type == "kubernetes.io/service-account-token" and .metadata.annotations."kubernetes.io/service-account.name" == "$(DEVWORKSPACE_CTRL_SA)")][0].data.token' | base64 --decode ))
- echo "Logging as controller's SA in $(NAMESPACE)"
- oc login --token=$(SA_TOKEN) --kubeconfig=$(BUMPED_KUBECONFIG)
+ # Kubernetes 1.23 and below: get SA token from service-account-token secret; Kubernetes 1.24 and above, use `kubectl create token`
+ SA_TOKEN=$$($(K8S_CLI) get secrets -o=json -n $(NAMESPACE) \
+ | jq -r '[.items[] | select (.type == "kubernetes.io/service-account-token" and .metadata.annotations."kubernetes.io/service-account.name" == "$(DEVWORKSPACE_CTRL_SA)")][0].data.token' \
+ | base64 --decode ); \
+ if [[ "$$SA_TOKEN" == $$(echo 'null' | base64 -d) ]]; then \
+ SA_TOKEN=$$($(K8S_CLI) create token -n "$(NAMESPACE)" "$(DEVWORKSPACE_CTRL_SA)"); \
+ fi; \
+ echo "Logging as controller's SA in $(NAMESPACE)"; \
+ oc login --token="$$SA_TOKEN" --kubeconfig=$(BUMPED_KUBECONFIG)
 ### install_cert_manager: Installs Cert Mananger v1.5.4 on the cluster
 install_cert_manager:
From 8f15802c47dc1dcf3f55bb4888c2fb51a3d651a5 Mon Sep 17 00:00:00 2001
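Review bot: The `create token` fallback in `_login_with_devworkspace_sa` runs only when jq printed `null`, which the recipe detects by comparing against `base64 -d` of the string `null`; if `get secrets` fails or is denied, SA_TOKEN is empty, the comparison is false, and the recipe continues to `oc login --token=""`. Testing for emptiness is more direct: end the jq filter with `[0].data.token // empty`, guard the fallback with `if [ -z "$$SA_TOKEN" ]; then \`, and stop before the login with `[ -n "$$SA_TOKEN" ] || { echo "no token for $(DEVWORKSPACE_CTRL_SA)" >&2; exit 1; }; \`. The `[[ ... ]]` test also needs bash, and whether this makefile sets SHELL to bash is not visible in the hunk. Tokens from `create token` are time-limited, so the added comment could note that the local login will expire.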
From: Angel Misevski
Date: Thu, 27 Oct 2022 14:09:53 -0400
Subject: [PATCH 2/2] Avoid waiting 5 seconds for image pull secret on every k8s start
Recent versions of Kubernetes do not automatically mount image pull secrets to serviceaccounts, meaning that most workspace starts idle for 5 seconds waiting for something that is not going to happen. Instead we scope the check for waiting for image pull secrets to only be performed when running on OpenShift. On OpenShift, there is a race between the controller and the cluster API, where sometimes DWO creates a deployment that is immediately updated with image pull secrets, slowing workspace start due to the workspace pod needing to terminate.
Signed-off-by: Angel Misevski
---
pkg/provision/workspace/pull_secret.go | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/pkg/provision/workspace/pull_secret.go b/pkg/provision/workspace/pull_secret.go
index ec2b46eaa..afb72cfb9 100644
--- a/pkg/provision/workspace/pull_secret.go
+++ b/pkg/provision/workspace/pull_secret.go
@@ -22,6 +22,7 @@ import (
 "strings"
 "time"
+ "github.com/devfile/devworkspace-operator/pkg/infrastructure"
 "github.com/devfile/devworkspace-operator/pkg/provision/sync"
 "k8s.io/apimachinery/pkg/types"
@@ -80,12 +81,14 @@ func PullSecrets(clusterAPI sync.ClusterAPI, serviceAccountName, namespace strin
 }
 }
- if len(serviceAccount.ImagePullSecrets) == 0 && serviceAccount.CreationTimestamp.Add(pullSecretCreationTimeout).After(time.Now()) {
- return PullSecretsProvisioningStatus{
- ProvisioningStatus: ProvisioningStatus{
- Requeue: true,
- Message: "Waiting for image pull secrets",
- },
+ if infrastructure.IsOpenShift() {
+ if len(serviceAccount.ImagePullSecrets) == 0 && serviceAccount.CreationTimestamp.Add(pullSecretCreationTimeout).After(time.Now()) {
+ return PullSecretsProvisioningStatus{
+ ProvisioningStatus: ProvisioningStatus{
+ Requeue: true,
+ Message: "Waiting for image pull secrets",
+ },
+ }
 }
 }
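Review bot: The new `infrastructure.IsOpenShift()` guard in the second hunk has no comment, so the reason the wait is platform-specific is recorded only in the commit message; a line such as `// Only OpenShift adds image pull secrets to the ServiceAccount after creation; elsewhere waiting just delays workspace start.` above the `if` would keep it with the code. The two nested conditions can also be written as one, `if infrastructure.IsOpenShift() && len(serviceAccount.ImagePullSecrets) == 0 && serviceAccount.CreationTimestamp.Add(pullSecretCreationTimeout).After(time.Now()) {`, which avoids re-indenting the return block. If `IsOpenShift` depends on the infrastructure package having been initialised (not visible here), unit tests that call PullSecrets will need that set up first. PullSecrets starts and ends outside this hunk.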