@sanchezl sanchezl commented Feb 8, 2024

Introduce a configuration option to allow users to specify the type of service account token to use for the integrated image registry image pull secret auth.

apiVersion: operator.openshift.io/v1
kind: OpenShiftControllerManager
spec:
  imageRegistryAuthTokenType: Legacy

In version v4.15:

  • The default, and only value, will be Legacy.
  • The value will explicitly be added to the OCM-O config.

In version 4.16:

  • The default value will be Bound.
  • The value will not be explicitly set.
  • Users who upgrade from v4.15 will still be configured to use the Legacy service account tokens until they update the OCM-O config to switch to Bound.

sanchezl commented Feb 8, 2024

/hold for #1758 to make it into 4.15

openshift-ci bot commented Feb 8, 2024

Hello @sanchezl! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 8, 2024
@sanchezl sanchezl changed the title token type 416 add Bound service account token type Feb 8, 2024
@openshift-ci openshift-ci bot requested review from JoelSpeed and bparees February 8, 2024 16:53
openshift-ci bot commented Feb 8, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sanchezl
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Kubernetes Code Review Process.


// imageRegistryAuthTokenType directs the openshift-controller-manager to use either a
// legacy,(unbound, long-lived) service acccount tokens or a bound service account
// token when generating image pull secrets for the integrated image registry.
// +kubebuilder:default=Legacy
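
Review bot: the doc comment on imageRegistryAuthTokenType has wording defects that will end up in the generated CRD description: "a legacy,(unbound, long-lived) service acccount tokens" misspells "account", has a stray comma before the parenthesis, and pairs "a" with the plural "tokens". Suggest "either legacy (unbound, long-lived) service account tokens or bound service account tokens". The comment also does not name the accepted values or say what an omitted value means; since the PR description relies on Legacy and Bound and on different behaviour for upgraded clusters, spell both values out here and, if it is not already present outside the visible lines, add a +kubebuilder:validation:Enum marker for them. Finally, the visible marker is +kubebuilder:default=Legacy, while the description says that in 4.16 the default will be Bound and the value will not be explicitly set; please confirm which of the two this line is meant to express in this PR.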
Contributor

Have you tried spinning up a cluster, upgrading it to this CRD, reading it, then removing the default from the CRD spec, and confirming that the resource has got the default as applied? If this is the mechanism for making sure that old clusters upgrade and retain the value, I'm not sure this is going to be effective; you may need a controller to set the value in 4.15.

Contributor Author

The idea is to backport #1758 to 4.15. This PR would be the 4.16 follow-up.

@openshift-ci openshift-ci bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 8, 2024
openshift-ci bot commented Feb 8, 2024

@sanchezl: all tests passed!


@sanchezl sanchezl marked this pull request as draft February 8, 2024 19:44
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 8, 2024
@sanchezl sanchezl changed the title add Bound service account token type WIP 4.16 add Bound service account token type Feb 9, 2024