WIP: BoundServiceAccountTokenVolume + service-ca.crt experiment

[mtrmac]

I don’t really know what I’m doing, mostly curious to see how this fails.

Even if this works, it further cements down the use of long-term service account secrets. (I guess hypothetically we could continue to generate them, but only with the service-ca.crt component.)

What type of PR is this?

/kind bug

What this PR does / why we need it:

Re-enable BoundServiceAccountTokenVolume ; to preserve the service-ca.crt file that was previously included in the mounted secret, just add a reference to the old secret in the created projected volume — the token controller generating the secrets with service-ca.crt included is still running and generating secrets in the right namespace.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• ba7af34|WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message
• d6a2858|Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message

[openshift-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mtrmac
To complete the pull request process, please assign marun after the PR has been reviewed.
You can assign the PR to them by writing /assign @marun in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtrmac]

/test all

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 2be878a|UPSTREAM: : Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message
• a77aee7|UPSTREAM: : WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message

[mtrmac]

/test all

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 8eb976a|UPSTREAM: : Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message
• cd4cca3|UPSTREAM: : WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message

[mtrmac]

/test all

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 5639969|UPSTREAM: : Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message
• 70ffe00|UPSTREAM: : WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message

[mtrmac]

/test all

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 3616d16|UPSTREAM: : Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message
• a43a373|UPSTREAM: : WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message

[mtrmac]

/test all

[openshift-ci-robot]

@mtrmac: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 68ba35e|UPSTREAM: : Revert "UPSTREAM: : disable BoundServiceAccountTokenVolume by default": does not specify an upstream backport in the commit message
• eac517b|UPSTREAM: : WIP: Use the still-created token secrets to provide service-ca.crt: does not specify an upstream backport in the commit message

[mtrmac]

/test all

[openshift-ci]

@mtrmac: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/verify	68ba35e	link	/test verify
ci/prow/e2e-aws-csi	68ba35e	link	/test e2e-aws-csi
ci/prow/e2e-gcp	68ba35e	link	/test e2e-gcp
ci/prow/k8s-e2e-gcp	68ba35e	link	/test k8s-e2e-gcp
ci/prow/e2e-aws-fips	68ba35e	link	/test e2e-aws-fips
ci/prow/e2e-gcp-upgrade	68ba35e	link	/test e2e-gcp-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.