Create secrets for serviceaccounts

[vthapar]

K8s 1.24+ doesn't autocreate secret for serviceaccount. This
breaks submariner deployments which expects secret to be created
and associated to the corresponding serviceaccount.

The fix ensures the Secret of type service-account-token exists,
is annotated with ServiceAccount.Name, and is added to Secrets list in
the ServiceAccount.

Fixes #102

Signed-off-by: Vishal Thapar [email protected]

[submariner-bot]

🤖 Created branch: z_pr125/vthapar/secret-tokens
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

Reworked the code, addressed comments

[vthapar]

@skitt @tpantelis This is ready for review. I have only tweaked the UTs just enough to pass so that we can get this in and unblock submariner-io/shipyard#825 I can add UTs in a subsequent PR, unless you think UTs need to come in this patch itself.

[nyechiel]

@vthapar is this ready for review? It looks like two CI jobs are failing

[vthapar]

@vthapar is this ready for review? It looks like two CI jobs are failing

Upgrade job is the only one that failed more than once, e2e has failed just once. Re-ran the jobs to see if e2e fails again. Looking into upgrade job issue.

[submariner-bot]

🤖 I had an issue pushing the updated branch: already up-to-date

[nyechiel]

@skitt @sridhargaddam @tpantelis this one needs review

[skitt]

My previous comment still applies, unless I’ve missed something:

I would prefer the secret handling to be hidden in the SA handling — callers shouldn’t have to know that to set up a service account correctly, they have to set up a secret.

In other words, there should only be a call to serviceaccount.Ensure() in this function, and serviceaccount.Ensure() should handle the secret (perhaps by calling EnsureSecretFromSA(), of course, but that should be transparent to the caller).

[vthapar]

My previous comment still applies, unless I’ve missed something:

I would prefer the secret handling to be hidden in the SA handling — callers shouldn’t have to know that to set up a service account correctly, they have to set up a secret.

In other words, there should only be a call to serviceaccount.Ensure() in this function, and serviceaccount.Ensure() should handle the secret (perhaps by calling EnsureSecretFromSA(), of course, but that should be transparent to the caller).

Got it. I missed the context of comment for Ensure and only addressed for EnsureFromYaml.

[nyechiel]

@vthapar can you please address Stephen's comment?

[vthapar]

@vthapar can you please address Stephen's comment?

Done.

[tpantelis]

We should distinguish NotFound error

Suggested change

	if err == nil {
	return true, nil
	}
	if apierrors.IsNotFound(err)
	return nil
	}
	if err != nil {
	return err
	}

[submariner-bot]

🤖 I had an issue pushing the updated branch: already up-to-date

[skitt]

There’s something missing here, I presume.

[vthapar]

There’s something missing here, I presume.

Missed cleanup after refactor.

[skitt]

Can’t we use GenerateName here?

[skitt]

We can fix this up later, this shouldn’t block the PR.

[vthapar]

I used GenerateName in intial draft, but then needed to do another Get to find the generated name. Went with this coz similar to what OCP's controller is doing.

[submariner-bot]

🤖 Closed branches: [z_pr125/vthapar/secret-tokens]