From 5c9d0c7ef93a6735bd29bdeb070291ceeb20002b Mon Sep 17 00:00:00 2001
From: "Jose R. Gonzalez"
Date: Wed, 17 Jul 2024 12:24:07 -0500
Subject: [PATCH] Ensure service account token generation for workflows
Signed-off-by: Jose R. Gonzalez
---
 scripts/src/saforcertadmin/create_sa.sh | 3 ++-
 scripts/src/saforcertadmin/token_secret.yaml | 8 ++++++++
 .../saforcharttesting/saforcharttesting.py | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 scripts/src/saforcertadmin/token_secret.yaml
diff --git a/scripts/src/saforcertadmin/create_sa.sh b/scripts/src/saforcertadmin/create_sa.sh
index dc59c7f2a..5c17e7025 100755
--- a/scripts/src/saforcertadmin/create_sa.sh
+++ b/scripts/src/saforcertadmin/create_sa.sh
@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
 user_name='rh-cert-user'
+token_secret='rh-cert-user-token'
 oc create sa $user_name
-token_secret=$(oc get secrets --field-selector=type=kubernetes.io/service-account-token -o=jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=='"$user_name"')].metadata.name}")
+oc apply -f token_secret.yaml
 token=$(oc get secret $token_secret -o json | jq -r .data.token | base64 -d)
 oc apply -f cluster_role_binding.yaml
diff --git a/scripts/src/saforcertadmin/token_secret.yaml b/scripts/src/saforcertadmin/token_secret.yaml
new file mode 100644
index 000000000..ed94088de
--- /dev/null
+++ b/scripts/src/saforcertadmin/token_secret.yaml
@@ -0,0 +1,8 @@
+# Creates the secret. Cluster will populate with data.
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: rh-cert-user-token
+ annotations:
+ kubernetes.io/service-account.name: rh-cert-user
diff --git a/scripts/src/saforcharttesting/saforcharttesting.py b/scripts/src/saforcharttesting/saforcharttesting.py
index aab88d0f3..bb061ab2d 100644
--- a/scripts/src/saforcharttesting/saforcharttesting.py
+++ b/scripts/src/saforcharttesting/saforcharttesting.py
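Review bot: The unchanged `token=$(oc get secret $token_secret -o json | jq -r .data.token | base64 -d)` line runs immediately after the new `oc apply -f token_secret.yaml`, but a `kubernetes.io/service-account-token` Secret is created empty and the token controller fills in `.data.token` afterwards, so the first read can happen before the token exists; `jq -r` then prints `null`, `base64 -d` decodes that into three garbage bytes, and nothing in the visible lines (no `set -e`) stops the bogus value from flowing into the rest of the script. Poll for a non-empty field before using it, as sketched below. The same timing consideration applies to `create_tokensecret` in saforcharttesting.py, which is reviewed on its own hunk. The Secret name is now written in two places (`token_secret='rh-cert-user-token'` here and `name: rh-cert-user-token` in token_secret.yaml); a comment on the variable, `# must match metadata.name in token_secret.yaml`, would keep them from drifting apart.
```shell
oc apply -f token_secret.yaml
# The token controller fills in .data.token after the Secret exists; wait for it.
token=""
for _ in $(seq 1 30); do
    token=$(oc get secret "$token_secret" -o jsonpath='{.data.token}' | base64 -d)
    [ -n "$token" ] && break
    sleep 1
done
[ -n "$token" ] || { echo "timed out waiting for token in Secret $token_secret" >&2; exit 1; }
# … unchanged: oc apply -f cluster_role_binding.yaml …
```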
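Review bot: The header comment `# Creates the secret. Cluster will populate with data.` under-describes what this manifest produces: a non-expiring token for `rh-cert-user` that stays valid until the Secret itself is deleted, which is exactly what a reader deciding how to store, rotate or revoke it needs to know. Suggested wording: `# Long-lived token Secret for the rh-cert-user ServiceAccount. The token controller populates .data.token after creation; the token stays valid until this Secret is deleted. The name must match token_secret in create_sa.sh.`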
@@ -24,6 +24,16 @@
 namespace: ${name}
 """
+token_template = """\
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: token-${name}
+ annotations:
+ kubernetes.io/service-account.name: ${name}
+"""
+
 role_template = """\
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -164,6 +174,14 @@ def create_serviceaccount(namespace):
 print("[ERROR] creating ServiceAccount:", stderr)
+def create_tokensecret(namespace):
+ print("creating token Secret:", namespace)
+ stdout, stderr = apply_config(token_template, name=namespace)
+ print("stdout:\n", stdout, sep="")
+ if stderr.strip():
+ print("[ERROR] creating token Secret:", stderr)
+
+
 def create_role(namespace):
 print("creating Role:", namespace)
 stdout, stderr = apply_config(role_template, name=namespace)
@@ -344,6 +362,7 @@ def main():
 if args.create:
 create_namespace(args.create)
 create_serviceaccount(args.create)
+ create_tokensecret(args.create)
 create_role(args.create)
 create_rolebinding(args.create)
 create_clusterrole(args.create)
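Review bot: `create_tokensecret` has no docstring, and the one thing a caller needs to know about it is not visible from the code: an `apply_config` call that returns without stderr only means the Secret object exists, while the token itself is filled in by the cluster afterwards, so anything that reads `token-<namespace>` right after this call may find `.data.token` still missing. Suggested docstring: `"""Create the token Secret token-<namespace> for the ServiceAccount whose name equals *namespace* (per the service-account.name annotation in token_template). A clean apply does not mean the token is populated yet; the cluster fills in .data.token afterwards."""`. Reporting failure by printing `[ERROR]` and carrying on mirrors `create_serviceaccount` and `create_role`, so that part is consistent with the file. A matching one-line comment on `token_template` in the first hunk of this file, `# Long-lived SA token Secret; its name is token-<namespace>`, would tie the template and the function together.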