Do not make use of ServiceAccount.Secrets list

This commit stops using the ServiceAccount.Secrets list, as noted my k8s this should not be used to find SA's associated secrets and this is no longer being automatically managed by k8s since v1.24. Signed-off-by: David Cassany <dcassany@suse.com>
rancher · Jul 13, 2023 · 454b97c · 454b97c
1 parent bd16383
commit 454b97c
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 18 deletions.
diff --git a/api/v1beta1/common_consts.go b/api/v1beta1/common_consts.go
@@ -19,4 +19,7 @@ package v1beta1
 const (
 	// ElementalManagedLabel label used to put on resources managed by the elemental operator.
 	ElementalManagedLabel = "elemental.cattle.io/managed"
+
+	// SASecretSuffix is the suffix used to name registration service account's token secret
+	SASecretSuffix = "-token"
 )
diff --git a/controllers/machineregistration_controller.go b/controllers/machineregistration_controller.go
@@ -240,19 +240,14 @@ func (r *MachineRegistrationReconciler) createRBACObjects(ctx context.Context, m
 				elementalv1.ElementalManagedLabel: "true",
 			},
 		},
-		Secrets: []corev1.ObjectReference{
-			{
-				Name: mRegistration.Name + "-token",
-			},
-		},
 	}); err != nil && !apierrors.IsAlreadyExists(err) {
 		return fmt.Errorf("failed to create service account: %w", err)
 	}
 
 	logger.Info("Creating token secret for the service account")
 	if err := r.Create(ctx, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:            mRegistration.Name + "-token",
+			Name:            mRegistration.Name + elementalv1.SASecretSuffix,
 			Namespace:       mRegistration.Namespace,
 			OwnerReferences: ownerReferences,
 			Annotations: map[string]string{

diff --git a/pkg/server/api_registration.go b/pkg/server/api_registration.go
@@ -137,13 +137,9 @@ func (i *InventoryServer) writeMachineInventoryCloudConfig(conn *websocket.Conn,
 		return fmt.Errorf("failed to get service account: %w", err)
 	}
 
-	if len(sa.Secrets) == 0 {
-		return fmt.Errorf("no secrets associated to the %s/%s service account", sa.Namespace, sa.Name)
-	}
-
 	secret := &corev1.Secret{}
 	err := i.Get(i, types.NamespacedName{
-		Name:      sa.Secrets[0].Name,
+		Name:      sa.Name + elementalv1.SASecretSuffix,
 		Namespace: sa.Namespace,
 	}, secret)
 

diff --git a/pkg/server/api_registration_test.go b/pkg/server/api_registration_test.go
@@ -787,7 +787,7 @@ func createDefaultResources(t *testing.T, server *InventoryServer) {
 	t.Helper()
 	server.Client.Create(context.Background(), &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "test-secret",
+			Name: "test-account-token",
 		},
 
 		Type: v1.SecretTypeServiceAccountToken,
@@ -797,12 +797,6 @@ func createDefaultResources(t *testing.T, server *InventoryServer) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-account",
 		},
-
-		Secrets: []v1.ObjectReference{
-			{
-				Name: "test-secret",
-			},
-		},
 	})
 
 	server.Client.Create(context.Background(), &managementv3.Setting{