Bug 1813892

Summary: stop adding service-ca to token secret in 4.5
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: kube-apiserver
Assignee: Stefan Schimanski <sttts>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: high
Priority: high
Version: 4.5
CC: aos-bugs, mfojtik
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-05-06 11:03:47 UTC
Type: Bug

Description David Eads 2020-03-16 12:31:37 UTC
with the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6

1. find the initial deprecation notice in docs
2. have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. write a controller in the operator that removes the service-ca from all secrets.
3. create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`.  The name is abusive and clear.  People who set it should be very aware and not call us.
4. if the value is set, set the env var and mark the cluster upgradeable==false

In 4.6, we can remove the code entirely because no one can be relying on it.

Comment 1 Stefan Schimanski 2020-05-06 11:03:47 UTC

*** This bug has been marked as a duplicate of bug 1813894 ***