Bug 1813892 - stop adding service-ca to token secret in 4.5
Keywords:
Status: CLOSED DUPLICATE of bug 1813894
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.5.0
Assignee: Stefan Schimanski
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-16 12:31 UTC by David Eads
Modified: 2020-05-06 11:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-06 11:03:47 UTC
Target Upstream Version:
Embargoed:



Description David Eads 2020-03-16 12:31:37 UTC
With the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6:

1. find the initial deprecation notice in docs
2. have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. write a controller in the operator that removes the service-ca from all secrets.
3. create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`.  The name is abusive and clear.  People who set it should be very aware and not call us.
4. if the value is set, set the env var and mark the cluster upgradeable==false

In 4.6, we can remove the code entirely because no one can be relying on it.

Comment 1 Stefan Schimanski 2020-05-06 11:03:47 UTC

*** This bug has been marked as a duplicate of bug 1813894 ***

