With the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6:

1. Find the initial deprecation notice in docs.
2. Have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. Write a controller in the operator that removes the service-ca from all secrets.
3. Create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`. The name is abusive and clear. People who set it should be very aware and not call us.
4. If the value is set, set the env var and mark the cluster upgradeable==false.

In 4.6, we can remove the code entirely because no one can be relying on it.
Corrected commit targeted for removal: https://github.com/openshift/kubernetes/commit/46562f3b5e34287b6ef79b92e54d9bee78ab735d
Initial deprecation notice: https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes
*** Bug 1813892 has been marked as a duplicate of this bug. ***
PR to remove the code has been posted, and its merge should be deferred until 4.6: https://github.com/openshift/origin/pull/24393
Still waiting on the updates to the following operators:
- openshift/cluster-kube-controller-manager-operator (submitted but blocked by persistent and unrelated test flake)
- openshift/cluster-samples-operator (coordinating with maintainers of jboss-container-images to get required upstream changes merged)
The cluster-samples-operator fix is still in-progress, but testing the change is now possible. The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in the pod filesystem: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
The openshift/library PR has merged: https://github.com/openshift/library/pull/219 Tomorrow (June 3rd), once a nightly job has made the necessary updates to the branch, cluster-samples-operator will be able to vendor the change. This vendoring change will need to merge to master and then be backported to 4.5.
The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in service account token secrets and on the pod filesystem: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
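One way to script the verification described in the two comments above (and the per-secret cleanup sketched in step 2.5 of the first comment), as an added example that is not code from this bug or from any OpenShift operator. It assumes the standard Kubernetes Secret API shape for `kubernetes.io/service-account-token` secrets, uses a constructed SecretList in place of `oc get secrets -A -o json` output, and checks the in-pod mount path named in the comments:

```python
"""Verify that the service serving CA no longer leaks into service account
token secrets or the projected service account mount in a pod.
Added example; the sample SecretList below is constructed, not captured
from a real cluster."""
import base64
import json
import os
from typing import List

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SERVICE_CA_KEY = "service-ca.crt"
# Path the comments above say should no longer exist inside a 4.5 pod.
MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def _b64(text: str) -> str:
    """Secret .data values are base64-encoded strings."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample, shaped like `oc get secrets -A -o json` output.
SAMPLE_SECRET_LIST = json.dumps({
    "kind": "SecretList",
    "items": [
        {   # legacy token secret that still carries the service CA
            "metadata": {"name": "default-token-abc12", "namespace": "app"},
            "type": SA_TOKEN_TYPE,
            "data": {"ca.crt": _b64("CLUSTER-CA"), "namespace": _b64("app"),
                     "token": _b64("TOKEN"), SERVICE_CA_KEY: _b64("SERVICE-CA")},
        },
        {   # token secret already in the post-change shape
            "metadata": {"name": "builder-token-xyz89", "namespace": "app"},
            "type": SA_TOKEN_TYPE,
            "data": {"ca.crt": _b64("CLUSTER-CA"), "namespace": _b64("app"),
                     "token": _b64("TOKEN")},
        },
        {   # unrelated secret type: must be left alone even if it uses the same key name
            "metadata": {"name": "my-tls", "namespace": "app"},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": _b64("X"), "tls.key": _b64("Y"), SERVICE_CA_KEY: _b64("Z")},
        },
    ],
})


def parse_secret_list(secret_list_json: str) -> List[dict]:
    """Return the items of a SecretList document."""
    return json.loads(secret_list_json).get("items", [])


def find_secrets_with_service_ca(secret_list_json: str) -> List[str]:
    """Return 'namespace/name' for every service account token secret that
    still contains the service-ca.crt key. An empty list means the change
    is in effect for token secrets."""
    hits = []
    for item in parse_secret_list(secret_list_json):
        if item.get("type") != SA_TOKEN_TYPE:
            continue
        if SERVICE_CA_KEY in (item.get("data") or {}):
            meta = item["metadata"]
            hits.append(f"{meta['namespace']}/{meta['name']}")
    return hits


def strip_service_ca(secret: dict) -> dict:
    """Per-secret cleanup as a controller like the one in step 2.5 would do it:
    drop service-ca.crt from token secrets only. Returns a new dict for token
    secrets and the original object, untouched, for any other secret type."""
    if secret.get("type") != SA_TOKEN_TYPE:
        return secret
    cleaned = json.loads(json.dumps(secret))  # deep copy; never mutate the input
    cleaned.get("data", {}).pop(SERVICE_CA_KEY, None)
    return cleaned


def service_ca_present_in_mount(mount_dir: str = MOUNT_PATH) -> bool:
    """Run inside a pod: True if the projected service account volume still
    exposes service-ca.crt. Expected False once the change is in place."""
    return os.path.exists(os.path.join(mount_dir, SERVICE_CA_KEY))


if __name__ == "__main__":
    print("token secrets still carrying service-ca.crt:",
          find_secrets_with_service_ca(SAMPLE_SECRET_LIST))
    print("service-ca.crt present in pod mount:", service_ca_present_in_mount())
```

On a real cluster, feed `find_secrets_with_service_ca` the output of `oc get secrets -A -o json` from outside the pod, and run `service_ca_present_in_mount()` from a shell inside a freshly created pod; both should report nothing once the change has landed.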
As per https://bugzilla.redhat.com/show_bug.cgi?id=1845188 this change represents a backwards-incompatible change that was insufficiently communicated. Deferring to 4.6 and even then making this change will depend on being able to avoid breaking customer workloads.
This change is already present in master (it was reverted for release-4.5) and awaits QA verification.
Given a lack of visibility into the customer impact of this change, this change will not appear in 4.6. I dropped the removal PR as part of the 1.19 rebase. I'm closing for now and we can re-open if/when we can justify the time and energy required to not have this change negatively impact customers.