Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2108241

Summary: "oc sa create-kubeconfig" does not work
Product: OpenShift Container Platform Reporter: Hongkai Liu <hongkliu>
Component: ocAssignee: Jan Chaloupka <jchaloup>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED NOTABUG Docs Contact:
Severity: medium    
Priority: unspecified CC: aguclu, hongkliu, jchaloup, knarra, mfojtik, wking
Version: 4.12   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-16 10:51:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hongkai Liu 2022-07-18 16:30:53 UTC 
Description of problem:

oc --context build02 sa create-kubeconfig --namespace ci config-updater
Command "create-kubeconfig" is deprecated, and will be removed in the future version. Use oc create token instead.
error: could not find a service account token for service account "config-updater"


Version-Release number of selected component (if applicable):

oc version --context build02
Client Version: 4.11.0-rc.3
Kustomize Version: v4.5.4
Server Version: 4.11.0-fc.3
Kubernetes Version: v1.24.0+284d62a

oc get clusterversion version --context build02
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-fc.3   True        False         19d     Cluster version is 4.11.0-fc.3


1. Why does it error out if it is ONLY deprecated?
2. What is the replacement with "oc create token" to generate a SA's kubeconfig?

I also tested against build01: It works. So I am not sure if it is a cli's bug.


oc --context build01 get clusterversion version
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.23   True        False         2d8h    Cluster version is 4.10.23

oc --context build01 sa create-kubeconfig --namespace ci config-updater
Command "create-kubeconfig" is deprecated, and will be removed in the future version. Use oc create token instead.
apiVersion: v1
clusters:
...
Comment 2 Arda Guclu 2022-08-02 08:06:50 UTC 
Hi Hongkai Liu;

After upstream decided to switch short-lived tokens, we had to deprecate all `oc serviceaccounts` commands. According to the Slack discussion, there was a solution proposed which will work;

$ KUBECONFIG=yournewkubeconfig oc login URL --token $(oc create token  ...) 

But in automated cases, as you said getting the URL might be difficult. Instead I'd suggest directly using "set-credentials" command like this;

$ oc config set-credentials --kubeconfig=yourkubeconfig --token=$(oc create token $(service_account) --kubeconfig=yourkubeconfig)

That will set the new token into  your kubeconfig(/tmp/build-farm-credentials/...).

Apart from that, this deprecation is deliberate and I'd not consider this as a bug. But if the suggested command does not work for you, let me know and find a better solution.

Thanks.
Comment 3 Hongkai Liu 2022-08-02 11:44:35 UTC 
Thanks Arda for the reply.

> 1. Why does it error out if it is ONLY deprecated?
> 2. What is the replacement with "oc create token" to generate a SA's kubeconfig?

I would like to know answers of the above questions, or confirm my understanding below.

1. It is not only deprecated, it has been removed when working again 4.12 cluster. So the deprecating message is not accurate. To me, deprecation means it is still working now but might not work in the future.
2. There won't be any replacement of "oc sa create-kubeconfig", or at least nothing planed in the near future. I know the workaround of compositing a couple of oc-cmds, but the workaround is not a direct command to print the kubeconfig in the standard outout. The command is heavily used in CI automation. It would be very helpful to recover it. I understand that it is upstream's decision to switch to short-lived token but oc can still do "oc sa create-kubeconfig" to print the short-lived kubeconfig.
Comment 4 Jan Chaloupka 2022-08-02 11:50:42 UTC 
> 1. It is not only deprecated, it has been removed when working again 4.12 cluster. So the deprecating message is not accurate. To me, deprecation means it is still working now but might not work in the future.

Unfortunately, the functionality was suddenly removed by upstream. The standard procedure is to first deprecate a functionality and then remove it in the next release. However, given the functionality is already gone, we can only report its deprecation.
Comment 5 Jan Chaloupka 2022-08-02 11:52:49 UTC 
> 2. There won't be any replacement of "oc sa create-kubeconfig", or at least nothing planed in the near future. I know the workaround of compositing a couple of oc-cmds, but the workaround is not a direct command to print the kubeconfig in the standard outout. The command is heavily used in CI automation. It would be very helpful to recover it. I understand that it is upstream's decision to switch to short-lived token but oc can still do "oc sa create-kubeconfig" to print the short-lived kubeconfig.

The original "oc sa create-kubeconfig" functionality was mainly located in the kube-apiserver. Given the code was already removed, backporting the original code into oc will not make any difference.
Comment 6 Hongkai Liu 2022-08-02 18:01:52 UTC 
Thanks for the clarification.
Comment 7 Arda Guclu 2022-09-06 11:29:45 UTC 
*** Bug 2109799 has been marked as a duplicate of this bug. ***