2108241 – "oc sa create-kubeconfig" does not work

Bug 2108241 - "oc sa create-kubeconfig" does not work

Summary: "oc sa create-kubeconfig" does not work

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oc
Sub Component:
Version:	4.12
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jan Chaloupka
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2109799 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-07-18 16:30 UTC by Hongkai Liu
Modified:	2022-09-06 11:29 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-08-16 10:51:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Hongkai Liu 2022-07-18 16:30:53 UTC

Description of problem:

oc --context build02 sa create-kubeconfig --namespace ci config-updater
Command "create-kubeconfig" is deprecated, and will be removed in the future version. Use oc create token instead.
error: could not find a service account token for service account "config-updater"


Version-Release number of selected component (if applicable):

oc version --context build02
Client Version: 4.11.0-rc.3
Kustomize Version: v4.5.4
Server Version: 4.11.0-fc.3
Kubernetes Version: v1.24.0+284d62a

oc get clusterversion version --context build02
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-fc.3   True        False         19d     Cluster version is 4.11.0-fc.3


1. Why does it error out if it is ONLY deprecated?
2. What is the replacement with "oc create token" to generate a SA's kubeconfig?

I also tested against build01: It works. So I am not sure if it is a cli's bug.


oc --context build01 get clusterversion version
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.23   True        False         2d8h    Cluster version is 4.10.23

oc --context build01 sa create-kubeconfig --namespace ci config-updater
Command "create-kubeconfig" is deprecated, and will be removed in the future version. Use oc create token instead.
apiVersion: v1
clusters:
...

Comment 2 Arda Guclu 2022-08-02 08:06:50 UTC

Hi Hongkai Liu;

After upstream decided to switch short-lived tokens, we had to deprecate all `oc serviceaccounts` commands. According to the Slack discussion, there was a solution proposed which will work;

$ KUBECONFIG=yournewkubeconfig oc login URL --token $(oc create token  ...) 

But in automated cases, as you said getting the URL might be difficult. Instead I'd suggest directly using "set-credentials" command like this;

$ oc config set-credentials --kubeconfig=yourkubeconfig --token=$(oc create token $(service_account) --kubeconfig=yourkubeconfig)

That will set the new token into  your kubeconfig(/tmp/build-farm-credentials/...).

Apart from that, this deprecation is deliberate and I'd not consider this as a bug. But if the suggested command does not work for you, let me know and find a better solution.

Thanks.

Comment 3 Hongkai Liu 2022-08-02 11:44:35 UTC

Thanks Arda for the reply.

> 1. Why does it error out if it is ONLY deprecated?
> 2. What is the replacement with "oc create token" to generate a SA's kubeconfig?

I would like to know answers of the above questions, or confirm my understanding below.

1. It is not only deprecated, it has been removed when working again 4.12 cluster. So the deprecating message is not accurate. To me, deprecation means it is still working now but might not work in the future.
2. There won't be any replacement of "oc sa create-kubeconfig", or at least nothing planed in the near future. I know the workaround of compositing a couple of oc-cmds, but the workaround is not a direct command to print the kubeconfig in the standard outout. The command is heavily used in CI automation. It would be very helpful to recover it. I understand that it is upstream's decision to switch to short-lived token but oc can still do "oc sa create-kubeconfig" to print the short-lived kubeconfig.

Comment 4 Jan Chaloupka 2022-08-02 11:50:42 UTC

> 1. It is not only deprecated, it has been removed when working again 4.12 cluster. So the deprecating message is not accurate. To me, deprecation means it is still working now but might not work in the future.

Unfortunately, the functionality was suddenly removed by upstream. The standard procedure is to first deprecate a functionality and then remove it in the next release. However, given the functionality is already gone, we can only report its deprecation.

Comment 5 Jan Chaloupka 2022-08-02 11:52:49 UTC

> 2. There won't be any replacement of "oc sa create-kubeconfig", or at least nothing planed in the near future. I know the workaround of compositing a couple of oc-cmds, but the workaround is not a direct command to print the kubeconfig in the standard outout. The command is heavily used in CI automation. It would be very helpful to recover it. I understand that it is upstream's decision to switch to short-lived token but oc can still do "oc sa create-kubeconfig" to print the short-lived kubeconfig.

The original "oc sa create-kubeconfig" functionality was mainly located in the kube-apiserver. Given the code was already removed, backporting the original code into oc will not make any difference.

Comment 6 Hongkai Liu 2022-08-02 18:01:52 UTC

Thanks for the clarification.

Comment 7 Arda Guclu 2022-09-06 11:29:45 UTC

*** Bug 2109799 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.