operator: explicitly add Secrets to registration ServiceAccounts

With Kubernetes 1.24, creation of ServiceAccounts no more triggers the creation of an associated Secret resource automatically: we need it for the ServiceAccount bound to the MachineRegistation resources. Explicitly create it in any case. Fixes #176 Signed-off-by: Francesco Giudici <[email protected]>
rancher · Sep 23, 2022 · ea712b2 · ea712b2
1 parent deef765
commit ea712b2
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/pkg/controllers/registration/registration.go b/pkg/controllers/registration/registration.go
@@ -91,11 +91,30 @@ func (h *handler) OnChange(obj *elm.MachineRegistration, status elm.MachineRegis
 		return status, err
 	}
 
+	secretName := obj.Name + "-token"
+	_, err = h.clients.Core().Secret().Create(&corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: obj.Namespace,
+			Annotations: map[string]string{
+				"kubernetes.io/service-account.name": obj.Name,
+			},
+		},
+		Type: "kubernetes.io/service-account-token",
+	})
+	if err != nil && !apierrors.IsAlreadyExists(err) {
+		return status, fmt.Errorf("add Secret to %s ServiceAccount: %w", obj.Name, err)
+	}
 	_, err = h.clients.Core().ServiceAccount().Create(&corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      obj.Name,
 			Namespace: obj.Namespace,
 		},
+		Secrets: []corev1.ObjectReference{
+			{
+				Name: secretName,
+			},
+		},
 	})
 	if err != nil && !apierrors.IsAlreadyExists(err) {
 		return status, err