-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.16] NO-JIRA: quota.sh: 4.16 no longer creates legacy API tokens #28810
[release-4.16] NO-JIRA: quota.sh: 4.16 no longer creates legacy API tokens #28810
Conversation
The `quota.sh` testcase is making assumptions on how many secrets are automatically created in namespaces, and this number is lower in OCP 4.16. Context provided by Luis Sanchez: > As of OCP 4.11, service account API token secrets (now referred to as “legacy”) were no longer generated automatically for each service account. > All users were supposed to migrate to using the TokenRequest API. > Unfortunately, the integrated image registry was also generating a legacy service account API token for its own use, and some users started to accidentally pick up the token intended for the image registry and missed migrating to the TokenRequest API. > Starting in v4.15, if the image registry is not enabled, the tokens will not be generated. The image registry is still enabled by default, so again another missed opportunity to catch people not using the TokenRequest API. > Finally, in v4.16 the image registry no longer generates the legacy service account API token at all. Based on the above, it seems that the testcase should be improved to expect some specific conditions (and e.g. dont allow high numbers for 4.16 clusters) but @soltysh indicated there's an intent to port this testcase to Go, so any logic improvements will be done at that time and for now we can just allow several smaller counts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/label backport-risk-assessed
/label acknowledge-critical-fixes-only |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LalatenduMohanty, openshift-cherrypick-robot, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@openshift-cherrypick-robot: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3c10005
into
openshift:release-4.16
[ART PR BUILD NOTIFIER] This PR has been included in build openshift-enterprise-tests-container-v4.16.0-202405201532.p0.g3c10005.assembly.stream.el9 for distgit openshift-enterprise-tests. |
This is an automated cherry-pick of #28808
/assign petr-muller