fix: create serviceaccount token for v1.24 clusters

[danielhelfand]

Closes #9422

This pull request allows users to add v1.24 Kubernetes clusters to be managed by Argo CD by creating a service account secret with a bearer token. In previous versions of Kubernetes, this secret was created when serviceaccounts were created, but was removed in order to discourage the use of long lived tokens.

Two approaches were explored to address this:

1. Create the secret for serviceaccounts via Argo CD UX experiences
2. Use the TokenRequest API provided by Kubernetes to request tokens with configurable expiration

The decision was made to go with option 1 above since using the tokenrequest api would require moving the InstallClusterManagerRBAC func behind an API endpoint. This would need to be done in order to persist a TokenManager that would be injected into the cluster server upon start up to manage tokens created by the token request api.

There may need to be a longer term discussion on adding this new endpoint/token manager to the cluster server so the current proposal would keep the use of secrets for storing bearer tokens for service accounts.

Due to k3s not having a stable 1.24 release available, testing for 1.24 clusters was conducted manually using kind.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[codecov]

Codecov Report

Merging #9546 (4e1db7d) into master (68c7e7d) will increase coverage by 0.10%.
The diff coverage is 70.00%.

@@            Coverage Diff             @@
##           master    #9546      +/-   ##
==========================================
+ Coverage   45.79%   45.89%   +0.10%     
==========================================
  Files         222      222              
  Lines       26377    26458      +81     
==========================================
+ Hits        12079    12143      +64     
- Misses      12650    12658       +8     
- Partials     1648     1657       +9     

Impacted Files	Coverage Δ
cmd/argocd/commands/admin/cluster.go	0.00% <0.00%> (ø)
cmd/argocd/commands/cluster.go	9.17% <0.00%> (ø)
util/clusterauth/clusterauth.go	68.32% <73.13%> (+1.65%)	⬆️
...licationset/generators/generator_spec_processor.go	51.66% <0.00%> (-5.91%)	⬇️
util/helm/helm.go	41.89% <0.00%> (-0.78%)	⬇️
util/io/path/resolved.go	76.92% <0.00%> (ø)
util/settings/settings.go	48.16% <0.00%> (ø)
...is/applicationset/v1alpha1/applicationset_types.go	34.69% <0.00%> (ø)
applicationset/generators/matrix.go	72.60% <0.00%> (+0.38%)	⬆️
applicationset/generators/merge.go	60.60% <0.00%> (+0.40%)	⬆️
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 68c7e7d...4e1db7d. Read the comment docs.

[rishabh625]

Hey @danielhelfand , Thanks for the awesome work

[crenshaw-dev]

All the nitpicks. :-)

I think the only substantial things are:

1. timeouts for requests
2. using patch instead of update for the sa

[crenshaw-dev]

How about an outside-the-loop context with a 30s timeout and an inside-the-loop context with a 10s timeout?

If for some absurd reason there are 100 secrets, the outer context will keep us from waiting forever.

If there's high latency, inner context will make sure we give a nice amount of time to get the secret.

If there's high latency and 3+ secrets and the target secret isn't in the first 3... well that's just a bummer.

[crenshaw-dev]

How bout the ol' 10s. Maybe we need a constant. :-P

[leoluz]

LGTM
Thank you Daniel!

[crenshaw-dev]

Tested adding a 1.24 docker-desktop cluster from a 1.20 minikube cluster. lgtm. Thanks so much!

[crenshaw-dev]

Cherry-picked onto 2.4.

[rishabh625]

Hi @crenshaw-dev will this be backported to 2.3 too?

[crenshaw-dev]

Good question... I'm not opposed to it, if anyone needs it. Want to ask in #argo-contributors on CNCF Slack?

[rishabh625]

Yeah sure, we'll need it

[crenshaw-dev]

Cherry-picked onto release-2.3 for 2.3.7.