Support ServiceAccount token volume projection #22012

l0rd · 2023-02-19T13:34:09Z

Is your enhancement related to a problem? Please describe

The default ServiceAccount token mounted in workspaces Pods:

doesn't have an audience set
is always mounted under the same path
has an hardcoded expirationSeconds

This can be problematic in scenarios such as workload identity federation where the token audience needs to be specified.

Describe the solution you'd like

A new CheCluster spec.devEnvironments.serviceAccountTokens property:

spec:
  devEnvironments:
    serviceAccountTokens:
      - name: <name>
        mounthPath: <mount-path>
        audience: <audience>
        expirationSeconds: <expiration>
        path: <path>

that, if set, will result in the workspaces pods specifying the corresponding service account token volumes projections:

kind: Pod
(...)
spec:
(...)
  containers:
    (...)
    volumeMounts:
    - mountPath: <mount-path>
      name: <name>
  volumes:
  (...)
  - name: <name>
    projected:
      sources:
      - serviceAccountToken:
          path: <path>
          expirationSeconds: <expiration>
          audience: <audience>

The text was updated successfully, but these errors were encountered:

AObuchow · 2023-03-06T15:32:01Z

@l0rd do you know if the name field in spec.devEnvironments.serviceAccountTokens should be propagated to both the volume and volumeMount name in the pod spec?

For example, the given spec.devEnvironments.serviceAccountTokens:

spec:
  devEnvironments:
    serviceAccountTokens:
      - name: dev-token
        mounthPath: /var/run/secrets/tokens
        audience: openshift
        expirationSeconds: 3600

would result in:

kind: Pod
(...)
spec:
(...)
  containers:
    (...)
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: dev-token
  volumes:
  (...)
  - name: dev-token
    projected:
      sources:
      - serviceAccountToken:
          path: dev-token
          expirationSeconds: 3600
          audience: openshift

This is the approach I'm currently taking, though perhaps the name fields should be generated based on the workspace ID, as we do for other areas of DWO.

l0rd · 2023-03-09T12:54:23Z

@AObuchow yes, the serviceAccountToken name should be used for:

spec.containers[].volumeMounts[].name
spec.volumes[].name
I don't think there is any reason we should use the workspaceid (i.e. 2 workspaces can have SA tokens with the same name).

In my original proposal, in the serviceAccountToken, we could not specify the path, so I updated that. And I also clarified that the name should be usd in both volumeMounts and volume

This commit adds a new field to the DWOC `workspace.serviceAccountTokens`, which is a an array of ServiceAccount tokens that will be mounted to workspace pods as projected volumes. Part of eclipse-che/che#22012 Signed-off-by: Andrew Obuchowicz <[email protected]>

This commit adds a new field to the DWOC `workspace.serviceAccountTokens`, which is an array of ServiceAccount tokens that will be mounted to workspace pods as projected volumes. Part of eclipse-che/che#22012 Signed-off-by: Andrew Obuchowicz <[email protected]>

max-cx · 2023-05-03T11:27:19Z

sync'd to Red Hat JIRA https://issues.redhat.com/browse/CRW-4345

devstudio-release · 2023-05-03T11:50:32Z

sync'd to Red Hat JIRA https://issues.redhat.com/browse/CRW-4345

l0rd added the kind/enhancement A feature request - must adhere to the feature request template. label Feb 19, 2023

che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Feb 19, 2023

AObuchow self-assigned this Mar 1, 2023

l0rd mentioned this issue Mar 6, 2023

Sprint 233 (Team B) #22035

Closed

7 tasks

l0rd mentioned this issue Mar 6, 2023

Sprint 232 (Team B) #22001

Closed

This was referenced Mar 15, 2023

Support for ServiceAccount token projection devfile/devworkspace-operator#1065

Merged

feat: configure DWOC ServiceAccount tokens from devEnvironments.serviceAccountTokens eclipse-che/che-operator#1643

Merged

l0rd mentioned this issue Mar 22, 2023

Sprint 234 (Team B) #22089

Closed

AObuchow mentioned this issue Apr 12, 2023

chore: update to DevWorkspace-Operator 0.20.0 eclipse-che/che-operator#1659

Closed

10 tasks

tolusha mentioned this issue Apr 13, 2023

feat: Update Dev Workspace Operator v0.20.0 eclipse-che/che-operator#1660

Merged

10 tasks

AObuchow mentioned this issue Apr 13, 2023

update DEPENDENCIES.md eclipse-che/che-operator#1661

Merged

10 tasks

l0rd closed this as completed Apr 17, 2023

l0rd mentioned this issue Apr 26, 2023

Add ability to annotate Service Account #22134

Closed

l0rd added this to the 7.64 milestone Apr 27, 2023

nickboldt added the new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes label May 3, 2023

l0rd mentioned this issue Jan 11, 2024

Allow pod-overrides of volumes and container-overrides of volumeMounts in Devfiles #22751

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support ServiceAccount token volume projection #22012

Support ServiceAccount token volume projection #22012

l0rd commented Feb 19, 2023 •

edited

Loading

AObuchow commented Mar 6, 2023

l0rd commented Mar 9, 2023

max-cx commented May 3, 2023

devstudio-release commented May 3, 2023

Support ServiceAccount token volume projection #22012

Support ServiceAccount token volume projection #22012

Comments

l0rd commented Feb 19, 2023 • edited Loading

Is your enhancement related to a problem? Please describe

Describe the solution you'd like

AObuchow commented Mar 6, 2023

l0rd commented Mar 9, 2023

max-cx commented May 3, 2023

devstudio-release commented May 3, 2023

l0rd commented Feb 19, 2023 •

edited

Loading