Update openshift management token instructions #1864
Conversation
| type: kubernetes.io/service-account-token | ||
| EOF | ||
| # oc describe sa -n $project_name $service_account_name |
There was a problem hiding this comment.
NOTE I dropped the leading # from here because the examples that this is included into do not have that (e.g. oc policy add-role-to-user -n $project_name admin -z $service_account_name) and it also made bash markdown think this was a comment
_includes/provider-ocp-mgt-token.md
Outdated
| ... | ||
| Tokens: management-admin-token-0f3fh | ||
| management-admin-token-q7a87 | ||
| oc describe secret -n $project_name $service_account_name-secret |
There was a problem hiding this comment.
Alternatively, does it make sense to do something like the following to get directly at the token?
oc describe secret -n $project_name -o json $service_account_name-secret | jq -r .data.token
There was a problem hiding this comment.
-o json isn't valid for oc describe but we could use oc get
This would require people have jq installed which I don't think we require anywhere else?
There was a problem hiding this comment.
ibm cloud docs have jq even so it feels so ubiquitous to me now, but yeah, maybe we err on the side of not having jq.
There was a problem hiding this comment.
Here we go, oc get secret -o template $service_account_name-secret -n $project_name --template={{.data.token}
There was a problem hiding this comment.
oh yeah I forgot you can do that - that's fantastic
agrare
force-pushed
the
update_openshift_token_instructions
branch
3 times, most recently
from
1524f42 to
4c2d8a5
Compare
_includes/provider-ocp-mgt-token.md
Outdated
| ==== | ||
| token: eyJhbGciOiJSUzI1NiI... | ||
| ```bash | ||
| oc get secret -o template $service_account_name-secret -n $project_name --template={{.data.token} |
There was a problem hiding this comment.
think there's a typo in the template. Also, I think it's clearer if the template lives next to the -o template. Also typically you put the namespace first, then other options, then the object last.
So something like:
| oc get secret -o template $service_account_name-secret -n $project_name --template={{.data.token} | |
| oc get secret -n $project_name -o template --template={{.data.token}} $service_account_name-secret |
There was a problem hiding this comment.
Oh yeah missed last character while copy&pasting, fixed
NOTE I kept the namespace+name together instead of splitting them up with the -o template --template in the middle but I did keep the -o template --template together
agrare
force-pushed
the
update_openshift_token_instructions
branch
from
4c2d8a5 to
dc7504c
Compare
|
Backported to |
Update openshift management token instructions (cherry picked from commit e763a02)
2 participants
Service Account Tokens are no longer automatically generated when the service account gets created,
oc sa new-tokenis deprecated, andoc create tokenhas a limited duration (even if it can be years) and has not well documented default.https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount describes how to create a long-lived service account token which matches what
oc sa new-tokenwould generate.