
Commit e9404c7

Merge pull request #71256 from bergerhoffer/OSDOCS-8971
OSDOCS#8971: Docs for change in secret generation behavior when the i…
2 parents c26c7f2 + 8382b4f commit e9404c7

3 files changed

+23
-3
lines changed

installing/cluster-capabilities.adoc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,7 @@ include::modules/cluster-image-registry-operator.adoc[leveloffset=+2]
118118
[role="_additional-resources"]
119119
.Additional resources
120120
* xref:../registry/configuring-registry-operator.adoc#configuring-registry-operator[Image Registry Operator in {product-title}]
121+
* xref:../nodes/pods/nodes-pods-secrets.adoc#auto-generated-sa-token-secrets_nodes-pods-secrets[Automatically generated secrets]
121122
122123
[role="_additional-resources"]
123124
[id="additional-resources_{context}"]
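
Review bot: the new xref points at anchor `auto-generated-sa-token-secrets_nodes-pods-secrets`, which only resolves if `modules/service-account-auto-secret-removed.adoc` (whose id is `auto-generated-sa-token-secrets_{context}`) is included from `nodes-pods-secrets.adoc` with `:context: nodes-pods-secrets` set; please confirm that assembly sets exactly that context, because the module title is retitled in this same PR and a mismatched anchor would only surface as a broken link at build time. The link text "Automatically generated secrets" does match the new module heading, so no change needed there.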

modules/cluster-image-registry-operator.adoc

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,13 @@ If insufficient information is available to define a complete `image-registry` r
3434
The Cluster Image Registry Operator runs in the `openshift-image-registry` namespace and it also manages the registry instance in that location. All configuration and workload resources for the registry reside in that namespace.
3535

3636
ifdef::cluster-caps[]
37+
In order to integrate the image registry into the cluster's user authentication and authorization system, a service account token secret and an image pull secret are generated for each service account in the cluster.
38+
39+
[IMPORTANT]
40+
====
41+
If you disable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, the service account token secret and image pull secret are not generated for each service account.
42+
====
43+
3744
If you disable the `ImageRegistry` capability, you can reduce the overall resource footprint of {product-title} in Telco environments. Depending on your deployment, you can disable this component if you do not need it.
3845
endif::[]
3946
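
Review bot: the new IMPORTANT block sits inside `ifdef::cluster-caps[]`, but its second condition (disabling the integrated registry in the Cluster Image Registry Operator configuration) is not specific to the cluster-capabilities context, so readers of the operators reference rendering never learn that the per-service-account token secret and image pull secret stop being generated; consider moving at least that sentence outside the ifdef. It would also help to say what happens to secrets that were already generated before the registry was disabled, since "are not generated" says nothing about whether existing ones are kept or removed.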

@@ -47,4 +54,4 @@ ifeval::["{context}" == "cluster-operators-ref"]
4754
endif::[]
4855
ifeval::["{context}" == "cluster-capabilities"]
4956
:!cluster-caps:
50-
endif::[]
57+
endif::[]
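
Review bot: the removed and added `endif::[]` lines are textually identical, so this hunk is a whitespace-only change (most likely adding the missing newline at end of file); that is fine, but a short mention in the commit message would save reviewers from looking for a content difference.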

modules/service-account-auto-secret-removed.adoc

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,13 @@
55

66
:_mod-docs-content-type: CONCEPT
77
[id="auto-generated-sa-token-secrets_{context}"]
8-
= About automatically generated service account token secrets
8+
= Automatically generated secrets
99

10-
When a service account is created, a service account token secret is automatically generated for it. This service account token secret, along with an automatically generated docker configuration secret, is used to authenticate to the internal {product-title} registry. Do not rely on these automatically generated secrets for your own use; they might be removed in a future {product-title} release.
10+
By default, {product-title} creates the following secrets for each service account:
1111

12+
* A dockercfg image pull secret
13+
* A service account token secret
14+
+
1215
[NOTE]
1316
====
1417
Prior to {product-title} 4.11, a second service account token secret was generated when a service account was created. This service account token secret was used to access the Kubernetes API.
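
Review bot: the new opening sentence "By default, {product-title} creates the following secrets for each service account" is only true when the integrated registry is enabled, and the qualification does not arrive until several paragraphs later, after the NOTE; consider adding "when the integrated {product-registry} is enabled" to this sentence so the list is not read as unconditional. The `+` continuation correctly attaches the NOTE to the "service account token secret" list item (the NOTE concerns only that secret), but the retitled heading "Automatically generated secrets" now covers both secrets while the id `auto-generated-sa-token-secrets_{context}` still names only the token secret; keeping the id is the right call for link stability, just be aware of the mismatch.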
@@ -18,6 +21,15 @@ Starting with {product-title} 4.11, this second service account token secret is
1821
After upgrading to {product-version}, any existing service account token secrets are not deleted and continue to function.
1922
====
2023

24+
This service account token secret and docker configuration image pull secret are necessary to integrate the {product-registry} into the cluster's user authentication and authorization system.
25+
26+
However, if you do not enable the `ImageRegistry` capability or if you disable the integrated {product-registry} in the Cluster Image Registry Operator's configuration, these secrets are not generated for each service account.
27+
28+
[WARNING]
29+
====
30+
Do not rely on these automatically generated secrets for your own use; they might be removed in a future {product-title} release.
31+
====
32+
2133
Workloads are automatically injected with a projected volume to obtain a bound service account token. If your workload needs an additional service account token, add an additional projected volume in your workload manifest. Bound service account tokens are more secure than service account token secrets for the following reasons:
2234

2335
* Bound service account tokens have a bounded lifetime.
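
Review bot: "This service account token secret and docker configuration image pull secret" opens with a singular "This" directly after a NOTE about a different, pre-4.11 token secret, which makes the referent ambiguous; "These two secrets" would be clearer. The condition here reads "if you do not enable the `ImageRegistry` capability" whereas the parallel sentence added to `modules/cluster-image-registry-operator.adoc` says "if you disable the `ImageRegistry` capability"; use the same wording in both places. Likewise "docker configuration image pull secret" should match the list's "dockercfg image pull secret" so readers can tell it is the same object. Moving the "Do not rely on these automatically generated secrets" sentence into a WARNING is a good change, since the following paragraph already explains why bound tokens are the supported alternative.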
