Currently, only ServiceAccount tokens are supported for authentication against the metal-api. These tokens eventually expire, requiring manual rotation. It would be great if authentication only needed to be established once.
Regarding implementation, a ServiceAccount that can create a TokenRequest for itself is capable of rotating its token before expiry. This would lead to some sort of bootstrap token mechanism. It's unclear to me right now how to model that cleanly given the current APIs.
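The self-rotation idea raised above, sketched as an added example (not code from the issue or from the project): it decides when a token is due for renewal and builds the TokenRequest call the ServiceAccount would make with its still-valid token. The 80% threshold and the namespace, ServiceAccount and audience names are assumptions chosen for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// lifetime reads iat/exp from the token payload WITHOUT verifying the signature;
// the values only schedule rotation and must never feed a trust decision.
func lifetime(token string) (int64, int64, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, 0, fmt.Errorf("not a three-segment JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct{ Iat, Exp int64 }
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Exp <= c.Iat {
		return 0, 0, fmt.Errorf("undecodable payload or inconsistent iat/exp")
	}
	return c.Iat, c.Exp, nil
}

// needsRotation reports whether 80% of the token's lifetime has elapsed at now.
func needsRotation(iat, exp int64, now time.Time) bool {
	return now.Unix() >= iat+(exp-iat)*8/10
}

// tokenRequest builds the path and body the ServiceAccount POSTs with its current
// token. RBAC: "create" on "serviceaccounts/token", resourceNames = its own name.
func tokenRequest(ns, sa, audience string, ttl int64) (string, []byte, error) {
	if ttl < 600 { // the API server rejects expirationSeconds below 10 minutes
		return "", nil, fmt.Errorf("expirationSeconds must be at least 600")
	}
	body, err := json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
		"spec": map[string]interface{}{"audiences": []string{audience}, "expirationSeconds": ttl},
	})
	return fmt.Sprintf("/api/v1/namespaces/%s/serviceaccounts/%s/token", ns, sa), body, err
}

func main() {
	// Constructed sample token (iat=1000, exp=4600); ns, SA and audience are made up.
	tok := "e30." + base64.RawURLEncoding.EncodeToString([]byte(`{"iat":1000,"exp":4600}`)) + ".sig"
	iat, exp, _ := lifetime(tok)
	path, body, _ := tokenRequest("metal-system", "metal-client", "metal-api", 3600)
	fmt.Println(needsRotation(iat, exp, time.Unix(3900, 0)), path, string(body))
}
```

Because each renewal is authenticated by the previous token, a client that stays offline past expiry still has to be re-bootstrapped with a fresh credential.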