ironcore-dev / gardener-extension-provider-metal

Gardener extension controller for the IronCore Metal API cloud provider
Apache License 2.0

Additional authentication methods for metal-api #25

Open Nuckal777 opened 2 months ago

Nuckal777 commented 2 months ago

Summary

Currently, only ServiceAccount tokens are supported for authentication against the metal-api. These tokens eventually expire, requiring a manual rotation. It would be great if authentication would only need to be established once.

Regarding implementation, a ServiceAccount which can create a TokenRequest for itself is capable of rotating its token before expiry. This would lead to some sort of bootstrap token mechanism. It's unclear to me right now how to model that cleanly given the current APIs.
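A sketch of the self-rotation idea from the issue above, added here as an illustration and not taken from this repository: the current token authenticates a `TokenRequest` for its own ServiceAccount once it gets close to expiry. The names `expiry`, `Rotate` and `tokenRequest`, the host `metal-api.invalid` and the namespace and account values are hypothetical. It assumes the ServiceAccount is allowed by RBAC to `create` the `serviceaccounts/token` subresource for itself and that the caller supplies an `http.Client` that trusts the API server's CA.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

const tokenRequest = `{"apiVersion":"authentication.k8s.io/v1","kind":"TokenRequest","spec":{"expirationSeconds":%d}}`

// expiry reads the unverified "exp" claim; it only schedules rotation and never establishes trust.
func expiry(jwt string) (time.Time, error) {
	var claims struct{ Exp int64 `json:"exp"` }
	if parts := strings.Split(jwt, "."); len(parts) == 3 {
		if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err == nil && json.Unmarshal(raw, &claims) == nil && claims.Exp > 0 {
			return time.Unix(claims.Exp, 0), nil
		}
	}
	return time.Time{}, fmt.Errorf("token has no readable exp claim")
}

// Rotate returns cur while it outlives margin (or, with an error, if it is unreadable); otherwise it requests a successor.
func Rotate(c *http.Client, api, ns, sa, cur string, margin time.Duration, ttl int64) (string, error) {
	if exp, err := expiry(cur); err != nil || time.Until(exp) > margin {
		return cur, err
	}
	req, err := http.NewRequest(http.MethodPost, api+"/api/v1/namespaces/"+ns+"/serviceaccounts/"+sa+"/token", strings.NewReader(fmt.Sprintf(tokenRequest, ttl)))
	if err != nil {
		return "", err
	}
	req.Header = http.Header{"Authorization": {"Bearer " + cur}, "Content-Type": {"application/json"}}
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Status struct{ Token string `json:"token"` } `json:"status"` }
	if resp.StatusCode/100 != 2 || json.NewDecoder(resp.Body).Decode(&out) != nil || out.Status.Token == "" {
		return "", fmt.Errorf("token request failed: HTTP %d", resp.StatusCode)
	}
	return out.Status.Token, nil
}

func main() { // constructed token with a fake signature, valid for 24h: no request is sent
	p := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"exp":%d}`, time.Now().Add(24*time.Hour).Unix())))
	fmt.Println(Rotate(http.DefaultClient, "https://metal-api.invalid", "ns", "sa", "h."+p+".s", time.Hour, 3600))
}
```

If the token has already expired, the request is rejected and `Rotate` returns an error, so the initial credential still has to be bootstrapped out of band and the rotation has to run on a schedule shorter than the token lifetime.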