Merge pull request #87965 from bergerhoffer/OCPBUGS-43809

OCPBUGS#43809: Clarifying what's created for each service account

Author: bergerhoffer

authentication/understanding-and-creating-service-accounts.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 include::modules/service-accounts-overview.adoc[leveloffset=+1]
 
+include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
+
 // include::modules/service-accounts-enabling-authentication.adoc[leveloffset=+1]
 
 include::modules/service-accounts-creating.adoc[leveloffset=+1]

modules/service-accounts-creating.adoc

@@ -22,9 +22,9 @@ $ oc get sa
 [source,terminal]
 ----
 NAME       SECRETS   AGE
-builder    2         2d
-default    2         2d
-deployer   2         2d
+builder    1         2d
+default    1         2d
+deployer   1         2d
 ----
 
 . To create a new service account in the current project:
@@ -67,10 +67,10 @@ $ oc describe sa robot
 ----
 Name:                robot
 Namespace:           project1
-Labels:	             <none>
-Annotations:	     <none>
+Labels:              <none>
+Annotations:         openshift.io/internal-registry-pull-secret-ref: robot-dockercfg-qzbhb
 Image pull secrets:  robot-dockercfg-qzbhb
 Mountable secrets:   robot-dockercfg-qzbhb
-Tokens:              robot-token-f4khf
+Tokens:              <none>
 Events:              <none>
 ----

modules/service-accounts-granting-roles.adoc

@@ -3,7 +3,7 @@
 // * authentication/using-service-accounts.adoc
 
 [id="service-accounts-granting-roles_{context}"]
-= Examples of granting roles to service accounts
+= Granting roles to service accounts
 
 You can grant roles to service accounts in the same way that you grant roles
 to a regular user account.

modules/service-accounts-overview.adoc

@@ -15,11 +15,12 @@ When you use the {product-title} CLI or web console, your API token
 authenticates you to the API. You can associate a component with a service account
 so that they can access the API without using a regular user's credentials.
 ifdef::openshift-online,openshift-origin,openshift-enterprise,openshift-webscale[]
+
 For example, service accounts can allow:
 
-* Replication controllers to make API calls to create or delete pods.
-* Applications inside containers to make API calls for discovery purposes.
-* External applications to make API calls for monitoring or integration purposes.
+* Replication controllers to make API calls to create or delete pods
+* Applications inside containers to make API calls for discovery purposes
+* External applications to make API calls for monitoring or integration purposes
 endif::[]
 
 Each service account's user name is derived from its project and name:
@@ -45,12 +46,3 @@ Every service account is also a member of two groups:
 specified project.
 
 |===
-
-Each service account automatically contains two secrets:
-
-* An API token
-* Credentials for the OpenShift Container Registry
-
-The generated API token and registry credentials do not expire, but you can
-revoke them by deleting the secret. When you delete the secret, a new one is
-automatically generated to take its place.