sassoftware · gsmith-sas · Sep 12, 2024 · Aug 21, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,19 @@
 # SAS Viya Monitoring for Kubernetes
 
 ## Unreleased
+* **Overall**
+  * [DOCUMENTATION] Reorganization of content to improve readability and flow.
+  * [TASK] Updated links (within markdown files, dashboards, etc.) to reflect documentation reorganization
+
 * **Logging**
   * [CHANGE] Updated link to SAS documentation in the SAS Update Checker Report (within 
 OpenSearch Dashboards) to be version-independent
 
 * **Metrics**
   * [FIX] Changed metric label (from 'CAS Version' to 'OS Version') on SAS CAS Overview 
 dashboard (within Grafana) to reflect information displayed
+  * [FIX] Replace deprecated `oc serviceacounts get-token` command in deploy_monitoring_openshift.sh for OpenShift 4.16+
+
 
 ## Version 1.2.28 (13AUG2024)
 * **Logging**

diff --git a/monitoring/bin/deploy_monitoring_openshift.sh b/monitoring/bin/deploy_monitoring_openshift.sh
@@ -80,20 +80,38 @@ if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name
   kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
 fi
 
-# OCP 4.11: We need to patch service account to add API Token
-  if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ]; then
-     token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
-     log_debug "Patching serviceAccount to link to token...[$token]"
-     kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
-  fi
+if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name 2>/dev/null)" ]; then
+  log_info "Creating Grafana serviceAccount..."
+  kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
+fi
 
 #Container Security: Disable serviceAccount Token Automounting
 disable_sa_token_automount $MON_NS grafana-serviceaccount
 
 log_debug "Adding cluster role..."
 oc adm policy add-cluster-role-to-user cluster-monitoring-view -z grafana-serviceaccount -n $MON_NS
+
+if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ] && [ "$OSHIFT_MINOR_VERSION" -lt "16" ] ; then
+
+    # OCP versions 4.11-4.15: We need to patch service account to add API Token
+
+    # NOTE: $token below is the *name* of the Kubernetes secret
+    #       containing the autogenerated serviceaccount token
+    token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
+    log_debug "Patching serviceAccount to link to token...[$token]"
+    kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
+fi
+
 log_debug "Obtaining token..."
-grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
+# NOTE: $grafanaToken is an actual token and NOT the name of a k8s resouce
+if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "15" ]; then
+   # OCP 4.16: removed deprecated oc serviceaccounts get-token command
+   # NOTE: 12000 hours = 500 days although OpenShift *may* expire token after 12 months
+   grafanaToken=$(oc create token grafana-serviceaccount -n $MON_NS --duration 12000h)
+else
+   grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
+fi
+
 if [ "$grafanaToken" == "" ]; then
   log_error "Unable to obtain authentication token for [grafana-serviceaccount]"
   exit 1