KEP-740: promote external token signing to beta

Author: liggitt

keps/prod-readiness/sig-auth/740.yaml

@@ -1,3 +1,5 @@
 kep-number: 740
 alpha:
-  approver: "@soltysh"
+  approver: "@soltysh"
+beta:
+  approver: "@soltysh"

keps/sig-auth/740-service-account-external-signing/README.md

@@ -24,7 +24,6 @@
       - [Prerequisite testing updates](#prerequisite-testing-updates)
       - [Unit tests](#unit-tests)
       - [Integration tests](#integration-tests)
-      - [e2e tests](#e2e-tests)
   - [Graduation Criteria](#graduation-criteria)
     - [Alpha](#alpha)
     - [Beta](#beta)
@@ -50,20 +49,16 @@
 
 Items marked with (R) are required *prior to targeting to a milestone / release*.
 
-- [ ] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
-- [ ] (R) KEP approvers have approved the KEP status as `implementable`
+- [x] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
+- [x] (R) KEP approvers have approved the KEP status as `implementable`
 - [x] (R) Design details are appropriately documented
-- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
-  - [ ] e2e Tests for all Beta API Operations (endpoints)
-  - [ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
-  - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
-- [ ] (R) Graduation criteria is in place
-  - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
-- [ ] (R) Production readiness review completed
-- [ ] (R) Production readiness review approved
+- [x] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
+- [x] (R) Graduation criteria is in place
+- [x] (R) Production readiness review completed
+- [x] (R) Production readiness review approved
 - [ ] "Implementation History" section is up-to-date for milestone
-- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
-- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
+- [x] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
+- [x] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
 
 [kubernetes.io]: https://kubernetes.io/
 [kubernetes/enhancements]: https://git.k8s.io/enhancements
@@ -142,9 +137,9 @@ A new versioned grpc API (ExternalJWTSigner) will be created under `k8s.io/kuber
 #### Support for Legacy Tokens
 
 Implementers will have following options for legacy token support:
-1. Let the Controller loop run as it is with static signing keys. Stitch the public keys in external signer's JWKs.
-2. Turn off the loop (don't support legacy tokens) if external signing is enabled.
-3. Create a custom external signer for legacy tokens using Controller loop from staging repo (This option will only be available if demanded by Community as part of feedback for Beta graduation).
+1. Turn off the loop (don't support legacy tokens) if external signing is enabled. (recommended to avoid non-expiring tokens)
+2. Let the Controller loop run as it is with static signing keys. Stitch the public keys in external signer's JWKs.
+3. Turn off the loop in kube-controller-manager and create a custom external signer for legacy tokens that obtains them via the external signer.
 
 ### Risks and Mitigations
 
@@ -280,10 +275,6 @@ to implement this enhancement.
 ##### Integration tests
 
 - Create a cluster with ExternalJWTSigner to configure an external signer and verify TokenRequest and TokenReview APIs work properly.
-
-##### e2e tests
-
-- Create a cluster with ExternalJWTSigner configured.
 - Request a token for a service account principal.
 - Use a token as bearer for making requests to kube-apiserver and ensure it succeeds.
 
@@ -296,13 +287,15 @@ to implement this enhancement.
 
 #### Beta
 
-- E2E tests are completed.
-- We have at least one ExternalSigner implementation working with this change.
+- All tests are completed.
+- We have at least one ExternalSigner integration working with this change.
+  - GKE integration is complete
 - Decide whether to externalize legacy token controller code in a staging repo. Check [Support for Legacy Tokens](#support-for-legacy-tokens) for details.
+  - Decided not to externalize legacy token controller code
 
 #### GA
 
-- More than one ExternalSigner implementations are completed.
+- More than one ExternalSigner integration are completed.
 - Feature is tuned with feedback from distributions.
 
 ### Upgrade/Downgrade Strategy
@@ -590,6 +583,10 @@ Initial PRs:
 - kubernetes/kubernetes#73110
 - kubernetes/kubernetes#125177
 
+1.32: Alpha release
+
+1.34: Beta release
+
 ## Drawbacks
 
 Enabling the feature puts a remote service in the critical path of kube-apiserver. Thus, it can easily cause an outage. However, we have some relief in that it is an opt-in/configurable feature. 

keps/sig-auth/740-service-account-external-signing/kep.yaml

@@ -17,10 +17,11 @@ approvers:
 
 stage: alpha
 
-latest-milestone: "v1.33"
+latest-milestone: "v1.34"
 
 milestone:
   alpha: "v1.32"
+  beta: "v1.34"
 
 feature-gates:
   - name: ExternalServiceAccountTokenSigner