Description
Bug Description
getServiceAccountSecret assumes 1) secret-based tokens will always be created for service accounts, and 2) a manually provided secret name will be referenced from the service account
Neither of those assumptions is universally correct.
In 1.21+ secret-based tokens are no longer used for mounting into pods (ephemeral time-limited tokens are).
In 1.24+, secret-based tokens are no longer auto-created by default for new service accounts.
Using ephemeral time-bound tokens is preferred in 1.21+ (see the TokenRequest API) if possible.
If a secret-based token is still desired, one can be created manually, but it will not be referenced from the service account's .secrets list. If a secret name is explicitly provided to istioctl, it should be validated by looking at the type (kubernetes.io/service-account-token) and the kubernetes.io/service-account.name annotation (which should match the service account name).
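An added example, not code from the issue or from istioctl: the validation the report asks for, written in Go against a Secret fetched as JSON (for instance with kubectl get secret -o json). It assumes a minimal struct of the Secret's fields rather than client-go types, and adds a third check beyond the two named above: that the token controller has actually populated data.token, since a hand-made secret starts out empty.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of a Secret (constructed here, not client-go types).
type secret struct {
	Type     string `json:"type"`
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

const (
	saTokenType = "kubernetes.io/service-account-token"
	saNameAnnot = "kubernetes.io/service-account.name"
)

// validateSATokenSecret accepts a secret manifest only if it is a
// service-account-token secret issued for saName and already populated.
func validateSATokenSecret(manifest []byte, saName string) error {
	var s secret
	if err := json.Unmarshal(manifest, &s); err != nil {
		return fmt.Errorf("parse secret: %w", err)
	}
	if s.Type != saTokenType {
		return fmt.Errorf("%s: type %q, want %q", s.Metadata.Name, s.Type, saTokenType)
	}
	if owner := s.Metadata.Annotations[saNameAnnot]; owner != saName {
		return fmt.Errorf("%s: annotation %s=%q, want %q", s.Metadata.Name, saNameAnnot, owner, saName)
	}
	// A manually created secret stays empty until the token controller fills it.
	if s.Data["token"] == "" {
		return fmt.Errorf("%s: no token populated yet", s.Metadata.Name)
	}
	return nil
}

// Constructed sample: a manually created token secret for SA "istio-reader".
const sample = `{"type":"kubernetes.io/service-account-token",
 "metadata":{"name":"istio-reader-token","annotations":{"kubernetes.io/service-account.name":"istio-reader"}},
 "data":{"token":"ZXhhbXBsZQ=="}}`

func main() {
	fmt.Println("istio-reader:", validateSATokenSecret([]byte(sample), "istio-reader")) // nil
	fmt.Println("other-sa:", validateSATokenSecret([]byte(sample), "other-sa"))         // error
}
```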
Version
n/a
Additional Information
No response