From 622cd1ee753b5633764a8b42fffd095c8d07de34 Mon Sep 17 00:00:00 2001
From: Zhiwei Yin <zyin@redhat.com>
Date: Wed, 11 Mar 2026 14:08:42 +0800
Subject: [PATCH] set tokenrequest UID to empty to avoid conflict with the
 ServiceAccount UID validation (#1423)

Signed-off-by: Zhiwei Yin <zyin@redhat.com>
---
 pkg/server/services/tokenrequest/tokenreqeust.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/server/services/tokenrequest/tokenreqeust.go b/pkg/server/services/tokenrequest/tokenreqeust.go
index dcf815314..db8113abb 100644
--- a/pkg/server/services/tokenrequest/tokenreqeust.go
+++ b/pkg/server/services/tokenrequest/tokenreqeust.go
@@ -56,6 +56,9 @@ func (t *TokenRequestService) HandleStatusUpdate(ctx context.Context, evt *cloud
 
 	switch eventType.Action {
 	case types.CreateRequestAction:
+		// Clear the UID to avoid conflict with the ServiceAccount UID validation
+		// introduced by the TokenRequestServiceAccountUIDValidation feature gate (k8s 1.34+).
+		tokenRequest.UID = ""
 		// Create a token for the service account
 		tokenResponse, err := t.client.CoreV1().ServiceAccounts(tokenRequest.Namespace).CreateToken(ctx, tokenRequest.Name, tokenRequest, metav1.CreateOptions{})
 		if err != nil {