Ensure that every agent token is used only once by improving the agent registration flow
There are (as far as I know) zero valid use cases currently for deploying multiple agents that reference the same agent config using the same token or different named tokens simultaneously. Despite this, we have no mechanism to enforce or even warn users about this kind of misconfiguration. In fact, what I've seen of the agent token UI designs practically encourages users to generate multiple named tokens even though the only intended use case is token rotation.
I think we could borrow from how the runner registration flow works and flip the current flow on its head a bit to encourage people to do the right thing. That might look something like:
- User is presented with a registration token in the agent config project UI
- User deploys an agent with the registration token
- Agent exchanges the registration token for a long-lived agent token, which is then persisted to a secret
- Any other tokens for this agent are automatically revoked as part of this exchange
This would effectively prevent users from deploying multiple instances of the same agent across multiple clusters or in different namespaces of the same cluster. It would also eliminate the need for long-lived token generation to be part of the UI and make token rotation as simple as deleting a secret and restarting the agent.
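The exchange proposed above, modelled as an added example that is not part of the original proposal or the project's code. The class, method names and token prefixes are hypothetical, and the in-memory dictionaries stand in for whatever server-side storage would actually hold the tokens.

```python
import hashlib
import hmac
import secrets

def _digest(token: str) -> str:
    # Keep only a hash server-side so a storage leak exposes no usable token.
    return hashlib.sha256(token.encode()).hexdigest()

class AgentTokenRegistry:
    """Hypothetical server-side token state, keyed by agent id."""

    def __init__(self):
        self.registration = {}  # agent_id -> digest of the unused registration token
        self.active = {}        # agent_id -> digest of the single live agent token

    def issue_registration_token(self, agent_id: str) -> str:
        # Shown in the UI; issuing a new one replaces any unused one.
        token = "reg-" + secrets.token_urlsafe(32)
        self.registration[agent_id] = _digest(token)
        return token

    def exchange(self, agent_id: str, registration_token: str) -> str:
        # Single-use exchange for a long-lived agent token.
        expected = self.registration.get(agent_id)
        if expected is None or not hmac.compare_digest(expected, _digest(registration_token)):
            raise PermissionError("registration token invalid or already used")
        del self.registration[agent_id]  # consume it, so a replay fails
        agent_token = "agent-" + secrets.token_urlsafe(32)
        self.active[agent_id] = _digest(agent_token)  # overwriting revokes the old token
        return agent_token

    def authenticate(self, agent_id: str, agent_token: str) -> bool:
        expected = self.active.get(agent_id)
        return expected is not None and hmac.compare_digest(expected, _digest(agent_token))

def demo() -> dict:
    reg = AgentTokenRegistry()
    r1 = reg.issue_registration_token("agent-a")
    first = reg.exchange("agent-a", r1)  # first deployment
    try:
        reg.exchange("agent-a", r1)      # second deployment reusing the same token
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    # Rotation: a fresh registration token, then a new exchange.
    second = reg.exchange("agent-a", reg.issue_registration_token("agent-a"))
    return {"replay_accepted": replay_accepted,
            "first_still_valid": reg.authenticate("agent-a", first),
            "second_valid": reg.authenticate("agent-a", second)}
```

Because each agent has exactly one `active` slot, a second deployment either fails the exchange or, after a fresh registration, silently invalidates the first instance's token, which is the signal that surfaces the misconfiguration.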