fix(cni): support bound service account token by reloading periodical…

…ly (backport of #12592) (#12623) Manual backport of #12592 to `release-2.9` --------- Signed-off-by: Jay Chen <[email protected]>
kumahq · Jan 21, 2025 · fbef990 · fbef990
1 parent b45d789
commit fbef990
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/app/cni/pkg/install/installer_config.go b/app/cni/pkg/install/installer_config.go
@@ -12,6 +12,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/kumahq/kuma/pkg/config"
+	"github.com/kumahq/kuma/pkg/util/files"
 )
 
 const (
@@ -36,6 +37,7 @@ type InstallerConfig struct {
 	KubernetesServiceProtocol string `envconfig:"kubernetes_service_protocol" default:"https"`
 	MountedCniNetDir          string `envconfig:"mounted_cni_net_dir" default:"/host/etc/cni/net.d"`
 	ShouldSleep               bool   `envconfig:"sleep" default:"true"`
+	RefreshSATokenInterval    int    `envconfig:"refresh_sa_token_interval" default:"60"`
 }
 
 func (i InstallerConfig) Validate() error {
@@ -99,7 +101,11 @@ func prepareKubeconfig(ic *InstallerConfig, serviceAccountPath string) error {
 	caData := base64.StdEncoding.EncodeToString(kubeCa)
 
 	kubeconfig := kubeconfigTemplate(ic.KubernetesServiceProtocol, ic.KubernetesServiceHost, ic.KubernetesServicePort, string(serviceAccountToken), caData)
-	log.Info("writing kubernetes config", "path", kubeconfigPath)
+	logLevel := 0
+	if files.FileExists(kubeconfigPath) {
+		logLevel = 1
+	}
+	log.V(logLevel).Info("writing kubernetes config", "path", kubeconfigPath)
 	err = atomic.WriteFile(kubeconfigPath, strings.NewReader(kubeconfig))
 	if err != nil {
 		return err

diff --git a/app/cni/pkg/install/main.go b/app/cni/pkg/install/main.go
@@ -250,15 +250,25 @@ func runLoop(ic *InstallerConfig) error {
 		return nil
 	}
 
+	checkInstallTicker := time.NewTicker(time.Duration(ic.CfgCheckInterval) * time.Second)
+	refreshSATokenTicker := time.NewTicker(time.Duration(ic.RefreshSATokenInterval) * time.Second)
+	defer checkInstallTicker.Stop()
+	defer refreshSATokenTicker.Stop()
+
 	for {
 		select {
 		case <-osSignals:
 			return nil
-		case <-time.After(time.Duration(ic.CfgCheckInterval) * time.Second):
+		case <-checkInstallTicker.C:
 			err := checkInstall(ic.MountedCniNetDir+"/"+ic.CniConfName, ic.ChainedCniPlugin)
 			if err != nil {
 				return err
 			}
+		case <-refreshSATokenTicker.C:
+			err := prepareKubeconfig(ic, serviceAccountPath)
+			if err != nil {
+				return err
+			}
 		}
 	}
 }