fix(cni): support bound service account token by reloading periodically (#12592)

## Motivation

this should solve #12567 as a
simplified implementation.

Bart will come up with a more complete version based on his upcoming
refactoring.

## Implementation information

Set up a ticker and sync service account token into kubeconfig file
periodically

## Supporting documentation

<!-- Is there a MADR? An Issue? A related PR? -->

the official client-go SDK re-reads the token once a minute:

kubernetes/client-go#1255

> that method initiates a background process that rereads the token file
once a minute.

<!--
> Changelog: skip
-->
<!--
Uncomment the above section to explicitly set a [`> Changelog:` entry
here](https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#submitting-a-patch)?
-->

Signed-off-by: Jay Chen <[email protected]>
jijiechen authored Jan 20, 2025
1 parent 8a00691 commit 64a72fe
Showing 2 changed files with 12 additions and 1 deletion.
1 change: 1 addition & 0 deletions app/cni/pkg/install/installer_config.go
Expand Up @@ -36,6 +36,7 @@ type InstallerConfig struct {
KubernetesServiceProtocol string `envconfig:"kubernetes_service_protocol" default:"https"`
MountedCniNetDir string `envconfig:"mounted_cni_net_dir" default:"/host/etc/cni/net.d"`
ShouldSleep bool `envconfig:"sleep" default:"true"`
RefreshSATokenInterval int `envconfig:"refresh_sa_token_interval" default:"60"`
}

func (i InstallerConfig) Validate() error {
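
Review bot: `RefreshSATokenInterval` is added to `InstallerConfig` with no range check, and this commit leaves `Validate()` untouched (the file shows 1 addition and 0 deletions). The value is passed to `time.NewTicker` in `runLoop`, and `time.NewTicker` panics when the duration is zero or negative, so a setting of 0 would crash the installer instead of producing a configuration error. Suggest rejecting values below 1 in `Validate()` and adding a field comment stating that the unit is seconds, since neither the name nor the `envconfig` tag says so.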
12 changes: 11 additions & 1 deletion app/cni/pkg/install/main.go
Expand Up @@ -250,15 +250,25 @@ func runLoop(ic *InstallerConfig) error {
return nil
}

checkInstallTicker := time.NewTicker(time.Duration(ic.CfgCheckInterval) * time.Second)
refreshSATokenTicker := time.NewTicker(time.Duration(ic.RefreshSATokenInterval) * time.Second)
defer checkInstallTicker.Stop()
defer refreshSATokenTicker.Stop()

for {
select {
case <-osSignals:
return nil
case <-time.After(time.Duration(ic.CfgCheckInterval) * time.Second):
case <-checkInstallTicker.C:
err := checkInstall(ic.MountedCniNetDir+"/"+ic.CniConfName, ic.ChainedCniPlugin)
if err != nil {
return err
}
case <-refreshSATokenTicker.C:
err := prepareKubeconfig(ic, serviceAccountPath)
if err != nil {
return err
}
}
}
}
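
Review bot: in the `case <-refreshSATokenTicker.C:` branch, any error from `prepareKubeconfig` is returned from `runLoop`, so a single failed token read or kubeconfig write ends the loop; consider logging the error and retrying on the next tick so the previously written kubeconfig stays in place, and returning only after repeated failures. The same hunk moves `CfgCheckInterval` from `time.After` to `time.NewTicker`, which panics on a non-positive duration where `time.After` did not, so that value needs a positive check too if `Validate()` does not already enforce one. `prepareKubeconfig` is not visible here: since it now rewrites a file that the CNI plugin may read at any moment, it is worth confirming that it writes to a temporary file and renames it into place, and that it keeps the file mode restrictive because the file carries the token.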
