From 64a72fe5cff23043a672b7e01a2d363d85aa79b0 Mon Sep 17 00:00:00 2001
From: Jay Jijie Chen <1180092+jijiechen@users.noreply.github.com>
Date: Mon, 20 Jan 2025 16:01:36 +0800
Subject: [PATCH] fix(cni): support bound service account token by reloading periodically (#12592)
## Motivation
this should solve https://github.com/kumahq/kuma/issues/12567 as a simplified implementation. Bart will come up with a more complete version based on his upcoming refatoring.
## Implementation information
Setup a ticker and sync service account token into kubeconfig file periodically
## Supporting documentation
the official client-go SDK re-reads the token once a minute: https://github.com/kubernetes/client-go/issues/1255
> that method initiates a background process that rereads the token file once a minute.
Signed-off-by: Jay Chen <1180092+jijiechen@users.noreply.github.com>
---
 app/cni/pkg/install/installer_config.go | 1 +
 app/cni/pkg/install/main.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/cni/pkg/install/installer_config.go b/app/cni/pkg/install/installer_config.go
index d90c9796888d..672a229699e0 100644
--- a/app/cni/pkg/install/installer_config.go
+++ b/app/cni/pkg/install/installer_config.go
@@ -36,6 +36,7 @@ type InstallerConfig struct {
 KubernetesServiceProtocol string `envconfig:"kubernetes_service_protocol" default:"https"`
 MountedCniNetDir string `envconfig:"mounted_cni_net_dir" default:"/host/etc/cni/net.d"`
 ShouldSleep bool `envconfig:"sleep" default:"true"`
+ RefreshSATokenInterval int `envconfig:"refresh_sa_token_interval" default:"60"`
 }
 
 func (i InstallerConfig) Validate() error {
diff --git a/app/cni/pkg/install/main.go b/app/cni/pkg/install/main.go
index 2295e48fac70..f9bb12115ca1 100644
--- a/app/cni/pkg/install/main.go
+++ b/app/cni/pkg/install/main.go
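Review bot: `RefreshSATokenInterval` is read from `refresh_sa_token_interval` as a bare `int` with no bounds check in this hunk, and the main.go hunk of this commit feeds it to `time.NewTicker`, which panics on a zero or negative duration. `Validate()` is visible here only by its signature, so it may need a guard such as `if i.RefreshSATokenInterval <= 0 { return errors.New("refresh_sa_token_interval must be greater than 0") }`. An upper bound is worth considering too, because an interval longer than the bound token's lifetime would leave an expired credential in the kubeconfig until the next sync. A field comment such as `// seconds between re-syncs of the service account token into the kubeconfig` would make the unit explicit.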
@@ -250,15 +250,25 @@ func runLoop(ic *InstallerConfig) error {
 return nil
 }
 
+ checkInstallTicker := time.NewTicker(time.Duration(ic.CfgCheckInterval) * time.Second)
+ refreshSATokenTicker := time.NewTicker(time.Duration(ic.RefreshSATokenInterval) * time.Second)
+ defer checkInstallTicker.Stop()
+ defer refreshSATokenTicker.Stop()
+
 for {
 select {
 case <-osSignals:
 return nil
- case <-time.After(time.Duration(ic.CfgCheckInterval) * time.Second):
+ case <-checkInstallTicker.C:
 err := checkInstall(ic.MountedCniNetDir+"/"+ic.CniConfName, ic.ChainedCniPlugin)
 if err != nil {
 return err
 }
+ case <-refreshSATokenTicker.C:
+ err := prepareKubeconfig(ic, serviceAccountPath)
+ if err != nil {
+ return err
+ }
 }
 }
 }
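Review bot: In the `case <-refreshSATokenTicker.C:` branch a single failed `prepareKubeconfig` call returns from `runLoop`, so one transient error while re-reading the rotated token ends the installer loop instead of being retried on the next tick. What the caller does with that error is outside the hunk; if it tears the CNI configuration down, consider logging and continuing, e.g. `if err := prepareKubeconfig(ic, serviceAccountPath); err != nil { /* log, retry on next tick */ }`. Because this branch now rewrites a file holding a bearer token every interval, it is also worth confirming in `prepareKubeconfig` (not shown here) that the write is atomic and keeps a restrictive file mode, since the CNI plugin may read the kubeconfig at any moment. `runLoop` begins above the hunk.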