[ExternalNode] Create Secret for vm-agent in RBAC

1. Crate a separate Secret for VM Agent in RBAC file, this because the Secret for a ServiceAccount is not created automatically since K8s v1.24. 2. Use the manually created Secret in Agent kubeconfig file. Signed-off-by: wenyingd <wenyingd@vmware.com>
antrea-io · Jan 18, 2023 · 75565f7 · 75565f7
1 parent bd0d275
commit 75565f7
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/build/yamls/externalnode/vm-agent-rbac.yml b/build/yamls/externalnode/vm-agent-rbac.yml
@@ -5,6 +5,15 @@ metadata:
   name: vm-agent
   namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vm-agent-service-account-token
+  namespace: vm-ns  # Change the Namespace to where vm-agent is expected to run.
+  annotations:
+    kubernetes.io/service-account.name: vm-agent
+type: kubernetes.io/service-account-token
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

diff --git a/ci/jenkins/test-vm.sh b/ci/jenkins/test-vm.sh
@@ -193,8 +193,9 @@ function create_kubeconfig_files {
     echo "Creating files ${ANTREA_AGENT_KUBECONFIG} and ${ANTREA_AGENT_ANTREA_KUBECONFIG}"
     # Kubeconfig to access K8S API
 
+    SECRET_NAME="${SERVICE_ACCOUNT}-service-account-token"
     APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
-    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets ${SECRET_NAME} -o json | jq -r .data.token | base64 --decode)
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify=true
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-credentials antrea-agent --token=$TOKEN
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-context antrea-agent@kubernetes --cluster=kubernetes --user=antrea-agent
@@ -203,7 +204,6 @@ function create_kubeconfig_files {
     # Kubeconfig to access AntreaController
     ANTREA_API_SERVER_IP=$(kubectl get nodes -o wide --no-headers=true | awk -v role="$CONTROL_PLANE_NODE_ROLE" '$3 != role {print $6}')
     ANTREA_API_SERVER="https://${ANTREA_API_SERVER_IP}:32767"
-    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-cluster antrea --server=$ANTREA_API_SERVER --insecure-skip-tls-verify=true
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-credentials antrea-agent --token=$TOKEN
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-context antrea-agent@antrea --cluster=antrea --user=antrea-agent

diff --git a/docs/external-node.md b/docs/external-node.md
@@ -208,7 +208,7 @@ spec:
    NAMESPACE="vm-ns"
    KUBECONFIG="antrea-agent.kubeconfig"
    APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
-   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.name=='${SERVICE_ACCOUNT}-service-account-token')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=$KUBECONFIG set-cluster $CLUSTER_NAME --server=$APISERVER --insecure-skip-tls-verify=true
    kubectl config --kubeconfig=$KUBECONFIG set-credentials antrea-agent --token=$TOKEN
    kubectl config --kubeconfig=$KUBECONFIG set-context antrea-agent@$CLUSTER_NAME --cluster=$CLUSTER_NAME --user=antrea-agent
@@ -226,7 +226,7 @@ spec:
    ANTREA_CLUSTER_NAME="antrea"
    NAMESPACE="vm-ns"
    KUBECONFIG="antrea-agent.antrea.kubeconfig"
-   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.name=='${SERVICE_ACCOUNT}-service-account-token')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=$KUBECONFIG set-cluster $ANTREA_CLUSTER_NAME --server=$ANTREA_API_SERVER --insecure-skip-tls-verify=true
    kubectl config --kubeconfig=$KUBECONFIG set-credentials antrea-agent --token=$TOKEN
    kubectl config --kubeconfig=$KUBECONFIG set-context antrea-agent@$ANTREA_CLUSTER_NAME --cluster=$ANTREA_CLUSTER_NAME --user=antrea-agent