[ExternalNode] Create Secret for vm-agent in RBAC

[wenyingd]

1. Crate a separate Secret for VM Agent in RBAC file, because the Secret for a ServiceAccount is not created automatically since K8s v1.24.
2. Use the manually created Secret in Agent kubeconfig file.

Fix #4558

Signed-off-by: wenyingd wenyingd@vmware.com

[wenyingd]

/test-vm-e2e

[Anandkumar26]

Looks good to me.

[Anandkumar26]

Any particular reason to change it to use Secret Name instead of ServiceAccount Name?

[wenyingd]

This is to be compatible with the original K8s versions. After we changed the RBAC file for VM Agent, a new Secret with name "vm-agent-service-account-token" is always created. It should work fine with newer versions in K8s cluster as there is only one Secret (what is created by us) is found with the annotation "kubernetes.io/service-account.name: vm-agent". For previous versions, a default Secret is created along with the SA, there would be two Secrets found with the annotation, then the final token string is incorrect as a concat of two tokens. As a result, I change the script to leverage the Secret which must exist in both previous version and later version.

[Anandkumar26]

Sounds good. Thanks for the clarification.

[codecov]

Codecov Report

Merging #4560 (91b0893) into main (bd0d275) will increase coverage by 5.78%.
The diff coverage is n/a.

❗ Current head 91b0893 differs from pull request most recent head 75565f7. Consider uploading reports for the commit 75565f7 to get more accurate results

@@            Coverage Diff             @@
##             main    #4560      +/-   ##
==========================================
+ Coverage   64.58%   70.36%   +5.78%     
==========================================
  Files         390      376      -14     
  Lines       57640    56059    -1581     
==========================================
+ Hits        37225    39448    +2223     
+ Misses      17760    13881    -3879     
- Partials     2655     2730      +75     

Flag	Coverage Δ		*Carryforward flag
e2e-tests	38.34% <ø> (ø)		Carriedforward from bd0d275
integration-tests	34.57% <ø> (-0.01%)	⬇️
kind-e2e-tests	46.48% <ø> (ø)		Carriedforward from bd0d275
unit-tests	59.15% <ø> (+3.46%)	⬆️

*This pull request uses carry forward flags. Click here to find out more.

Impacted Files	Coverage Δ
pkg/features/antrea_features.go	64.00% <0.00%> (-36.00%)	⬇️
pkg/flowaggregator/certificate.go	63.52% <0.00%> (-12.00%)	⬇️
pkg/config/flowaggregator/default.go	91.30% <0.00%> (-8.70%)	⬇️
pkg/agent/flowexporter/exporter/exporter.go	65.54% <0.00%> (-5.99%)	⬇️
pkg/util/env/env.go	58.73% <0.00%> (-4.77%)	⬇️
pkg/antctl/runtime/runtime.go	33.33% <0.00%> (-3.34%)	⬇️
...catesigningrequest/ipsec_csr_signing_controller.go	61.65% <0.00%> (-2.46%)	⬇️
pkg/agent/util/net_linux.go	30.43% <0.00%> (-1.52%)	⬇️
pkg/controller/externalnode/controller.go	66.16% <0.00%> (-1.51%)	⬇️
pkg/ipam/poolallocator/allocator.go	73.09% <0.00%> (-0.48%)	⬇️
... and 83 more

[wenyingd]

/test-vm-e2e

[tnqn]

LGTM

[wenyingd]

/skip-all
VM Agent e2e test has passed in CI setup.