From 75565f7caa2bab8837b055fbf8e9fca110cdd21c Mon Sep 17 00:00:00 2001
From: wenyingd
Date: Mon, 16 Jan 2023 15:02:16 +0800
Subject: [PATCH] [ExternalNode] Create Secret for vm-agent in RBAC

1. Crate a separate Secret for VM Agent in RBAC file, this because the Secret for a ServiceAccount is not created automatically since K8s v1.24.
2. Use the manually created Secret in Agent kubeconfig file.

Signed-off-by: wenyingd
---
 build/yamls/externalnode/vm-agent-rbac.yml | 9 +++++++++
 ci/jenkins/test-vm.sh | 4 ++--
 docs/external-node.md | 4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/build/yamls/externalnode/vm-agent-rbac.yml b/build/yamls/externalnode/vm-agent-rbac.yml
index 7f088a899ad..45d15381e85 100644
--- a/build/yamls/externalnode/vm-agent-rbac.yml
+++ b/build/yamls/externalnode/vm-agent-rbac.yml
@@ -5,6 +5,15 @@ metadata:
   name: vm-agent
   namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vm-agent-service-account-token
+  namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
+  annotations:
+    kubernetes.io/service-account.name: vm-agent
+type: kubernetes.io/service-account-token
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/ci/jenkins/test-vm.sh b/ci/jenkins/test-vm.sh
index c25ea4311fb..3b5ec19abae 100755
--- a/ci/jenkins/test-vm.sh
+++ b/ci/jenkins/test-vm.sh
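Review bot: The Secret added in this hunk is of type `kubernetes.io/service-account-token`, which makes the API server issue a long-lived, non-expiring token for `vm-agent`, and nothing in the manifest says so. I would add a comment above the `type:` line such as `# Long-lived token for vm-agent (not rotated automatically); delete this Secret to revoke it.` The `namespace:` comment on the Secret should also say that it must match the ServiceAccount's namespace, because the token controller only populates a Secret whose `kubernetes.io/service-account.name` annotation resolves to a ServiceAccount in the same namespace, and a mismatch leaves `data.token` empty rather than producing an error.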
@@ -193,8 +193,9 @@ function create_kubeconfig_files {
     echo "Creating files ${ANTREA_AGENT_KUBECONFIG} and ${ANTREA_AGENT_ANTREA_KUBECONFIG}"
     # Kubeconfig to access K8S API
+    SECRET_NAME="${SERVICE_ACCOUNT}-service-account-token"
     APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
-    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets ${SECRET_NAME} -o json | jq -r .data.token | base64 --decode)
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-cluster kubernetes --server=$APISERVER --insecure-skip-tls-verify=true
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-credentials antrea-agent --token=$TOKEN
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_KUBECONFIG} set-context antrea-agent@kubernetes --cluster=kubernetes --user=antrea-agent
@@ -203,7 +204,6 @@ function create_kubeconfig_files {
     # Kubeconfig to access AntreaController
     ANTREA_API_SERVER_IP=$(kubectl get nodes -o wide --no-headers=true | awk -v role="$CONTROL_PLANE_NODE_ROLE" '$3 != role {print $6}')
     ANTREA_API_SERVER="https://${ANTREA_API_SERVER_IP}:32767"
-    TOKEN=$(kubectl -n $TEST_NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-cluster antrea --server=$ANTREA_API_SERVER --insecure-skip-tls-verify=true
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-credentials antrea-agent --token=$TOKEN
     kubectl config --kubeconfig=${WORKDIR}/${ANTREA_AGENT_ANTREA_KUBECONFIG} set-context antrea-agent@antrea --cluster=antrea --user=antrea-agent
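Review bot: The new `TOKEN=` line reads `.data.token` as soon as the Secret is addressable by name, but the token controller fills that field asynchronously, so a manifest applied just before this function runs can return `null` from `jq -r`, which `base64 --decode` turns into a few garbage bytes that are then written by `set-credentials --token=$TOKEN` without any error. A short wait until the field is non-empty, sketched below, closes that window; reading the field with `-o jsonpath='{.data.token}'` instead of `-o json | jq` also avoids the new dependency on `jq` being installed on the CI runner, and `$TEST_NAMESPACE` / `$SECRET_NAME` should be quoted. The same `--token=$TOKEN` value is reused by the second hunk (`@@ -203,7 +204,6`), so the check covers both kubeconfig files. The enclosing `create_kubeconfig_files` function starts and ends outside the hunk.
```shell
    SECRET_NAME="${SERVICE_ACCOUNT}-service-account-token"
    # … unchanged: APISERVER lookup …
    # The token controller populates .data.token asynchronously after the Secret
    # is created; wait for it instead of decoding an empty or null value.
    # kubectl errors are silenced on purpose: NotFound is expected while waiting.
    TOKEN=""
    for ((i = 0; i < 30; i++)); do
        TOKEN=$(kubectl -n "$TEST_NAMESPACE" get secret "$SECRET_NAME" -o jsonpath='{.data.token}' 2>/dev/null | base64 --decode)
        [[ -n "$TOKEN" ]] && break
        sleep 1
    done
    [[ -n "$TOKEN" ]] || { echo "Secret $SECRET_NAME has no token after 30s" >&2; exit 1; }
    # … unchanged: kubectl config set-cluster / set-credentials / set-context …
```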
diff --git a/docs/external-node.md b/docs/external-node.md
index 3bc59733dc3..5f8fd90ff25 100644
--- a/docs/external-node.md
+++ b/docs/external-node.md
@@ -208,7 +208,7 @@ spec:
    NAMESPACE="vm-ns"
    KUBECONFIG="antrea-agent.kubeconfig"
    APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
-   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.name=='${SERVICE_ACCOUNT}-service-account-token')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=$KUBECONFIG set-cluster $CLUSTER_NAME --server=$APISERVER --insecure-skip-tls-verify=true
    kubectl config --kubeconfig=$KUBECONFIG set-credentials antrea-agent --token=$TOKEN
    kubectl config --kubeconfig=$KUBECONFIG set-context antrea-agent@$CLUSTER_NAME --cluster=$CLUSTER_NAME --user=antrea-agent
@@ -226,7 +226,7 @@ spec:
    ANTREA_CLUSTER_NAME="antrea"
    NAMESPACE="vm-ns"
    KUBECONFIG="antrea-agent.antrea.kubeconfig"
-   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='$SERVICE_ACCOUNT')].data.token}"|base64 --decode)
+   TOKEN=$(kubectl -n $NAMESPACE get secrets -o jsonpath="{.items[?(@.metadata.name=='${SERVICE_ACCOUNT}-service-account-token')].data.token}"|base64 --decode)
    kubectl config --kubeconfig=$KUBECONFIG set-cluster $ANTREA_CLUSTER_NAME --server=$ANTREA_API_SERVER --insecure-skip-tls-verify=true
    kubectl config --kubeconfig=$KUBECONFIG set-credentials antrea-agent --token=$TOKEN
    kubectl config --kubeconfig=$KUBECONFIG set-context antrea-agent@$ANTREA_CLUSTER_NAME --cluster=$ANTREA_CLUSTER_NAME --user=antrea-agent