bug: fixing running antrea-controller --version "outside of K8s" print warnings

[prakrit55]

fix: #5990

• added a function getAntreaAgentServiceAccount() which fixes the warnings outside k8s

kubectl exec -it antrea-controller-6b554d9c74-l9ms2 -n kube-system -- /bin/bash root@kind-worker:/# antrea-controller --version
antrea-controller version v2.0.0-dev-43ee1f47 linux/amd64 go1.21.7

docker run antrea/antrea-controller-ubuntu:v2.0.0-dev-43ee1f47 antrea-controll er --version antrea-controller version v2.0.0-dev-43ee1f47 linux/amd64 go1.21.7

[antoninbas]

the function implementation is not correct. If the absence of a POD_NAMESPACE env variable, using kube-system as the default is what we want

the function should just preserve the existing behavior return:

	strings.Join([]string{
		"system", "serviceaccount", env.GetAntreaNamespace(), "antrea-agent",
	}, ":")

[prakrit55]

Hey @antoninbas, need a reconfirmation, here the logic was to see if the namespace is present or not, obviously its absence as a container but as in a pod it would definitely have one. So, in pod it will peacefully execute the env.GetAntreaNamespace() but in container it wont have it and give the warnings. WDYS

[antoninbas]

the main case scenario in which the namespace is not defined is for unit tests, in this case we prefer to default to kube-system
it may also apply when running the antrea agent in a "simulator" context, outside of a K8s Node. In this case, we also prefer to default to kube-system IMO

[antoninbas]

Even though I don't think that verifyIdentity is called very often, we may want to just add antreaAgentServiceAccountName as a field to the ipsecCSRApprover struct, and initialize the field by calling getAntreaAgentServiceAccount() when we instantiate ipsecCSRApprover objects. It may be a good idea to have a newIPsecCSRApprover helper function to instantiate.

[antoninbas]

this should be csr.Spec.Username != ic. antreaAgentServiceAccountName

[antoninbas]

this should not be a member function
and ic.antreaAgentServiceAccountName should be populated (by calling getAntreaAgentServiceAccount()) as part of a new "constructor", newIPsecCSRApprover, as I pointed out in my earlier review

[prakrit55]

done

[antoninbas]

this should be:

func newIPsecCSRApprover(client clientset.Interface) *ipsecCSRApprover {
	return &ipsecCSRApprover{
		client: client,
		antreaAgentServiceAccountName: getAntreaAgentServiceAccount(),
	}
}

[antoninbas]

the constructor should not be called here
you need to find all places where ipsecCSRApprover is instantiated directly using &ipsecCSRApprover{...}, and replace them with calls to newIPsecCSRApprover(...).

abasSMD6R:antrea abas$ git grep "&ipsecCSRApprover"
pkg/controller/certificatesigningrequest/approving_controller.go:                       &ipsecCSRApprover{
pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go:                    ic := &ipsecCSRApprover{
pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go:                    ic := &ipsecCSRApprover{
pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go:                    ic := &ipsecCSRApprover{
pkg/controller/certificatesigningrequest/ipsec_csr_approver_test.go:                    ic := &ipsecCSRApprover{

[prakrit55]

thank you

[antoninbas]

you are creating a new instance of `ipsecCSRApprover, this is not right

[prakrit55]

will revert and fix : )

[antoninbas]

one small nit, otherwise LGTM

[antoninbas]

nit: it would be more concise not to define an extra variable. You can just return strings.Join(...)

[prakrit55]

oh I get it

[antoninbas]

/test-all