From fbef9908b833fdb5487afdfba9cf902c075045e3 Mon Sep 17 00:00:00 2001
From: Jay Jijie Chen <1180092+jijiechen@users.noreply.github.com>
Date: Tue, 21 Jan 2025 12:52:54 +0800
Subject: [PATCH] fix(cni): support bound service account token by reloading periodically (backport of #12592) (#12623)

Manual backport of #12592 to `release-2.9`
---------
Signed-off-by: Jay Chen <1180092+jijiechen@users.noreply.github.com>
---
 app/cni/pkg/install/installer_config.go | 8 +++++++-
 app/cni/pkg/install/main.go | 12 +++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/app/cni/pkg/install/installer_config.go b/app/cni/pkg/install/installer_config.go
index d90c9796888d..d40234da6230 100644
--- a/app/cni/pkg/install/installer_config.go
+++ b/app/cni/pkg/install/installer_config.go
@@ -12,6 +12,7 @@ import (
 "github.com/pkg/errors"
 "github.com/kumahq/kuma/pkg/config"
+ "github.com/kumahq/kuma/pkg/util/files"
 )
 const (
@@ -36,6 +37,7 @@ type InstallerConfig struct {
 KubernetesServiceProtocol string `envconfig:"kubernetes_service_protocol" default:"https"`
 MountedCniNetDir string `envconfig:"mounted_cni_net_dir" default:"/host/etc/cni/net.d"`
 ShouldSleep bool `envconfig:"sleep" default:"true"`
+ RefreshSATokenInterval int `envconfig:"refresh_sa_token_interval" default:"60"`
 }
 func (i InstallerConfig) Validate() error {
@@ -99,7 +101,11 @@ func prepareKubeconfig(ic *InstallerConfig, serviceAccountPath string) error {
 caData := base64.StdEncoding.EncodeToString(kubeCa)
 kubeconfig := kubeconfigTemplate(ic.KubernetesServiceProtocol, ic.KubernetesServiceHost, ic.KubernetesServicePort, string(serviceAccountToken), caData)
- log.Info("writing kubernetes config", "path", kubeconfigPath)
+ logLevel := 0
+ if files.FileExists(kubeconfigPath) {
+ logLevel = 1
+ }
+ log.V(logLevel).Info("writing kubernetes config", "path", kubeconfigPath)
 err = atomic.WriteFile(kubeconfigPath, strings.NewReader(kubeconfig))
 if err != nil {
 return err
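Review bot: The new `RefreshSATokenInterval` field accepts any integer from `refresh_sa_token_interval`, and the runLoop hunk in main.go passes it straight to `time.NewTicker`, which panics on a zero or negative duration. The same now applies to `CfgCheckInterval`, which previously went through `time.After` and did not panic. The body of `Validate()` lies outside this hunk, so it may already cover `CfgCheckInterval`; if it has no such check, add one for both fields there, for example `if i.RefreshSATokenInterval <= 0 { return errors.New("refresh_sa_token_interval must be positive") }`. A short comment on the field stating that the unit is seconds would also help.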
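Review bot: The kubeconfig written at `atomic.WriteFile(kubeconfigPath, ...)` embeds `string(serviceAccountToken)` and is now rewritten on every refresh tick, so a restrictive file mode has to hold after each rewrite and not only after the first install. The hunk does not show whether a mode is applied after the write (prepareKubeconfig starts and ends outside the hunk), so that is worth confirming against the rest of the function. Separately, the bare `0`/`1` verbosity values would read better with a comment such as `// log the first write at the default level; periodic token refreshes only at V(1)`.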
diff --git a/app/cni/pkg/install/main.go b/app/cni/pkg/install/main.go
index 2295e48fac70..f9bb12115ca1 100644
--- a/app/cni/pkg/install/main.go
+++ b/app/cni/pkg/install/main.go
@@ -250,15 +250,25 @@ func runLoop(ic *InstallerConfig) error {
 return nil
 }
+ checkInstallTicker := time.NewTicker(time.Duration(ic.CfgCheckInterval) * time.Second)
+ refreshSATokenTicker := time.NewTicker(time.Duration(ic.RefreshSATokenInterval) * time.Second)
+ defer checkInstallTicker.Stop()
+ defer refreshSATokenTicker.Stop()
+
 for {
 select {
 case <-osSignals:
 return nil
- case <-time.After(time.Duration(ic.CfgCheckInterval) * time.Second):
+ case <-checkInstallTicker.C:
 err := checkInstall(ic.MountedCniNetDir+"/"+ic.CniConfName, ic.ChainedCniPlugin)
 if err != nil {
 return err
 }
+ case <-refreshSATokenTicker.C:
+ err := prepareKubeconfig(ic, serviceAccountPath)
+ if err != nil {
+ return err
+ }
 }
 }
 }
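Review bot: A failed refresh at `case <-refreshSATokenTicker.C:` returns the error out of runLoop, so one transient failure to read the token or write the kubeconfig stops the installer loop, even though the kubeconfig already on disk may still hold a token that has not expired. What happens after runLoop returns is not visible here, since the function starts outside the hunk. If failing fast is intended so that the pod restarts, a comment saying so would help, e.g. `// a failed refresh is fatal: exit so the pod restarts and rewrites the kubeconfig`. Otherwise, log the error and retry on the next tick, e.g. `log.Error(err, "refreshing kubeconfig failed, retrying on next tick")`.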