Fix: whereabouts-token-watcher DaemonSet improvements

pliurh · pliurh · commit 1e4bacbd664a · 2025-11-19T22:33:07.000-05:00
This commit introduces several improvements to the whereabouts-token-watcher DaemonSet:
- Corrects a typo in the description.
- Adds logging helper functions for better script output.
- Ensures the service account token is read dynamically during kubeconfig generation.
- Fixes the logical grouping in the CA file change detection condition.
- Increases the kubeconfig regeneration check interval to 60 seconds.
- Mounts the host's CNI network directory for proper CNI configuration management.

Signed-off-by: Peng Liu &lt;pliu@redhat.com&gt;
diff --git a/bindata/network/multus/multus.yaml b/bindata/network/multus/multus.yaml
@@ -934,7 +934,7 @@ metadata:
   namespace: openshift-multus
   annotations:
     kubernetes.io/description: |
-      This deamon watches over the whereabouts service account token and CA
+      This daemon watches over the whereabouts service account token and CA
       file for changes and will regenerate a kubeconfig if changes are seen
     release.openshift.io/version: "{{.ReleaseVersion}}"
 spec:
@@ -954,6 +954,7 @@ spec:
       labels:
         app: whereabouts-token-watcher
     spec:
+      hostNetwork: true
       nodeSelector:
         kubernetes.io/os: linux
       priorityClassName: "system-node-critical"
@@ -971,11 +972,16 @@ spec:
 
           set -u -e
 
+          # Helper functions for logging
+          function log { echo "$(date -Iseconds) $@"; }
+          function warn { echo "$(date -Iseconds) WARNING: $@" >&2; }
+          function error { echo "$(date -Iseconds) ERROR: $@" >&2; }
+
           SERVICE_ACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount
           KUBE_CA_FILE=${KUBE_CA_FILE:-$SERVICE_ACCOUNT_PATH/ca.crt}
-          SERVICE_ACCOUNT_TOKEN=$(cat $SERVICE_ACCOUNT_PATH/token)
           SERVICE_ACCOUNT_TOKEN_PATH=$SERVICE_ACCOUNT_PATH/token
           SKIP_TLS_VERIFY=${SKIP_TLS_VERIFY:-false}
+          WHEREABOUTS_KUBECONFIG=${CNI_CONF_DIR:-/host/etc/cni/net.d}/whereabouts.d/whereabouts.kubeconfig
 
           function generateKubeConfig {
           # Check if we're running as a k8s pod.
@@ -1017,7 +1023,7 @@ spec:
           users:
           - name: whereabouts
             user:
-              token: "${SERVICE_ACCOUNT_TOKEN}"
+              token: "$(cat $SERVICE_ACCOUNT_TOKEN_PATH)"
           contexts:
           - name: whereabouts-context
             context:
@@ -1048,20 +1054,20 @@ spec:
           export LAST_SERVICEACCOUNT_MD5SUM="$(get_token_md5sum)"
           export LAST_KUBE_CA_FILE_MD5SUM="$(get_ca_file_md5sum)"
 
-          echo "Sleep and Watching for service account token and CA file changes..."
+          log "Sleep and Watching for service account token and CA file changes..."
           # enter sleep/watch loop
           while true; do
             # Check the md5sum of the service account token and ca.
             svcaccountsum="$(get_token_md5sum)"
             casum="$(get_ca_file_md5sum)"
-            if [ "$svcaccountsum" != "$LAST_SERVICEACCOUNT_MD5SUM" ] || ! [ "$SKIP_TLS_VERIFY" == "true" ] && [ "$casum" != "$LAST_KUBE_CA_FILE_MD5SUM" ]; then
+            if [ "$svcaccountsum" != "$LAST_SERVICEACCOUNT_MD5SUM" ] || ( [ "$SKIP_TLS_VERIFY" != "true" ] && [ "$casum" != "$LAST_KUBE_CA_FILE_MD5SUM" ] ); then
               log "Detected service account or CA file change, regenerating kubeconfig..."
               generateKubeConfig
               LAST_SERVICEACCOUNT_MD5SUM="$svcaccountsum"
               LAST_KUBE_CA_FILE_MD5SUM="$casum"
             fi
 
-            sleep 1s
+            sleep 60s
           done
 
         resources:
@@ -1072,6 +1078,8 @@ spec:
         volumeMounts:
         - name: whereabouts-flatfile-configmap
           mountPath: /etc/whereabouts/config
+        - mountPath: /host/etc/cni/net.d
+          name: cni-net-dir
         env:
         - name: KUBERNETES_SERVICE_PORT
           value: "{{.KUBERNETES_SERVICE_PORT}}"
@@ -1081,13 +1089,15 @@ spec:
           value: "/host/opt/cni/bin/"
         - name: CNI_CONF_DIR
           value: "/host/etc/cni/net.d"
-        - name: SLEEP
-          value: "false"
         - name: WHEREABOUTS_NAMESPACE
           value: "openshift-multus"
       volumes:
         - name: whereabouts-flatfile-configmap
           configMap:
             name: whereabouts-flatfile-config
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .SystemCNIConfDir }}
+            type: Directory
 {{- end}}
 ---
