Handle CNI usage of token refresher as well

projectcalico · Jul 6, 2022 · d07d05d · d07d05d
1 parent 79d7243
commit d07d05d
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/calico/_includes/charts/calico/templates/calico-node.yaml b/calico/_includes/charts/calico/templates/calico-node.yaml
@@ -97,6 +97,14 @@ spec:
               name: kubernetes-services-endpoint
               optional: true
           env:
+{{- if eq .Values.network "flannel" }}
+            # Set the serviceaccount name to use for the Calico CNI plugin.
+            # We use canal-node instead of calico-node when using flannel networking.
+            - name: CALICO_CNI_SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+{{- end }}
 {{- if .Values.bpf }}
             # Overrides for kubernetes API server host/port. Needed in BPF mode.
             - name: KUBERNETES_SERVICE_HOST

diff --git a/cni-plugin/pkg/install/install.go b/cni-plugin/pkg/install/install.go
@@ -481,7 +481,7 @@ current-context: calico-context`
 	if err != nil {
 		logrus.WithError(err).Fatal("Unable to create client for generating CNI token")
 	}
-	tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.DefaultServiceAccountName)
+	tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.CNIServiceAccountName())
 	tu, err := tr.UpdateToken()
 	if err != nil {
 		logrus.WithError(err).Fatal("Unable to create token for CNI kubeconfig")

diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go
@@ -217,7 +217,7 @@ func Run() {
 	if err != nil {
 		logrus.WithError(err).Fatal("Failed to create in cluster client set")
 	}
-	tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), cniServiceAccountName())
+	tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName())
 	tokenChan := tr.TokenChan()
 	go tr.Run()
 
@@ -237,9 +237,9 @@ func Run() {
 	}
 }
 
-// cniServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request.
+// CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request.
 // This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-node" otherwise.
-func cniServiceAccountName() string {
+func CNIServiceAccountName() string {
 	if sa := os.Getenv("CALICO_CNI_SERVICE_ACCOUNT"); sa != "" {
 		logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT")
 		return sa