From afbabebfd51c650e743b4217f968ff0fe64ae289 Mon Sep 17 00:00:00 2001
From: emiran-orange <71817149+emiran-orange@users.noreply.github.com>
Date: Tue, 11 May 2021 17:47:36 +0200
Subject: [PATCH] Enables Calico serviceAccount token monitoring and update of /etc/cni/net.d/calico-kubeconfig if need be. (#7586)

Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21). With this feature, SA tokens are regenerated every hour. As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization. Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.
---
 roles/network_plugin/calico/templates/calico-node.yml.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index bcf92e46d..4aa342103 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -259,6 +259,8 @@ spec:
 value: "true"
 - name: FELIX_IGNORELOOSERPF
 value: "{{ calico_node_ignorelooserpf }}"
+ - name: CALICO_MANAGE_CNI
+ value: "true"
 {% if calico_node_extra_envs is defined %}
 {% for key in calico_node_extra_envs %}
 - name: {{ key }}
@@ -309,6 +311,8 @@ spec:
 - name: xtables-lock
 mountPath: /run/xtables.lock
 readOnly: false
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
 {% if typha_secure %}
 - name: typha-client
 mountPath: /etc/typha-client
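Review bot: The reason `CALICO_MANAGE_CNI` is pinned to `"true"` lives only in the commit message; a reader of the template sees an unexplained hard-coded flag beside envs that are driven by variables such as `calico_node_ignorelooserpf`. A short Jinja comment above the new entry would keep the rationale with the code, e.g. `{# CALICO_MANAGE_CNI: let calico-node refresh the SA token in /etc/cni/net.d/calico-kubeconfig itself, since bound SA tokens rotate hourly from K8s 1.21 and the copy made by install-cni expires #}`. The env list and the enclosing container spec continue outside the hunk.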
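Review bot: The new volumeMount writes its keys as `- mountPath:` then `name:`, the reverse of every sibling entry in this list (`- name:` first, then `mountPath:`), and unlike `xtables-lock` just above it omits an explicit `readOnly:` even though the mount exists precisely so the long-running calico-node container can rewrite `/etc/cni/net.d/calico-kubeconfig` on the host. Matching the siblings keeps the list uniform and makes the write intent visible to a reviewer: `- name: cni-net-dir` / `mountPath: /host/etc/cni/net.d` / `readOnly: false`. The `cni-net-dir` volume itself is not in the hunk; presumably it is already declared in the pod's `volumes` for the install-cni initContainer named in the description, but that is worth confirming, since a missing volume only surfaces at apply time. The volumeMounts list and the enclosing container spec continue outside the hunk.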