Simplified change, undo the delete event refactoring and the removal of the linkerd-cni.conf.default file

alpeb · alpeb · commit cbe42999ac7d · 2024-12-06T10:36:34.000-05:00
diff --git a/Dockerfile-cni-plugin b/Dockerfile-cni-plugin
@@ -48,6 +48,7 @@ COPY --from=go /go/bin/linkerd-cni /opt/cni/bin/
 COPY --from=cni-repair-controller /build/linkerd-cni-repair-controller /usr/lib/linkerd/
 COPY LICENSE .
 COPY cni-plugin/deployment/scripts/install-cni.sh .
+COPY cni-plugin/deployment/linkerd-cni.conf.default .
 COPY cni-plugin/deployment/scripts/filter.jq .
 ENV PATH=/linkerd:/opt/cni/bin:$PATH
 CMD ["install-cni.sh"]
diff --git a/cni-plugin/deployment/linkerd-cni.conf.default b/cni-plugin/deployment/linkerd-cni.conf.default
@@ -0,0 +1,24 @@
+{
+    "name": "linkerd-cni",
+    "type": "linkerd-cni",
+    "log_level": "info",
+    "policy": {
+        "type": "k8s",
+        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+    },
+    "kubernetes": {
+        "kubeconfig": "__KUBECONFIG_FILEPATH__"
+    },
+    "linkerd": {
+        "incoming-proxy-port": 4143,
+        "outgoing-proxy-port": 4140,
+        "proxy-uid": 2102,
+        "proxy-gid": 2102,
+        "ports-to-redirect": [],
+        "inbound-ports-to-ignore": [],
+        "outbound-ports-to-ignore": [],
+        "simulate": false,
+        "use-wait-flag": false
+    }
+}
diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh
@@ -56,7 +56,7 @@ HOST_CNI_NET="${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}"
 # Location of legacy "interface mode" file, to be automatically deleted
 DEFAULT_CNI_CONF_PATH="${HOST_CNI_NET}/01-linkerd-cni.conf"
 KUBECONFIG_FILE_NAME=${KUBECONFIG_FILE_NAME:-ZZZ-linkerd-cni-kubeconfig}
-SERVICEACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount
+SERVICE_ACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount
 
 ############################
 ### Function definitions ###
@@ -121,31 +121,32 @@ install_cni_bin() {
 }
 
 create_kubeconfig() {
-  KUBE_CA_FILE=${KUBE_CA_FILE:-${SERVICEACCOUNT_PATH}/ca.crt}
+  KUBE_CA_FILE=${KUBE_CA_FILE:-${SERVICE_ACCOUNT_PATH}/ca.crt}
   SKIP_TLS_VERIFY=${SKIP_TLS_VERIFY:-false}
-  SERVICEACCOUNT_TOKEN=$(cat ${SERVICEACCOUNT_PATH}/token)
-
-  # Check if we're not running as a k8s pod.
-  if [[ ! -f "${SERVICEACCOUNT_PATH}/token" ]]; then
-    return
-  fi
-
-  if [ -z "${KUBERNETES_SERVICE_HOST}" ]; then
-    log 'KUBERNETES_SERVICE_HOST not set'; exit 1;
-  fi
-  if [ -z "${KUBERNETES_SERVICE_PORT}" ]; then
-    log 'KUBERNETES_SERVICE_PORT not set'; exit 1;
-  fi
+  # Pull out service account token.
+  SERVICEACCOUNT_TOKEN=$(cat ${SERVICE_ACCOUNT_PATH}/token)
+
+  # Check if we're running as a k8s pod.
+  # The check will assert whether token exists and is a regular file
+  if [ -f "${SERVICE_ACCOUNT_PATH}/token" ]; then
+    # We're running as a k8d pod - expect some variables.
+    # If the variables are null, exit
+    if [ -z "${KUBERNETES_SERVICE_HOST}" ]; then
+      log 'KUBERNETES_SERVICE_HOST not set'; exit 1;
+    fi
+    if [ -z "${KUBERNETES_SERVICE_PORT}" ]; then
+      log 'KUBERNETES_SERVICE_PORT not set'; exit 1;
+    fi
 
-  if [ "${SKIP_TLS_VERIFY}" = 'true' ]; then
-    TLS_CFG='insecure-skip-tls-verify: true'
-  elif [ -f "${KUBE_CA_FILE}" ]; then
-    TLS_CFG="certificate-authority-data: $(base64 "${KUBE_CA_FILE}" | tr -d '\n')"
-  fi
+    if [ "${SKIP_TLS_VERIFY}" = 'true' ]; then
+      TLS_CFG='insecure-skip-tls-verify: true'
+    elif [ -f "${KUBE_CA_FILE}" ]; then
+      TLS_CFG="certificate-authority-data: $(base64 "${KUBE_CA_FILE}" | tr -d '\n')"
+    fi
 
-  touch "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}"
-  chmod "${KUBECONFIG_MODE:-600}" "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}"
-  cat > "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" <<EOF
+    touch "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}"
+    chmod "${KUBECONFIG_MODE:-600}" "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}"
+    cat > "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" <<EOF
 # Kubeconfig file for linkerd CNI plugin.
 apiVersion: v1
 kind: Config
@@ -165,6 +166,8 @@ contexts:
     user: linkerd-cni
 current-context: linkerd-cni-context
 EOF
+
+  fi
 }
 
 create_cni_conf() {
@@ -239,7 +242,14 @@ sync() {
 
   local config_file_count
   local new_sha
-  if [ "$ev" = 'CREATE' ] || [ "$ev" = 'MOVED_TO' ] || [ "$ev" = 'MODIFY' ]; then
+  if [ "$ev" = 'DELETE' ]; then
+    # When the event type is 'DELETE', we check to see if there are any `*conf` or `*conflist`
+    # files on the host's filesystem.
+    config_file_count=$(find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | sort | wc -l)
+    if [ "$config_file_count" -eq 0 ]; then
+      log "No active CNI configuration file found after $ev event"
+    fi
+  elif [ "$ev" = 'CREATE' ] || [ "$ev" = 'MOVED_TO' ] || [ "$ev" = 'MODIFY' ]; then
     # When the event type is 'CREATE', 'MOVED_TO' or 'MODIFY', we check the
     # previously observed SHA (updated with each file watch) and compare it
     # against the new file's SHA. If they differ, it means something has
@@ -264,13 +274,14 @@ sync() {
 
 # monitor_cni_config starts a watch on the host's CNI config directory
 monitor_cni_config() {
-  inotifywait -m "${HOST_CNI_NET}" -e create,moved_to,modify |
+  inotifywait -m "${HOST_CNI_NET}" -e create,delete,moved_to,modify |
     while read -r directory action filename; do
       if [[ "$filename" =~ .*.(conflist|conf)$ ]]; then 
         log "Detected change in $directory: $action $filename"
         sync "$filename" "$action" "$cni_conf_sha"
-        # calculate file SHA to use in the next iteration
-        if [[ -e "$directory/$filename" ]]; then
+        # When file exists (i.e we didn't deal with a DELETE ev)
+        # then calculate its sha to be used the next turn.
+        if [[ -e "$directory/$filename" && "$action" != 'DELETE' ]]; then
           cni_conf_sha="$(sha256sum "$directory/$filename" | while read -r s _; do echo "$s"; done)"
         fi
       fi
@@ -284,7 +295,7 @@ monitor_cni_config() {
 # only reacting to direct creation of a "token" file, or creation of
 # directories containing a "token" file.
 monitor_service_account_token() {
-    inotifywait -m "${SERVICEACCOUNT_PATH}" -e create |
+    inotifywait -m "${SERVICE_ACCOUNT_PATH}" -e create |
       while read -r directory _ filename; do
         target=$(realpath "$directory/$filename")
         if [[ (-f "$target" && "${target##*/}" == "token") || (-d "$target" && -e "$target/token") ]]; then
