Stop filling in token/CA in the Submariner CR
This ensures we rely only on the secret containing the broker access
token.

Fixes: #1869
Signed-off-by: Stephen Kitt <[email protected]>
skitt authored and tpantelis committed Aug 2, 2023
1 parent de5762b commit 3e2c058
Showing 4 changed files with 0 additions and 9 deletions.
2 changes: 0 additions & 2 deletions controllers/servicediscovery/servicediscovery_controller.go
Expand Up @@ -246,9 +246,7 @@ func newLighthouseAgent(cr *submarinerv1alpha1.ServiceDiscovery, name string) *a
{Name: "SUBMARINER_DEBUG", Value: strconv.FormatBool(cr.Spec.Debug)},
{Name: "SUBMARINER_GLOBALNET_ENABLED", Value: strconv.FormatBool(cr.Spec.GlobalnetEnabled)},
{Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer},
{Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken},
{Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace},
{Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA},
{Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)},
{Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret},
},
2 changes: 0 additions & 2 deletions controllers/submariner/gateway_resources.go
Expand Up @@ -190,9 +190,7 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
{Name: "SUBMARINER_BROKER", Value: cr.Spec.Broker},
{Name: "SUBMARINER_CABLEDRIVER", Value: cr.Spec.CableDriver},
{Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer},
{Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken},
{Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace},
{Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA},
{Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)},
{Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret},
{Name: "CE_IPSEC_PSK", Value: cr.Spec.CeIPSecPSK},
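Review bot: The last line shown in this hunk, `{Name: "CE_IPSEC_PSK", Value: cr.Spec.CeIPSecPSK}`, still copies a pre-shared key from the CR spec into a literal env value on the gateway pod template, which is the same kind of exposure this commit removes for the broker token and CA. Anyone with read access to the Submariner CR or to the resulting DaemonSet/pod spec can read that value. If the PSK is (or can be) stored in a Secret, a follow-up could source the variable through `ValueFrom` with a `SecretKeyRef` instead of `Value`. newGatewayPodTemplate starts and ends outside the hunk, so this may already be handled elsewhere in the function.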
2 changes: 0 additions & 2 deletions controllers/submariner/submariner_suite_test.go
Expand Up @@ -171,8 +171,6 @@ func (t *testDriver) assertGatewayDaemonSetEnv(submariner *v1alpha1.Submariner,
Expect(envMap).To(HaveKeyWithValue("CE_IPSEC_NATTPORT", strconv.Itoa(submariner.Spec.CeIPSecNATTPort)))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("RemoteNamespace"), submariner.Spec.BrokerK8sRemoteNamespace))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("ApiServer"), submariner.Spec.BrokerK8sApiServer))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("ApiServerToken"), submariner.Spec.BrokerK8sApiServerToken))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("CA"), submariner.Spec.BrokerK8sCA))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("Insecure"), strconv.FormatBool(submariner.Spec.BrokerK8sInsecure)))
Expect(envMap).To(HaveKeyWithValue(broker.EnvironmentVariable("Secret"), submariner.Spec.BrokerK8sSecret))
Expect(envMap).To(HaveKeyWithValue("SUBMARINER_BROKER", submariner.Spec.Broker))
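Review bot: Once the two positive assertions for the token and CA are dropped, nothing visible in assertGatewayDaemonSetEnv fails if those credentials are reintroduced into the gateway pod environment later. Negative checks would pin the intent of the commit as a regression guard: `Expect(envMap).NotTo(HaveKey(broker.EnvironmentVariable("ApiServerToken")))` and `Expect(envMap).NotTo(HaveKey(broker.EnvironmentVariable("CA")))`. The function body extends beyond this hunk, so confirm no such check already exists further down.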
3 changes: 0 additions & 3 deletions scripts/test/system.sh
Expand Up @@ -195,7 +195,6 @@ function verify_subm_cr() {
validate_equals '.spec.brokerK8sApiServer' "$SUBMARINER_BROKER_URL"
# TODO: every cluster must have it's own token / SA (not working when using bundle/acm)
# validate_not_equals '.spec.brokerK8sApiServerToken' $SUBMARINER_BROKER_TOKEN
validate_equals '.spec.brokerK8sCA' "$SUBMARINER_BROKER_CA"
validate_equals '.spec.brokerK8sRemoteNamespace' "$SUBMARINER_BROKER_NS"
validate_equals '.spec.ceIPSecDebug' "$ce_ipsec_debug"
validate_equals '.spec.ceIPSecNATTPort' "$ce_ipsec_nattport"
Expand Down Expand Up @@ -272,7 +271,6 @@ function verify_subm_gateway_pod() {
validate_pod_container_env 'SUBMARINER_NATENABLED' "$natEnabled"
validate_pod_container_env 'BROKER_K8S_APISERVER' "$SUBMARINER_BROKER_URL"
validate_pod_container_env 'BROKER_K8S_REMOTENAMESPACE' "$SUBMARINER_BROKER_NS"
validate_pod_container_env 'BROKER_K8S_CA' "$SUBMARINER_BROKER_CA"
validate_pod_container_env 'CE_IPSEC_DEBUG' "$ce_ipsec_debug"
validate_pod_container_env 'CE_IPSEC_NATTPORT' "$ce_ipsec_nattport"

Expand Down Expand Up @@ -352,7 +350,6 @@ function verify_subm_gateway_container() {
# Verify SubM Gateway pod environment variables
grep "BROKER_K8S_APISERVER=$SUBMARINER_BROKER_URL" "$env_file"
grep "SUBMARINER_NAMESPACE=$subm_ns" "$env_file"
grep "BROKER_K8S_CA=$SUBMARINER_BROKER_CA" "$env_file"
grep "CE_IPSEC_DEBUG=$ce_ipsec_debug" "$env_file"
grep "SUBMARINER_DEBUG=$subm_debug" "$env_file"
grep "BROKER_K8S_REMOTENAMESPACE=$SUBMARINER_BROKER_NS" "$env_file"
