From e74ac4c941bb45428406509d711f600f3af7bf7b Mon Sep 17 00:00:00 2001 From: Stephen Kitt Date: Thu, 16 Dec 2021 12:37:29 +0100 Subject: [PATCH] Stop filling in token/CA in the Submariner CR This ensures we rely only on the secret containing the broker access token. Fixes: #1869 Signed-off-by: Stephen Kitt --- controllers/servicediscovery/servicediscovery_controller.go | 2 -- controllers/submariner/gateway_resources.go | 2 -- scripts/kind-e2e/lib_operator_verify_subm.sh | 3 --- 3 files changed, 7 deletions(-) diff --git a/controllers/servicediscovery/servicediscovery_controller.go b/controllers/servicediscovery/servicediscovery_controller.go index edfed7aa61..81c25d2eb3 100644 --- a/controllers/servicediscovery/servicediscovery_controller.go +++ b/controllers/servicediscovery/servicediscovery_controller.go @@ -263,9 +263,7 @@ func newLighthouseAgent(cr *submarinerv1alpha1.ServiceDiscovery, name string) *a {Name: "SUBMARINER_DEBUG", Value: strconv.FormatBool(cr.Spec.Debug)}, {Name: "SUBMARINER_GLOBALNET_ENABLED", Value: strconv.FormatBool(cr.Spec.GlobalnetEnabled)}, {Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer}, - {Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken}, {Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace}, - {Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA}, {Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)}, {Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret}, }, diff --git a/controllers/submariner/gateway_resources.go b/controllers/submariner/gateway_resources.go index b89aea3d33..d716f97d43 100644 --- a/controllers/submariner/gateway_resources.go +++ b/controllers/submariner/gateway_resources.go @@ -189,9 +189,7 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe {Name: "SUBMARINER_BROKER", Value: cr.Spec.Broker}, {Name: "SUBMARINER_CABLEDRIVER", Value: cr.Spec.CableDriver}, {Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer}, - {Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken}, {Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace}, - {Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA}, {Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)}, {Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret}, {Name: "CE_IPSEC_PSK", Value: cr.Spec.CeIPSecPSK}, diff --git a/scripts/kind-e2e/lib_operator_verify_subm.sh b/scripts/kind-e2e/lib_operator_verify_subm.sh index 55ff53d6cc..314714c695 100644 --- a/scripts/kind-e2e/lib_operator_verify_subm.sh +++ b/scripts/kind-e2e/lib_operator_verify_subm.sh @@ -197,7 +197,6 @@ function verify_subm_cr() { validate_equals '.spec.brokerK8sApiServer' $SUBMARINER_BROKER_URL # TODO: every cluster must have it's own token / SA (not working when using bundle/acm) # validate_not_equals '.spec.brokerK8sApiServerToken' $SUBMARINER_BROKER_TOKEN - validate_equals '.spec.brokerK8sCA' $SUBMARINER_BROKER_CA validate_equals '.spec.brokerK8sRemoteNamespace' $SUBMARINER_BROKER_NS validate_equals '.spec.ceIPSecDebug' $ce_ipsec_debug validate_equals '.spec.ceIPSecNATTPort' $ce_ipsec_nattport @@ -270,7 +269,6 @@ function verify_subm_gateway_pod() { validate_pod_container_env 'SUBMARINER_BROKER' $subm_broker validate_pod_container_env 'BROKER_K8S_APISERVER' $SUBMARINER_BROKER_URL validate_pod_container_env 'BROKER_K8S_REMOTENAMESPACE' $SUBMARINER_BROKER_NS - validate_pod_container_env 'BROKER_K8S_CA' $SUBMARINER_BROKER_CA validate_pod_container_env 'CE_IPSEC_DEBUG' $ce_ipsec_debug validate_pod_container_env 'CE_IPSEC_NATTPORT' $ce_ipsec_nattport @@ -364,7 +362,6 @@ function verify_subm_gateway_container() { grep "BROKER_K8S_APISERVER=$SUBMARINER_BROKER_URL" $env_file grep "SUBMARINER_NAMESPACE=$subm_ns" $env_file grep "SUBMARINER_BROKER=$subm_broker" $env_file - grep "BROKER_K8S_CA=$SUBMARINER_BROKER_CA" $env_file grep "CE_IPSEC_DEBUG=$ce_ipsec_debug" $env_file grep "SUBMARINER_DEBUG=$subm_debug" $env_file grep "BROKER_K8S_REMOTENAMESPACE=$SUBMARINER_BROKER_NS" $env_file