fix: let Windows Retina use the InClusterConfig (#1118)
# Description

As of [AKS 1.30](https://github.com/Azure/AKS/releases/tag/2024-06-09),
service account tokens refresh every ~1 hour when OIDC is enabled. They
were previously valid for a year.
[This setkubeconfigpath.ps1
script](https://github.com/Azure/azure-container-networking/blob/47b243c42fd16119a96ab6d06eb602ac2ce40e7d/npm/examples/windows/setkubeconfigpath.ps1)
was at some point necessary on Windows to create a valid kubeconfig for
Retina Windows. It copies the token from the token file to create a
custom kubeconfig from a template at startup and then we pass Retina
Windows that file via --kubeconfig.

The script runs at startup and never re-runs, so the token that exists
at Pod start is the token CNS will try to use forever. Yearly token
lifespans were long enough that no Retina Windows Pod was ever up long
enough to hit token expiration.

This becomes an issue with hourly token lifespans. An hour after Pod
start, the token becomes invalid and Retina Windows can no longer auth
to the API server. For PodSubnet clusters, this permanently prevents
Retina Windows from being able to scale the IPAM pool and provide more
Pod IPs.

Fix for CNS, which referenced:
Azure/azure-container-networking#3248

## Checklist

- [x] I have read the [contributing
documentation](https://retina.sh/docs/contributing).
- [x] I signed and signed-off the commits (`git commit -S -s ...`). See
[this
documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
on signing commits.
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more
information on how to contribute to this project.
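The failure mode the description above walks through, as an added example written for this page in Go. It is not Retina code and not client-go; it only imitates, with the standard library, what client-go does for `rest.Config.BearerTokenFile` once `--kubeconfig` is dropped and the in-cluster config is used. Everything in it is constructed for the demo: the API server is a local `httptest` handler that accepts exactly one token at a time, the two token strings are made up (real projected tokens are JWTs), a temp file under `os.TempDir()` stands in for `/var/run/secrets/kubernetes.io/serviceaccount/token`, and the file-backed source re-reads on every request where client-go caches the file for about a minute. `Simulate` returns the HTTP status each client saw before and after one rotation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"sync/atomic"
)

// TokenSource yields the bearer token to send on the next API request.
type TokenSource func() (string, error)

// StaticToken models the setkubeconfigpath.ps1 flow: the token copied at Pod start is reused forever.
func StaticToken(tok string) TokenSource {
	return func() (string, error) { return tok, nil }
}

// FileToken is a simplified model of client-go's BearerTokenFile handling (the in-cluster path):
// the projected token file is re-read, so a rotated token is picked up. client-go caches the
// value for about a minute; this illustration re-reads on every request.
func FileToken(path string) TokenSource {
	return func() (string, error) {
		b, err := os.ReadFile(path)
		if err != nil {
			return "", err
		}
		return strings.TrimSpace(string(b)), nil
	}
}

// bearerTransport sets "Authorization: Bearer <token>" on every request it sends.
type bearerTransport struct{ src TokenSource }

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.src()
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+tok)
	return http.DefaultTransport.RoundTrip(r)
}

// fakeAPIServer is a constructed stand-in for the API server: it accepts exactly one token,
// so storing a new value in current invalidates the old one, as an expired bound token is.
func fakeAPIServer(current *atomic.Value) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+current.Load().(string) {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// get performs one authenticated GET and returns the HTTP status (0 on transport error).
func get(src TokenSource, url string) int {
	resp, err := (&http.Client{Transport: bearerTransport{src}}).Get(url)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Simulate rotates the token once and returns [staticBefore, staticAfter, fileBefore, fileAfter].
func Simulate() ([4]int, error) {
	var out [4]int
	// Stands in for /var/run/secrets/kubernetes.io/serviceaccount/token (assumed writable temp path).
	tokenPath := filepath.Join(os.TempDir(), "retina-sa-token-demo")
	defer os.Remove(tokenPath)
	// Constructed sample tokens; real projected tokens are JWTs.
	const tok1, tok2 = "token-at-pod-start", "token-after-kubelet-refresh"
	if err := os.WriteFile(tokenPath, []byte(tok1+"\n"), 0o600); err != nil {
		return out, err
	}
	var current atomic.Value
	current.Store(tok1)
	srv := httptest.NewServer(fakeAPIServer(&current))
	defer srv.Close()
	url := srv.URL + "/api/v1/namespaces"
	static, file := StaticToken(tok1), FileToken(tokenPath) // startup-script copy vs. in-cluster file read
	out[0], out[2] = get(static, url), get(file, url)
	// An hour later: the kubelet rewrote the projected file and the API server stopped accepting tok1.
	if err := os.WriteFile(tokenPath, []byte(tok2+"\n"), 0o600); err != nil {
		return out, err
	}
	current.Store(tok2)
	out[1], out[3] = get(static, url), get(file, url)
	return out, nil
}

func main() {
	out, err := Simulate()
	fmt.Println("static kubeconfig token before/after:", out[0], out[1], "| in-cluster file before/after:", out[2], out[3], "| err:", err)
}
```

Run it with `go run .`: the static client, which is what the `setkubeconfigpath.ps1` kubeconfig amounts to, succeeds until the rotation and then gets 401 for the rest of the process lifetime, while the file-backed client keeps getting 200 because it picks up the rewritten token. That is why dropping `--kubeconfig ./kubeconfig` in favour of the in-cluster config addresses the hourly-expiry problem: the token is read from the projected volume when needed rather than copied once at Pod start.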
rayaisaiah authored Dec 12, 2024
1 parent 43bb4b6 commit eefcb42
Showing 2 changed files with 8 additions and 1 deletion.
Expand Up @@ -196,7 +196,11 @@ spec:
command:
- powershell.exe
- -command
{{- if semverCompare ">=1.28" .Capabilities.KubeVersion.GitVersion }}
- $env:CONTAINER_SANDBOX_MOUNT_POINT/controller.exe --config ./retina/config.yaml
{{- else }}
- .\setkubeconfigpath.ps1; ./controller.exe --config ./retina/config.yaml --kubeconfig ./kubeconfig
{{- end }}
readinessProbe:
httpGet:
path: /metrics
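Review bot: the `semverCompare ">=1.28" .Capabilities.KubeVersion.GitVersion` gate at the top of this hunk keys the fix on the Kubernetes minor version, while the description ties the hourly token lifetime to AKS 1.30 with OIDC enabled; nothing in the diff or the description says why 1.28 is the threshold, so add a template comment stating what the `$env:CONTAINER_SANDBOX_MOUNT_POINT` branch requires that older clusters lack. A second caveat with the same expression: Helm's `semverCompare` (Masterminds/semver) does not match a version carrying a pre-release suffix against a constraint without one, so a `GitVersion` such as `v1.28.3-<suffix>` falls into the `{{- else }}` branch and keeps the `setkubeconfigpath.ps1` path and its stale-token behaviour; comparing on `.Capabilities.KubeVersion.Major` and `.Minor` is more robust. Finally, what actually fixes the bug is that the new branch drops `--kubeconfig ./kubeconfig`, so the controller reads the projected token file itself instead of a copy made at startup; a one-line comment in the template saying so would stop the next maintainer from re-adding the flag.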
5 changes: 4 additions & 1 deletion windows/manifests/windows.yaml
Expand Up @@ -41,8 +41,11 @@ spec:
command:
- powershell.exe
- -command
{{- if semverCompare ">=1.28" .Capabilities.KubeVersion.GitVersion }}
- $env:CONTAINER_SANDBOX_MOUNT_POINT/controller.exe --config ./retina/config.yaml
{{- else }}
- .\setkubeconfigpath.ps1; ./controller.exe --config ./retina/config.yaml --kubeconfig ./kubeconfig
# .\setkubeconfigpath.ps1; Start-Sleep -s 1000
{{- end }}
securityContext:
privileged: true
volumeMounts:
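Review bot: the commented-out line `# .\setkubeconfigpath.ps1; Start-Sleep -s 1000` carried into the `{{- else }}` branch is leftover debugging; drop it rather than preserving it under the new conditional, since a `#` line inside a YAML `command:` list only confuses the next reader. Second, this file lives under `windows/manifests/`, not in a Helm `templates/` directory, yet the hunk introduces `{{- if semverCompare ">=1.28" .Capabilities.KubeVersion.GitVersion }}` / `{{- else }}` / `{{- end }}`; if anything applies it with `kubectl apply -f` rather than rendering it through Helm, those lines are passed through literally and the manifest is no longer valid YAML. Confirm how it is consumed and, if it is only ever rendered, say so in a header comment; if it is applied directly, keep a single hard-coded command here.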

0 comments on commit eefcb42