Update token lifetime and update variable once token rotated

Author: lubronzhan

script/install-cni.sh

@@ -17,6 +17,10 @@ source lib.sh
 
 # -------------------Generate a "kube-config"
 generateKubeConfig
+export LAST_SERVICEACCOUNT_MD5SUM="$(get_token_md5sum)"
+if ! [ "$SKIP_TLS_VERIFY" == "true" ]; then
+    export LAST_KUBE_CA_FILE_MD5SUM="$(get_ca_file_md5sum)"
+fi
 # ------------------ end Generate a "kube-config"
 
 # ----------------- Generate a whereabouts conf

script/lib.sh

@@ -107,3 +107,15 @@ function generateWhereaboutsConf {
 EOF
 
 }
+
+function get_token_md5sum {
+  md5sum "$SERVICE_ACCOUNT_TOKEN_PATH" | awk '{print $1}'
+}
+
+function get_ca_file_md5sum {
+  if [ ! -f "$KUBE_CA_FILE" ]; then
+    echo ""
+    return
+  fi
+  md5sum "$KUBE_CA_FILE" | awk '{print $1}'
+}

script/token-watcher.sh

@@ -9,11 +9,17 @@ echo "Sleep and Watching for service account token and CA file changes..."
 while true; do
   # Check the md5sum of the service account token and ca.
   svcaccountsum=$(md5sum $SERVICE_ACCOUNT_TOKEN_PATH | awk '{print $1}')
-  casum=$(md5sum $KUBE_CA_FILE | awk '{print $1}')
-  if [ "$svcaccountsum" != "$LAST_SERVICEACCOUNT_MD5SUM" ] || [ "$casum" != "$LAST_KUBE_CA_FILE_MD5SUM" ]; then
-    # log "Detected service account or CA file change, regenerating kubeconfig..."
+  if [ -f "$KUBE_CA_FILE" ]; then
+    casum=$(md5sum $KUBE_CA_FILE | awk '{print $1}')
+  fi
+  if [ "$svcaccountsum" != "$LAST_SERVICEACCOUNT_MD5SUM" ] || ! [ "$SKIP_TLS_VERIFY" == "true" ] && [ "$casum" != "$LAST_KUBE_CA_FILE_MD5SUM" ]; then
+    log "Detected service account or CA file change, regenerating kubeconfig..."
     generateKubeConfig
+    LAST_SERVICEACCOUNT_MD5SUM="$(get_token_md5sum)"
+    if [ -f "$KUBE_CA_FILE" ]; then
+      LAST_KUBE_CA_FILE_MD5SUM="$(get_ca_file_md5sum)"
+    fi
   fi
 
-  sleep 1h
+  sleep 1s
 done