OCPBUGS-63443: Fix whereabouts-token-watcher DaemonSet improvements

[pliurh]

This commit introduces several improvements to the whereabouts-token-watcher DaemonSet:

• Corrects a typo in the description.
• Adds logging helper functions for better script output.
• Ensures the service account token is read dynamically during kubeconfig generation.
• Fixes the logical grouping in the CA file change detection condition.
• Increases the kubeconfig regeneration check interval to 60 seconds.
• Mounts the host's CNI network directory for proper CNI configuration management.

[coderabbitai]

Walkthrough

Modifies the whereabouts-token-watcher DaemonSet in the Multus network manifest to add hostNetwork, introduce logging helpers, change token sourcing to read from SERVICE_ACCOUNT_TOKEN_PATH, extend the watch loop sleep interval to 60s, mount the cni-net-dir hostPath at /host/etc/cni/net.d, and update kubeconfig generation and token hash logic accordingly.

Changes

Cohort / File(s)

Summary

Whereabouts Token Watcher Configuration bindata/network/multus/multus.yaml

Adds hostNetwork: true to the DaemonSet; adds logging helper functions (log, warn, error) in the startup script; switches token handling to read from SERVICE_ACCOUNT_TOKEN_PATH and initializes WHEREABOUTS_KUBECONFIG; updates kubeconfig generation to use $(cat $SERVICE_ACCOUNT_TOKEN_PATH); changes get_token_md5sum to compute MD5 from the token path; extends watch loop sleep from 1s to 60s and adjusts TLS/CA conditions; mounts cni-net-dir hostPath (using SystemCNIConfDir) at /host/etc/cni/net.d and injects the corresponding volume; updates environment setup and startup log messages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify token sourcing and refresh handling around SERVICE_ACCOUNT_TOKEN_PATH.
• Check hostPath volume mount (cni-net-dir) path, permissions, and whether it requires SELinux/context adjustments.
• Validate the watch loop change (1s → 60s) against expected token/CA update cadence.
• Review kubeconfig generation and MD5 computation changes for shell quoting and edge cases.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 72667e4 and 1e4bacb.

📒 Files selected for processing (1)

• bindata/network/multus/multus.yaml (7 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/multus/multus.yaml

🔇 Additional comments (5)

bindata/network/multus/multus.yaml (5)

975-979: Logging helper functions are well-structured.

The functions correctly redirect warnings and errors to stderr while keeping informational logs on stdout. They are used consistently throughout the script (lines 991, 994, 1037, 1057, 1064). The date format (-Iseconds) aligns with the whereabouts-cni container (line 592).

---

984-984: Past critical issue resolved: safe default for CNI_CONF_DIR now in place.

Line 984 now uses POSIX parameter expansion ${CNI_CONF_DIR:-/host/etc/cni/net.d} to provide a defensible fallback. Combined with set -u on line 973, this prevents script failure if the environment variable is unset. This directly addresses the prior review's critical finding.

The token sourcing has been correctly shifted to dynamic file reads at lines 1026 and 1043 ($(cat $SERVICE_ACCOUNT_TOKEN_PATH) and md5sum "$SERVICE_ACCOUNT_TOKEN_PATH"). This ensures the kubeconfig is regenerated with current token state rather than a stale embedded value.

Also applies to: 1026-1026, 1043-1043

---

1063-1063: Condition logic correctly groups TLS verification check.

The parentheses now explicitly constrain the CA file change detection to only trigger when SKIP_TLS_VERIFY != "true". The logic is sound: regenerate on service account change (always) or on CA change (only if TLS verification is active). This is an improvement over the implied grouping.

---

984-984: Verify path consistency and template variable usage.

The hardcoded default at line 984 (/host/etc/cni/net.d) matches the environment variable set at line 1091 and the volume mount target at line 1081. However, the volume definition at line 1100 uses the template placeholder {{ .SystemCNIConfDir }}, while the script default hardcodes the path. The whereabouts-cni container (line 570) uses the template variable inside its default expansion for consistency.

Confirm that the hardcoded default remains stable across all deployment scenarios, or align with the template-variable pattern used in other containers.

Also applies to: 1090-1091, 1098-1101

---

957-957: Infrastructure improvements: network access, reduced polling, and volume mount.

• hostNetwork: true (line 957) correctly grants host network access, necessary for CNI operations.
• Sleep interval increased to 60s (line 1070) reduces polling overhead while maintaining reasonable change detection latency.
• Volume mount for cni-net-dir (lines 1081–1082) aligns with the kubeconfig path construction and provides the container proper access to write the kubeconfig file.

Also applies to: 1070-1070, 1081-1082

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pliurh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pliurh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pliurh: This pull request references Jira Issue OCPBUGS-63443, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This commit introduces several improvements to the whereabouts-token-watcher DaemonSet:

• Corrects a typo in the description.
• Adds logging helper functions for better script output.
• Ensures the service account token is read dynamically during kubeconfig generation.
• Fixes the logical grouping in the CA file change detection condition.
• Increases the kubeconfig regeneration check interval to 60 seconds.
• Mounts the host's CNI network directory for proper CNI configuration management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pliurh]

/jira refresh

[openshift-ci-robot]

@pliurh: This pull request references Jira Issue OCPBUGS-63443, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between fda7a9f and 72667e4.

📒 Files selected for processing (1)

• bindata/network/multus/multus.yaml (7 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• bindata/network/multus/multus.yaml

🔇 Additional comments (1)

bindata/network/multus/multus.yaml (1)

1081-1082: Volume mount and hostPath volume are properly configured.

The addition of the cni-net-dir volume and its corresponding mount point allow the whereabouts-token-watcher to write regenerated kubeconfig files to the host's CNI directory. This is consistent with the manifest's patterns and necessary for the token-watcher's role.

Also applies to: 1098-1101

[yingwang-0320]

/verified by pre-merge testing

[openshift-ci-robot]

@yingwang-0320: This PR has been marked as verified by pre-merge testing.

In response to this:

/verified by pre-merge testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@pliurh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-windows	1e4bacb	link	true	/test e2e-aws-ovn-windows
ci/prow/security	1e4bacb	link	false	/test security
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	1e4bacb	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp	1e4bacb	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp
ci/prow/hypershift-e2e-aks	1e4bacb	link	true	/test hypershift-e2e-aks
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	1e4bacb	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.