Stop filling in token/CA in the Submariner CR

This ensures we rely only on the secret containing the broker access token. Fixes: submariner-io#1869 Signed-off-by: Stephen Kitt <[email protected]>
skitt · Jun 16, 2022 · 0566a31 · 0566a31
1 parent 15ffc39
commit 0566a31
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 7 deletions.
diff --git a/controllers/servicediscovery/servicediscovery_controller.go b/controllers/servicediscovery/servicediscovery_controller.go
@@ -262,9 +262,7 @@ func newLighthouseAgent(cr *submarinerv1alpha1.ServiceDiscovery, name string) *a
 								{Name: "SUBMARINER_DEBUG", Value: strconv.FormatBool(cr.Spec.Debug)},
 								{Name: "SUBMARINER_GLOBALNET_ENABLED", Value: strconv.FormatBool(cr.Spec.GlobalnetEnabled)},
 								{Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer},
-								{Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken},
 								{Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace},
-								{Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA},
 								{Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)},
 								{Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret},
 							},

diff --git a/controllers/submariner/gateway_resources.go b/controllers/submariner/gateway_resources.go
@@ -188,9 +188,7 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 						{Name: "SUBMARINER_BROKER", Value: cr.Spec.Broker},
 						{Name: "SUBMARINER_CABLEDRIVER", Value: cr.Spec.CableDriver},
 						{Name: broker.EnvironmentVariable("ApiServer"), Value: cr.Spec.BrokerK8sApiServer},
-						{Name: broker.EnvironmentVariable("ApiServerToken"), Value: cr.Spec.BrokerK8sApiServerToken},
 						{Name: broker.EnvironmentVariable("RemoteNamespace"), Value: cr.Spec.BrokerK8sRemoteNamespace},
-						{Name: broker.EnvironmentVariable("CA"), Value: cr.Spec.BrokerK8sCA},
 						{Name: broker.EnvironmentVariable("Insecure"), Value: strconv.FormatBool(cr.Spec.BrokerK8sInsecure)},
 						{Name: broker.EnvironmentVariable("Secret"), Value: cr.Spec.BrokerK8sSecret},
 						{Name: "CE_IPSEC_PSK", Value: cr.Spec.CeIPSecPSK},

diff --git a/scripts/kind-e2e/lib_operator_verify_subm.sh b/scripts/kind-e2e/lib_operator_verify_subm.sh
@@ -197,7 +197,6 @@ function verify_subm_cr() {
   validate_equals '.spec.brokerK8sApiServer' $SUBMARINER_BROKER_URL
   # TODO: every cluster must have it's own token / SA (not working when using bundle/acm)
   # validate_not_equals '.spec.brokerK8sApiServerToken' $SUBMARINER_BROKER_TOKEN
-  validate_equals '.spec.brokerK8sCA' $SUBMARINER_BROKER_CA
   validate_equals '.spec.brokerK8sRemoteNamespace' $SUBMARINER_BROKER_NS
   validate_equals '.spec.ceIPSecDebug' $ce_ipsec_debug
   validate_equals '.spec.ceIPSecNATTPort' $ce_ipsec_nattport
@@ -270,7 +269,6 @@ function verify_subm_gateway_pod() {
   validate_pod_container_env 'SUBMARINER_BROKER' $subm_broker
   validate_pod_container_env 'BROKER_K8S_APISERVER' $SUBMARINER_BROKER_URL
   validate_pod_container_env 'BROKER_K8S_REMOTENAMESPACE' $SUBMARINER_BROKER_NS
-  validate_pod_container_env 'BROKER_K8S_CA' $SUBMARINER_BROKER_CA
   validate_pod_container_env 'CE_IPSEC_DEBUG' $ce_ipsec_debug
   validate_pod_container_env 'CE_IPSEC_NATTPORT' $ce_ipsec_nattport
 
@@ -364,7 +362,6 @@ function verify_subm_gateway_container() {
   grep "BROKER_K8S_APISERVER=$SUBMARINER_BROKER_URL" $env_file
   grep "SUBMARINER_NAMESPACE=$subm_ns" $env_file
   grep "SUBMARINER_BROKER=$subm_broker" $env_file
-  grep "BROKER_K8S_CA=$SUBMARINER_BROKER_CA" $env_file
   grep "CE_IPSEC_DEBUG=$ce_ipsec_debug" $env_file
   grep "SUBMARINER_DEBUG=$subm_debug" $env_file
   grep "BROKER_K8S_REMOTENAMESPACE=$SUBMARINER_BROKER_NS" $env_file