node: refresh CNI kubeconfig promptly on SA token rotation

[skoryk-oleksandr]

Summary

Fixes a multi-hour blind spot in cni-config-monitor where an externally-invalidated CNI kubeconfig token goes undetected between scheduled refreshes, leading to plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized until a calico-node pod restart.

What this changes

TokenRefresher.Run now installs an fsnotify watcher on the directory containing the pod's projected ServiceAccount token. When kubelet rotates that token, the refresh loop wakes up immediately, mints a fresh token via TokenRequest, and rewrites /etc/cni/net.d/calico-kubeconfig. If watcher setup fails the refresher falls back to the original timer-only behaviour. Both Events and Errors channels are drained per fsnotify's contract.

Why now

The TokenRefresher.Run loop sleeps for (tokenExp - now) / 4 + up to 100% jitter between refreshes. With the default 24h token validity that is 6-12 hours. During that sleep there is no mechanism that notices a token has become invalid externally. The two common triggers in practice are:

• ServiceAccount signing-key rotation (reproduced on kind; the failure is immediate and persistent until calico-node restarts).
• Any event that makes kubelet re-project the SA token before the scheduled refresh — picking it up promptly keeps the CNI kubeconfig as fresh as possible.

End-to-end verification on a kind cluster

Brought up a kind cluster running this branch and ran through the scenario the fix targets.

Fix activation confirmed — on pod startup, calico-node logs show the fsnotify watcher is installed:

[INFO] node-services/token_watch.go: Watching service account token directory for rotation

fsnotify fast-path demonstration — triggered a projected-token change in the watched directory on a healthy cluster:

	Before	After
CNI token jti	59030a44-…	45043310-… (new token)
CNI kubeconfig mtime	20:56:07	21:01:47
Latency trigger → new kubeconfig written		~30 ms

Log line, verbatim:

[INFO] node-services/token_watch.go: Projected service account token changed; refreshing CNI kubeconfig immediately

Same trigger on master (without this branch) produced no response — no log, no kubeconfig rewrite, no token change. That's the blind spot the fix closes.

Underlying bug reproduction — also reproduced the original failure end-to-end on the kind cluster by regenerating the SA signing key and restarting the apiserver. Pod creation fails with the exact error from the original report:

Failed to create pod sandbox: ... plugin type="calico" failed (add):
  error getting ClusterInformation: connection is unauthorized: Unauthorized

Honest scope

This is a necessary-but-not-sufficient fix. On its own it changes worst-case automatic recovery from "up to 6-12 hours (or manual pod restart)" to "at most one kubelet projection cycle". With default Kubernetes settings the projected SA token lifetime is ~1 hour and kubelet refreshes at 80 % of that, so the practical upper bound after this fix is ~48 minutes (average ~24 minutes, best case seconds).

That is still slow for time-sensitive workloads. Operators who need a tighter bound should additionally:

• Shorten the projected SA token's expirationSeconds on the calico-node DaemonSet (e.g. 600s → refresh at ~8 minutes). That change belongs in the operator/Helm chart, not here.
• Optionally add a health check that fails liveness after N minutes of UpdateToken errors so kubelet restarts the pod. Not included in this PR.

What this fix does NOT do:

• Eliminate transient Unauthorized errors when the SA signing key rotates. Every workload holding a projected SA token sees 401s until kubelet re-projects.
• Speed up kubelet's projected-token refresh cadence. That is controlled by the pod spec's expirationSeconds, set by the operator.

Tests

Added node/pkg/cni/token_watch_internal_test.go with:

• TestTokenRefresher_WakesUpOnTokenFileChange — configures a 24h token (normally 6-12h sleep), writes a file in the watched dir, asserts a second UpdateToken fires within 3s. Without the fsnotify fast path this would time out.
• TestTokenRefresher_FallsBackWhenWatcherSetupFails — verifies the graceful timer-only fallback when the watched directory doesn't exist.
• TestTokenRefresher_DegradesGracefullyWhenWatcherChannelCloses — uses an injected watcher factory returning a pre-closed channel, verifies the timer continues to drive refreshes.
• TestTokenRefresher_RecoversAfterTransientUpdateTokenError — first UpdateToken call fails, second succeeds; verifies the existing 5-10s retry path delivers a token after recovery.
• TestDrainEvents_IsNonBlockingAndDrainsBurst — exercises the drainEvents helper on both full and empty channels.

All pass under -race with -count=20 and stable under -count=50.

Release note:

calico/node now refreshes the CNI plugin's kubeconfig immediately when the pod's projected ServiceAccount token is rotated, closing a 6-12h window where an externally-invalidated token could cause CNI ADD to fail with "Unauthorized" until the calico-node pod was restarted.

[Copilot]

Pull request overview

This PR improves the reliability of Calico node’s CNI kubeconfig refresh loop by reacting promptly to projected ServiceAccount token rotations (instead of waiting hours for the next scheduled refresh) and by making kubeconfig updates atomic to avoid partial reads during concurrent CNI executions.

Changes:

• Add an fsnotify watch on the projected ServiceAccount token directory to wake the refresh loop immediately on token rotation.
• Switch kubeconfig writes to an atomic temp-file + fsync + rename flow.
• Add unit tests covering the atomic write behavior and the watcher-driven wake-up / fallback behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
node/pkg/cni/token_watch.go	Adds token-directory watching to accelerate refresh on SA token rotation; introduces atomic kubeconfig write helper.
node/pkg/cni/token_watch_internal_test.go	Adds unit tests for atomic writes and watcher/timer behavior in TokenRefresher.Run().