Use await-node-ready command for init caontainers

...in gateway and route-agent daemonsets. Related to #3274 Signed-off-by: Tom Pantelis <[email protected]>
submariner-io · Dec 5, 2024 · 5bc5ac8 · 5bc5ac8
1 parent edbfda0
commit 5bc5ac8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 17 deletions.
diff --git a/controllers/submariner/gateway_resources.go b/controllers/submariner/gateway_resources.go
@@ -132,19 +132,6 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 		})
 	}
 
-	securityContext := &corev1.SecurityContext{
-		Capabilities: &corev1.Capabilities{
-			Add:  []corev1.Capability{"net_admin"},
-			Drop: []corev1.Capability{"all"},
-		},
-		// The gateway needs to be privileged so it can write to /proc/sys
-		AllowPrivilegeEscalation: ptr.To(true),
-		Privileged:               ptr.To(true),
-		RunAsNonRoot:             ptr.To(false),
-		// We need to be able to update /var/lib/alternatives (for iptables)
-		ReadOnlyRootFilesystem: ptr.To(false),
-	}
-
 	podTemplate := corev1.PodTemplateSpec{
 		ObjectMeta: metav1.ObjectMeta{
 			Labels: podSelectorLabels,
@@ -167,9 +154,8 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 					Name:            name + "-init",
 					Image:           getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
 					ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
-					SecurityContext: securityContext,
+					Command:         []string{"await-node-ready.sh"},
 					Env: httpproxy.AddEnvVars([]corev1.EnvVar{
-						{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
 						{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
 							FieldRef: &corev1.ObjectFieldSelector{
 								FieldPath: "spec.nodeName",
@@ -183,7 +169,18 @@ func newGatewayPodTemplate(cr *v1alpha1.Submariner, name string, podSelectorLabe
 					Name:            name,
 					Image:           getImagePath(cr, opnames.GatewayImage, names.GatewayComponent),
 					ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.GatewayComponent]),
-					SecurityContext: securityContext,
+					SecurityContext: &corev1.SecurityContext{
+						Capabilities: &corev1.Capabilities{
+							Add:  []corev1.Capability{"net_admin"},
+							Drop: []corev1.Capability{"all"},
+						},
+						// The gateway needs to be privileged so it can write to /proc/sys
+						AllowPrivilegeEscalation: ptr.To(true),
+						Privileged:               ptr.To(true),
+						RunAsNonRoot:             ptr.To(false),
+						// We need to be able to update /var/lib/alternatives (for iptables)
+						ReadOnlyRootFilesystem: ptr.To(false),
+					},
 					Ports: []corev1.ContainerPort{
 						{
 							Name:          encapsPortName,

diff --git a/controllers/submariner/route_agent_resources.go b/controllers/submariner/route_agent_resources.go
@@ -110,8 +110,8 @@ func newRouteAgentDaemonSet(cr *v1alpha1.Submariner, name string) *appsv1.Daemon
 							Name:            name + "-init",
 							Image:           getImagePath(cr, opnames.RouteAgentImage, names.RouteAgentComponent),
 							ImagePullPolicy: images.GetPullPolicy(cr.Spec.Version, cr.Spec.ImageOverrides[names.RouteAgentComponent]),
+							Command:         []string{"await-node-ready.sh"},
 							Env: httpproxy.AddEnvVars([]corev1.EnvVar{
-								{Name: "SUBMARINER_WAITFORNODE", Value: "true"},
 								{Name: "NODE_NAME", ValueFrom: &corev1.EnvVarSource{
 									FieldRef: &corev1.ObjectFieldSelector{
 										FieldPath: "spec.nodeName",