Expired service account projected token #6988

@anasinnyk

Description

Description:
Envoy bootstrap configuration should automatically re-read the service account token file when the token is renewed.
Currently, once the token expires, Envoy continues using the old one and cannot recover without manual intervention.

Repro steps:

  1. Deploy Envoy Gateway in GatewayNamespace mode.
  2. Run any gateway instance.
  3. Wait ~1 hour until the service account token expires.
  4. Delete the Envoy Gateway controller Pod(s).
  5. Observe that the Envoy proxy fails to reconnect to the control plane. The logs contain:
    the token is not a service account
    (from tokenreview.go#L49)

At this point, Envoy is still using the expired token.
Instead of surfacing the correct error, the implementation ignores the error section of the response, and the token response contains a nil value in the Groups field.

Note:
A possible solution is to configure Envoy to watch the token file and reload it automatically, e.g. by using:

watched_directory:
  path: /var/run/secrets/token

(as referenced here)

Environment:
v1.5.0
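The behaviour the report asks for, as an added example in Go that is not Envoy Gateway's or Envoy's own code: a token source that serves a projected service account token from disk, re-reads the file whenever kubelet has rotated it or the cached token is within a safety margin of its `exp` claim, and returns an error instead of handing out a token the API server will reject. Envoy's `watched_directory` is the bootstrap-level counterpart of this; the example shows what any client of a projected token has to do. The token path, the 5-minute skew, the service account name and the token contents are constructed for illustration, and `fakeJWT` produces unsigned stand-ins only so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// tokenExpiry extracts the exp claim from a JWT without verifying the
// signature. The token holder only needs to know when the API server will
// stop accepting the token; verifying it is the server's job (TokenReview).
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a JWT: want header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parse JWT claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("JWT has no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// FileTokenSource serves a projected service account token from disk and
// re-reads the file whenever kubelet has rotated it or the cached token is
// within skew of expiry. Reading the file once at startup is the failure
// mode described above: the process keeps presenting an expired token.
type FileTokenSource struct {
	path string
	skew time.Duration
	now  func() time.Time // injectable clock, so tests can move time

	mu      sync.Mutex
	token   string
	expiry  time.Time
	modTime time.Time
}

func NewFileTokenSource(path string, skew time.Duration) *FileTokenSource {
	return &FileTokenSource{path: path, skew: skew, now: time.Now}
}

// Token returns a token valid for at least skew more, or an error if the
// file still holds an expired token that kubelet has not replaced yet.
func (s *FileTokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()

	fi, err := os.Stat(s.path) // follows kubelet's ..data symlink swap
	if err != nil {
		return "", err
	}
	unchanged := s.token != "" && fi.ModTime().Equal(s.modTime)
	if unchanged && s.now().Add(s.skew).Before(s.expiry) {
		return s.token, nil // cached token is still good; no disk read
	}
	raw, err := os.ReadFile(s.path)
	if err != nil {
		return "", err
	}
	tok := strings.TrimSpace(string(raw))
	exp, err := tokenExpiry(tok)
	if err != nil {
		return "", err
	}
	if !s.now().Add(s.skew).Before(exp) {
		return "", fmt.Errorf("token in %s expires at %s and has not been rotated",
			s.path, exp.UTC().Format(time.RFC3339))
	}
	s.token, s.expiry, s.modTime = tok, exp, fi.ModTime()
	return tok, nil
}

// fakeJWT builds a constructed, unsigned stand-in for a projected token so
// the example runs offline. Real tokens are signed by the API server.
func fakeJWT(exp time.Time) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims := enc(map[string]any{
		"iss": "https://kubernetes.default.svc.cluster.local",
		"sub": "system:serviceaccount:envoy-gateway-system:envoy", // hypothetical name
		"exp": exp.Unix(),
	})
	return header + "." + claims + ".c2lnbmF0dXJl" // base64url("signature"), not a real one
}

func main() {
	dir, err := os.MkdirTemp("", "sa-token")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "token") // stands in for /var/run/secrets/token
	if err := os.WriteFile(path, []byte(fakeJWT(time.Now().Add(time.Hour))), 0o600); err != nil {
		fmt.Println("error:", err)
		return
	}
	tok, err := NewFileTokenSource(path, 5*time.Minute).Token()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	exp, _ := tokenExpiry(tok)
	fmt.Println("loaded token expiring at", exp.UTC().Format(time.RFC3339))
}
```

The skew matters for the repro above: kubelet rotates a projected token well before `exp`, so a client that refuses tokens inside the margin will pick up the new file on the next call rather than presenting the old one until a reconnect fails.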
