Commit 13af0b1d authored by Vladimir Kochnev's avatar Vladimir Kochnev Committed by Brad Davidson

Save agent token to /var/lib/rancher/k3s/server/agent-token

Having separate tokens for server and agent nodes is a nice feature. However, passing server's plain `K3S_AGENT_TOKEN` value to `k3s agent --token` without CA hash is insecure when CA is self-signed, and k3s warns about it in the logs: ``` Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation. ``` Okay so I need CA hash but where should I get it? This commit attempts to fix this issue by saving agent token value to `agent-token` file with CA hash appended. Signed-off-by: 's avatarVladimir Kochnev <hashtable@yandex.ru>
parent 4c0bc8c0
...@@ -314,14 +314,11 @@ func HomeKubeConfig(write, rootless bool) (string, error) { ...@@ -314,14 +314,11 @@ func HomeKubeConfig(write, rootless bool) (string, error) {
} }
func printTokens(config *config.Control) error { func printTokens(config *config.Control) error {
var ( var serverTokenFile string
nodeFile string if config.Runtime.ServerToken != "" {
) serverTokenFile = filepath.Join(config.DataDir, "token")
if len(config.Runtime.ServerToken) > 0 { if err := writeToken(config.Runtime.ServerToken, serverTokenFile, config.Runtime.ServerCA); err != nil {
p := filepath.Join(config.DataDir, "token") return err
if err := writeToken(config.Runtime.ServerToken, p, config.Runtime.ServerCA); err == nil {
logrus.Infof("Node token is available at %s", p)
nodeFile = p
} }
// backwards compatibility // backwards compatibility
...@@ -330,14 +327,43 @@ func printTokens(config *config.Control) error { ...@@ -330,14 +327,43 @@ func printTokens(config *config.Control) error {
if err := os.RemoveAll(np); err != nil { if err := os.RemoveAll(np); err != nil {
return err return err
} }
if err := os.Symlink(p, np); err != nil { if err := os.Symlink(serverTokenFile, np); err != nil {
return err return err
} }
} }
logrus.Infof("Server node token is available at %s", serverTokenFile)
printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join server node to cluster:", "server", "SERVER_NODE_TOKEN")
}
var agentTokenFile string
if config.Runtime.AgentToken != "" {
if config.AgentToken != "" {
agentTokenFile = filepath.Join(config.DataDir, "agent-token")
if isSymlink(agentTokenFile) {
if err := os.RemoveAll(agentTokenFile); err != nil {
return err
}
}
if err := writeToken(config.Runtime.AgentToken, agentTokenFile, config.Runtime.ServerCA); err != nil {
return err
}
} else if serverTokenFile != "" {
agentTokenFile = filepath.Join(config.DataDir, "agent-token")
if !isSymlink(agentTokenFile) {
if err := os.RemoveAll(agentTokenFile); err != nil {
return err
}
if err := os.Symlink(serverTokenFile, agentTokenFile); err != nil {
return err
}
}
}
} }
if len(nodeFile) > 0 { if agentTokenFile != "" {
printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join node to cluster:", "agent") logrus.Infof("Agent node token is available at %s", agentTokenFile)
printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join agent node to cluster:", "agent", "AGENT_NODE_TOKEN")
} }
return nil return nil
...@@ -424,8 +450,8 @@ func setupDataDirAndChdir(config *config.Control) error { ...@@ -424,8 +450,8 @@ func setupDataDirAndChdir(config *config.Control) error {
return nil return nil
} }
func printToken(httpsPort int, advertiseIP, prefix, cmd string) { func printToken(httpsPort int, advertiseIP, prefix, cmd, varName string) {
logrus.Infof("%s %s %s -s https://%s:%d -t ${NODE_TOKEN}", prefix, version.Program, cmd, advertiseIP, httpsPort) logrus.Infof("%s %s %s -s https://%s:%d -t ${%s}", prefix, version.Program, cmd, advertiseIP, httpsPort, varName)
} }
func writeToken(token, file, certs string) error { func writeToken(token, file, certs string) error {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment