🐛 refresh token for provisioning machines

Author: sethp-nr

controllers/kubeadmconfig_controller.go

@@ -100,12 +100,6 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 		return ctrl.Result{}, err
 	}
 
-	// bail super early if it's already ready
-	if config.Status.Ready {
-		log.Info("ignoring an already ready config")
-		return ctrl.Result{}, nil
-	}
-
 	// Look up the Machine that owns this KubeConfig if there is one
 	machine, err := util.GetOwnerMachine(ctx, r.Client, config.ObjectMeta)
 	if err != nil {
@@ -118,8 +112,14 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 	}
 	log = log.WithValues("machine-name", machine.Name)
 
-	// Ignore machines that already have bootstrap data
-	if machine.Spec.Bootstrap.Data != nil {
+	// bail super early if it's already ready
+	if config.Status.Ready && machine.Status.InfrastructureReady {
+		log.Info("ignoring config for an already ready machine")
+		return ctrl.Result{}, nil
+	}
+
+	// Ignore machines that already have bootstrap data we didn't generate
+	if machine.Spec.Bootstrap.Data != nil && !config.Status.Ready {
 		// TODO: mark the config as ready?
 		return ctrl.Result{}, nil
 	}
@@ -140,6 +140,23 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 		return ctrl.Result{}, err
 	}
 
+	// If we've already embedded a time-limited join token into a config, but are still waiting for the token to be used, refresh it
+	if config.Status.Ready {
+		token := config.Spec.JoinConfiguration.Discovery.BootstrapToken.Token
+
+		// gets the remote secret interface client for the current cluster
+		secretsClient, err := r.SecretsClientFactory.NewSecretsClient(r.Client, cluster)
+		if err != nil {
+			return ctrl.Result{}, err
+		}
+
+		err = refreshToken(secretsClient, token)
+		if err != nil {
+			// It would be nice to re-create the bootstrap token if the error was "not found", but we have no way to update the Machine's bootstrap data
+			return ctrl.Result{}, errors.Wrapf(err, "failed to refresh bootstrap token")
+		}
+	}
+
 	// Wait patiently for the infrastructure to be ready
 	if !cluster.Status.InfrastructureReady {
 		log.Info("Infrastructure is not ready, waiting until ready.")

controllers/token.go

@@ -30,8 +30,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const (
-	defaultTokenTTL = 10 * time.Minute
+var (
+	// DefaultTokenTTL is the amount of time a bootstrap token (and therefore a KubeadmConfig) will be valid
+	DefaultTokenTTL = 10 * time.Minute
 )
 
 // ClusterSecretsClientFactory support creation of secrets client for clusters
@@ -76,7 +77,7 @@ func createToken(client corev1.SecretInterface) (string, error) {
 		Data: map[string][]byte{
 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
 			bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
-			bootstrapapi.BootstrapTokenExpirationKey:       []byte(time.Now().UTC().Add(defaultTokenTTL).Format(time.RFC3339)),
+			bootstrapapi.BootstrapTokenExpirationKey:       []byte(time.Now().UTC().Add(DefaultTokenTTL).Format(time.RFC3339)),
 			bootstrapapi.BootstrapTokenUsageSigningKey:     []byte("true"),
 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
 			bootstrapapi.BootstrapTokenExtraGroupsKey:      []byte("system:bootstrappers:kubeadm:default-node-token"),
@@ -89,3 +90,26 @@ func createToken(client corev1.SecretInterface) (string, error) {
 	}
 	return token, nil
 }
+
+// refreshToken extends the TTL for an existing token
+func refreshToken(client corev1.SecretInterface, token string) error {
+	substrs := bootstraputil.BootstrapTokenRegexp.FindStringSubmatch(token)
+	if len(substrs) != 3 {
+		return errors.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
+	}
+	tokenID := substrs[1]
+
+	secretName := bootstraputil.BootstrapTokenSecretName(tokenID)
+	secret, err := client.Get(secretName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if secret.Data == nil {
+		return errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubadm config to re-create", secretName)
+	}
+	secret.Data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(time.Now().UTC().Add(DefaultTokenTTL).Format(time.RFC3339))
+
+	_, err = client.Update(secret)
+	return err
+}

main.go

@@ -73,8 +73,8 @@ func main() {
 	flag.DurationVar(
 		&syncPeriod,
 		"sync-period",
-		10*time.Minute,
-		"The minimum interval at which watched resources are reconciled (e.g. 10m)",
+		9*time.Minute,
+		"The minimum interval at which watched resources are reconciled (e.g. 9m)",
 	)
 
 	flag.StringVar(
@@ -88,6 +88,10 @@ func main() {
 
 	ctrl.SetLogger(klogr.New())
 
+	if controllers.DefaultTokenTTL-syncPeriod < 1*time.Minute {
+		setupLog.Info("warning: the sync interval is close to the configured token TTL, tokens may expire temporarily before being refreshed")
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,