Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Server Token Rotation #8265

Merged
merged 13 commits into from
Oct 9, 2023
Merged

Server Token Rotation #8265

merged 13 commits into from
Oct 9, 2023

Conversation

dereknola
Copy link
Member

@dereknola dereknola commented Aug 29, 2023

Proposed Changes

  • Adds a new subcommand k3s token rotate which enables a user to rotate the initial server token.
  • Expands existing E2E token test to include this new command
  • Compact CertCommand functions

Types of Changes

New Feature

Verification

Single node:

  • Start k3s with token 1234
  • if root, with access to /var/lib/rancher/k3s/server/token run: k3s token rotate --new-token=6789
  • if not root, or non access, run: k3s token rotate --token 1234 --new-token=6789
  • Restart k3s with new token 6789

HA:

  • Start k3s servers with token 1234
  • if root, with access to /var/lib/rancher/k3s/server/token run: k3s token rotate --new-token=6789
  • if not root, or non access, run: k3s token rotate --token 1234 --new-token=6789
  • Restart all k3s servers with new token 6789

Testing

New Testlets in E2E test

Linked Issues

#8264

User-Facing Change

Users can now rotate the server token using `k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>`. After command succeeds, all server nodes must be restarted with the new token.

Further Comments

@dereknola dereknola requested a review from a team as a code owner August 29, 2023 18:00
@codecov
Copy link

codecov bot commented Aug 29, 2023

Codecov Report

Attention: 139 lines in your changes are missing coverage. Please review.

Comparison is base (ced25af) 44.73% compared to head (a250c6a) 49.31%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8265      +/-   ##
==========================================
+ Coverage   44.73%   49.31%   +4.58%     
==========================================
  Files         140      141       +1     
  Lines       14738    14902     +164     
==========================================
+ Hits         6593     7349     +756     
+ Misses       7031     6333     -698     
- Partials     1114     1220     +106     
Flag Coverage Δ
e2etests 48.61% <32.27%> (?)
inttests 44.45% <27.97%> (-0.28%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
cmd/server/main.go 100.00% <100.00%> (ø)
pkg/cli/cmds/certs.go 100.00% <100.00%> (ø)
pkg/cli/cmds/token.go 100.00% <100.00%> (ø)
pkg/daemons/control/deps/deps.go 59.07% <ø> (+0.63%) ⬆️
pkg/server/router.go 53.10% <100.00%> (+4.09%) ⬆️
pkg/cli/token/token.go 0.00% <0.00%> (ø)
pkg/cluster/storage.go 36.90% <6.97%> (+1.40%) ⬆️
pkg/server/token.go 1.58% <1.58%> (ø)

... and 40 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dereknola dereknola changed the title [WIP] Server Token Rotation Server Token Rotation Aug 30, 2023
pkg/cli/token/token.go Outdated Show resolved Hide resolved
pkg/cli/token/token.go Outdated Show resolved Hide resolved
@cwayne18
Copy link
Member

cc @jakefhyde @Oats87 in case you want to look over

pkg/cli/token/token.go Show resolved Hide resolved
pkg/cli/token/token.go Show resolved Hide resolved
pkg/cluster/storage.go Outdated Show resolved Hide resolved
pkg/cluster/storage.go Outdated Show resolved Hide resolved
pkg/server/router.go Show resolved Hide resolved
pkg/server/token.go Outdated Show resolved Hide resolved
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
Signed-off-by: Derek Nola <[email protected]>
@dereknola dereknola merged commit dface01 into k3s-io:master Oct 9, 2023
15 checks passed
dereknola added a commit to dereknola/k3s that referenced this pull request Oct 9, 2023
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets

Signed-off-by: Derek Nola <[email protected]>

* Ensure agent token also changes

Signed-off-by: Derek Nola <[email protected]>
dereknola added a commit to dereknola/k3s that referenced this pull request Oct 9, 2023
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets

Signed-off-by: Derek Nola <[email protected]>

* Ensure agent token also changes

Signed-off-by: Derek Nola <[email protected]>
dereknola added a commit to dereknola/k3s that referenced this pull request Oct 9, 2023
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets

Signed-off-by: Derek Nola <[email protected]>

* Ensure agent token also changes

Signed-off-by: Derek Nola <[email protected]>
@DerRockWolf
Copy link

@dereknola is this feature complete and usable?
I'm asking because the docs still say, e.g.,:

This token cannot be changed once the cluster has been created.

All the location I found:

https://docs.k3s.io/cli/token#k3s-token-rotate is the only location that says that rotation is possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants