-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
token.go
117 lines (99 loc) · 4.14 KB
/
token.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controllers
import (
"context"
"time"
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
bootstrapapi "k8s.io/cluster-bootstrap/token/api"
bootstraputil "k8s.io/cluster-bootstrap/token/util"
"sigs.k8s.io/controller-runtime/pkg/client"
)
var (
// DefaultTokenTTL is the amount of time a bootstrap token (and therefore a KubeadmConfig) will be valid.
DefaultTokenTTL = 15 * time.Minute
)
// createToken attempts to create a token with the given ID.
func createToken(ctx context.Context, c client.Client) (string, error) {
token, err := bootstraputil.GenerateBootstrapToken()
if err != nil {
return "", errors.Wrap(err, "unable to generate bootstrap token")
}
substrs := bootstraputil.BootstrapTokenRegexp.FindStringSubmatch(token)
if len(substrs) != 3 {
return "", errors.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
}
tokenID := substrs[1]
tokenSecret := substrs[2]
secretName := bootstraputil.BootstrapTokenSecretName(tokenID)
secretToken := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: metav1.NamespaceSystem,
},
Type: bootstrapapi.SecretTypeBootstrapToken,
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenID),
bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
bootstrapapi.BootstrapTokenExpirationKey: []byte(time.Now().UTC().Add(DefaultTokenTTL).Format(time.RFC3339)),
bootstrapapi.BootstrapTokenUsageSigningKey: []byte("true"),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("system:bootstrappers:kubeadm:default-node-token"),
bootstrapapi.BootstrapTokenDescriptionKey: []byte("token generated by cluster-api-bootstrap-provider-kubeadm"),
},
}
if err = c.Create(ctx, secretToken); err != nil {
return "", err
}
return token, nil
}
// getToken fetches the token Secret and returns an error if it is invalid.
func getToken(ctx context.Context, c client.Client, token string) (*corev1.Secret, error) {
substrs := bootstraputil.BootstrapTokenRegexp.FindStringSubmatch(token)
if len(substrs) != 3 {
return nil, errors.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
}
tokenID := substrs[1]
secretName := bootstraputil.BootstrapTokenSecretName(tokenID)
secret := &corev1.Secret{}
if err := c.Get(ctx, client.ObjectKey{Name: secretName, Namespace: metav1.NamespaceSystem}, secret); err != nil {
return secret, err
}
if secret.Data == nil {
return nil, errors.Errorf("Invalid bootstrap secret %q, remove the token from the kubadm config to re-create", secretName)
}
return secret, nil
}
// refreshToken extends the TTL for an existing token.
func refreshToken(ctx context.Context, c client.Client, token string) error {
secret, err := getToken(ctx, c, token)
if err != nil {
return err
}
secret.Data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(time.Now().UTC().Add(DefaultTokenTTL).Format(time.RFC3339))
return c.Update(ctx, secret)
}
// shouldRotate returns true if an existing token is past half of its TTL and should to be rotated.
func shouldRotate(ctx context.Context, c client.Client, token string) (bool, error) {
secret, err := getToken(ctx, c, token)
if err != nil {
return false, err
}
expiration, err := time.Parse(time.RFC3339, string(secret.Data[bootstrapapi.BootstrapTokenExpirationKey]))
if err != nil {
return false, err
}
return expiration.Before(time.Now().UTC().Add(DefaultTokenTTL / 2)), nil
}