Merge pull request #5487 from twz123/controllerworker-without-join-token

Don't use join tokens to bootstrap embedded kubelet

Author: twz123

cmd/controller/controller.go

@@ -32,7 +32,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/avast/retry-go"
 	workercmd "github.com/k0sproject/k0s/cmd/worker"
 	"github.com/k0sproject/k0s/internal/pkg/dir"
 	"github.com/k0sproject/k0s/internal/pkg/file"
@@ -62,11 +61,14 @@ import (
 	"github.com/k0sproject/k0s/pkg/performance"
 	"github.com/k0sproject/k0s/pkg/telemetry"
 	"github.com/k0sproject/k0s/pkg/token"
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
+
 	"k8s.io/apimachinery/pkg/fields"
 	apitypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
+
+	"github.com/avast/retry-go"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
 )
 
 type command config.CLIOptions
@@ -636,7 +638,7 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions) er
 
 	if controllerMode.WorkloadsEnabled() {
 		perfTimer.Checkpoint("starting-worker")
-		if err := c.startWorker(ctx, nodeName, kubeletExtraArgs, flags, nodeConfig); err != nil {
+		if err := c.startWorker(ctx, nodeName, kubeletExtraArgs, flags); err != nil {
 			logrus.WithError(err).Error("Failed to start controller worker")
 		} else {
 			perfTimer.Checkpoint("started-worker")
@@ -655,48 +657,18 @@ func (c *command) start(ctx context.Context, flags *config.ControllerOptions) er
 	return nil
 }
 
-func (c *command) startWorker(ctx context.Context, nodeName apitypes.NodeName, kubeletExtraArgs stringmap.StringMap, opts *config.ControllerOptions, nodeConfig *v1beta1.ClusterConfig) error {
-	var bootstrapConfig string
-	if !file.Exists(c.K0sVars.KubeletAuthConfigPath) {
-		// wait for controller to start up
-		err := retry.Do(func() error {
-			if !file.Exists(c.K0sVars.AdminKubeConfigPath) {
-				return fmt.Errorf("file does not exist: %s", c.K0sVars.AdminKubeConfigPath)
-			}
-			return nil
-		}, retry.Context(ctx))
-		if err != nil {
-			return err
-		}
-
-		err = retry.Do(func() error {
-			// five minutes here are coming from maximum theoretical duration of kubelet bootstrap process
-			// we use retry.Do with 10 attempts, back-off delay and delay duration 500 ms which gives us
-			// 225 seconds here
-			tokenAge := time.Second * 225
-			cfg, err := token.CreateKubeletBootstrapToken(ctx, nodeConfig.Spec.API, c.K0sVars, token.RoleWorker, tokenAge)
-			if err != nil {
-				return err
-			}
-			bootstrapConfig = cfg
-			return nil
-		}, retry.Context(ctx))
-		if err != nil {
-			return err
-		}
-	}
+func (c *command) startWorker(ctx context.Context, nodeName apitypes.NodeName, kubeletExtraArgs stringmap.StringMap, opts *config.ControllerOptions) error {
 	// Cast and make a copy of the controller command so it can use the same
 	// opts to start the worker. Needs to be a copy so the original token and
 	// possibly other args won't get messed up.
 	wc := workercmd.Command(*(*config.CLIOptions)(c))
-	wc.TokenArg = bootstrapConfig
 	wc.Labels = append(wc.Labels, fields.OneTermEqualSelector(constant.K0SNodeRoleLabel, "control-plane").String())
 	if opts.Mode() == config.ControllerPlusWorkerMode && !opts.NoTaints {
 		key := path.Join(constant.NodeRoleLabelNamespace, "master")
 		taint := fields.OneTermEqualSelector(key, ":NoSchedule")
 		wc.Taints = append(wc.Taints, taint.String())
 	}
-	return wc.Start(ctx, nodeName, kubeletExtraArgs, (*embeddingController)(opts))
+	return wc.Start(ctx, nodeName, kubeletExtraArgs, kubernetes.KubeconfigFromFile(c.K0sVars.AdminKubeConfigPath), (*embeddingController)(opts))
 }
 
 type embeddingController config.ControllerOptions
@@ -748,10 +720,6 @@ func joinController(ctx context.Context, tokenArg string, certRootDir string) (*
 		return nil, fmt.Errorf("failed to create join client: %w", err)
 	}
 
-	if joinClient.JoinTokenType() != "controller-bootstrap" {
-		return nil, fmt.Errorf("wrong token type %s, expected type: controller-bootstrap", joinClient.JoinTokenType())
-	}
-
 	logrus.Info("Joining existing cluster via ", joinClient.Address())
 
 	var caData v1beta1.CaResponse

cmd/token/preshared.go

@@ -120,10 +120,10 @@ func createKubeConfig(tok *bootstraptokenv1.BootstrapTokenString, role, joinURL,
 
 	var userName string
 	switch role {
-	case "worker":
-		userName = "kubelet-bootstrap"
-	case "controller":
-		userName = "controller-bootstrap"
+	case token.RoleWorker:
+		userName = token.WorkerTokenAuthName
+	case token.RoleController:
+		userName = token.ControllerTokenAuthName
 	default:
 		return fmt.Errorf("unknown role: %s", role)
 	}

cmd/worker/worker.go

@@ -22,9 +22,11 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"runtime"
 	"syscall"
 
+	"github.com/k0sproject/k0s/internal/pkg/file"
 	"github.com/k0sproject/k0s/internal/pkg/flags"
 	internallog "github.com/k0sproject/k0s/internal/pkg/log"
 	"github.com/k0sproject/k0s/internal/pkg/stringmap"
@@ -39,8 +41,11 @@ import (
 	"github.com/k0sproject/k0s/pkg/config"
 	"github.com/k0sproject/k0s/pkg/kubernetes"
 	"github.com/k0sproject/k0s/pkg/node"
+	"github.com/k0sproject/k0s/pkg/token"
 
 	apitypes "k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -83,8 +88,9 @@ func NewWorkerCmd() *cobra.Command {
 				c.TokenArg = args[0]
 			}
 
-			if c.TokenArg != "" && c.TokenFile != "" {
-				return errors.New("you can only pass one token argument either as a CLI argument 'k0s worker [token]' or as a flag 'k0s worker --token-file [path]'")
+			getBootstrapKubeconfig, err := kubeconfigGetterFromJoinToken(c.TokenFile, c.TokenArg)
+			if err != nil {
+				return err
 			}
 
 			nodeName, kubeletExtraArgs, err := GetNodeName(&c.WorkerOptions)
@@ -104,7 +110,14 @@ func NewWorkerCmd() *cobra.Command {
 			ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
 			defer cancel()
 
-			return c.Start(ctx, nodeName, kubeletExtraArgs, nil)
+			// Check for legacy CA file (unused on worker-only nodes since 1.33)
+			if legacyCAFile := filepath.Join(c.K0sVars.CertRootDir, "ca.crt"); file.Exists(legacyCAFile) {
+				// Keep the file to allow interop between 1.32 and 1.33.
+				// TODO automatically delete this file in future releases.
+				logrus.Infof("The file %s is no longer used and can safely be deleted", legacyCAFile)
+			}
+
+			return c.Start(ctx, nodeName, kubeletExtraArgs, getBootstrapKubeconfig, nil)
 		},
 	}
 
@@ -136,10 +149,73 @@ func GetNodeName(opts *config.WorkerOptions) (apitypes.NodeName, stringmap.Strin
 	return nodeName, kubeletExtraArgs, nil
 }
 
+func kubeconfigGetterFromJoinToken(tokenFile, tokenArg string) (clientcmd.KubeconfigGetter, error) {
+	if tokenArg != "" {
+		if tokenFile != "" {
+			return nil, errors.New("you can only pass one token argument either as a CLI argument 'k0s worker [token]' or as a flag 'k0s worker --token-file [path]'")
+		}
+
+		kubeconfig, err := loadKubeconfigFromJoinToken(tokenArg)
+		if err != nil {
+			return nil, err
+		}
+
+		return func() (*clientcmdapi.Config, error) {
+			return kubeconfig, nil
+		}, nil
+	}
+
+	if tokenFile == "" {
+		return nil, nil
+	}
+
+	return func() (*clientcmdapi.Config, error) {
+		return loadKubeconfigFromTokenFile(tokenFile)
+	}, nil
+}
+
+func loadKubeconfigFromJoinToken(tokenData string) (*clientcmdapi.Config, error) {
+	decoded, err := token.DecodeJoinToken(tokenData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode join token: %w", err)
+	}
+
+	kubeconfig, err := clientcmd.Load(decoded)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load kubeconfig from join token: %w", err)
+	}
+
+	if tokenType := token.GetTokenType(kubeconfig); tokenType != "kubelet-bootstrap" {
+		return nil, fmt.Errorf("wrong token type %s, expected type: kubelet-bootstrap", tokenType)
+	}
+
+	return kubeconfig, nil
+}
+
+func loadKubeconfigFromTokenFile(path string) (*clientcmdapi.Config, error) {
+	var problem string
+	tokenBytes, err := os.ReadFile(path)
+	if errors.Is(err, os.ErrNotExist) {
+		problem = "not found"
+	} else if err != nil {
+		return nil, fmt.Errorf("failed to read token file: %w", err)
+	} else if len(tokenBytes) == 0 {
+		problem = "is empty"
+	}
+	if problem != "" {
+		return nil, fmt.Errorf("token file %q %s"+
+			`: obtain a new token via "k0s token create ..." and store it in the file`+
+			` or reinstall this node via "k0s install --force ..." or "k0sctl apply --force ..."`,
+			path, problem)
+	}
+
+	return loadKubeconfigFromJoinToken(string(tokenBytes))
+}
+
 // Start starts the worker components based on the given [config.CLIOptions].
-func (c *Command) Start(ctx context.Context, nodeName apitypes.NodeName, kubeletExtraArgs stringmap.StringMap, controller EmbeddingController) error {
-	if err := worker.BootstrapKubeletKubeconfig(ctx, c.K0sVars, nodeName, &c.WorkerOptions); err != nil {
-		return err
+func (c *Command) Start(ctx context.Context, nodeName apitypes.NodeName, kubeletExtraArgs stringmap.StringMap, getBootstrapKubeconfig clientcmd.KubeconfigGetter, controller EmbeddingController) error {
+	if err := worker.BootstrapKubeletClientConfig(ctx, c.K0sVars, nodeName, &c.WorkerOptions, getBootstrapKubeconfig); err != nil {
+		return fmt.Errorf("failed to bootstrap kubelet client configuration: %w", err)
 	}
 
 	kubeletKubeconfigPath := c.K0sVars.KubeletAuthConfigPath

pkg/component/worker/kubelet.go

@@ -35,6 +35,7 @@ import (
 	"github.com/k0sproject/k0s/pkg/component/manager"
 	"github.com/k0sproject/k0s/pkg/config"
 	"github.com/k0sproject/k0s/pkg/constant"
+	"github.com/k0sproject/k0s/pkg/kubernetes"
 	"github.com/k0sproject/k0s/pkg/supervisor"
 
 	corev1 "k8s.io/api/core/v1"
@@ -219,8 +220,13 @@ func (k *Kubelet) writeKubeletConfig() error {
 		return err
 	}
 
+	caPath, err := k.getKubeletCAPath()
+	if err != nil {
+		return err
+	}
+
 	config := k.Configuration.DeepCopy()
-	config.Authentication.X509.ClientCAFile = filepath.Join(k.K0sVars.CertRootDir, "ca.crt")
+	config.Authentication.X509.ClientCAFile = caPath
 	config.VolumePluginDir = k.K0sVars.KubeletVolumePluginDir
 	config.ResolverConfig = determineKubeletResolvConfPath()
 	config.StaticPodURL = staticPodURL
@@ -251,6 +257,27 @@ func (k *Kubelet) writeKubeletConfig() error {
 	return nil
 }
 
+func (k *Kubelet) getKubeletCAPath() (string, error) {
+	restConfig, err := kubernetes.ClientConfig(kubernetes.KubeconfigFromFile(k.Kubeconfig))
+	if err != nil {
+		return "", fmt.Errorf("failed to load kubelet kubeconfig: %w", err)
+	}
+
+	if len(restConfig.CAData) > 0 {
+		caPath := filepath.Join(k.K0sVars.RunDir, "kubelet", "ca.crt")
+		if err := file.WriteContentAtomically(caPath, restConfig.CAData, constant.CertMode); err != nil {
+			return "", fmt.Errorf("failed to write kubelet CA file: %w", err)
+		}
+		return caPath, nil
+	}
+
+	if !file.Exists(restConfig.CAFile) {
+		return "", fmt.Errorf("kubelet CA file doesn't exist: %s", restConfig.CAFile)
+	}
+
+	return restConfig.CAFile, nil
+}
+
 func parseTaint(st string) (corev1.Taint, error) {
 	var taint corev1.Taint