Save agent token to /var/lib/rancher/k3s/server/agent-token #5906

Merged
merged 1 commit into from
Aug 1, 2022

Conversation

marshall-lee
Contributor

@marshall-lee marshall-lee commented Jul 26, 2022

Proposed Changes

Having separate tokens for server and agent nodes is a nice feature.

However, passing the server's plain `K3S_AGENT_TOKEN` value to `k3s agent --token` without a CA hash is insecure when the CA is self-signed, and k3s warns about it in the logs:

```
Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash.
Use the full token from the server's node-token file to enable Cluster CA validation.
```

Okay, so I need the CA hash, but where should I get it?

This commit attempts to fix this issue by saving the agent token value to the `agent-token` file with the CA hash appended.

Types of Changes

New feature

Verification

Testing

Linked Issues

User-Facing Change

When set, the agent-token value is now written to `$datadir/server/agent-token`, in the same manner as the default (server) token is written to `$datadir/server/token`.

Further Comments

@marshall-lee marshall-lee requested a review from a team as a code owner July 26, 2022 20:59
Having separate tokens for server and agent nodes is a nice feature.

However, passing the server's plain `K3S_AGENT_TOKEN` value
to `k3s agent --token` without a CA hash is insecure when the CA is
self-signed, and k3s warns about it in the logs:

```
Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash.
Use the full token from the server's node-token file to enable Cluster CA validation.
```

Okay, so I need the CA hash, but where should I get it?

This commit attempts to fix this issue by saving the agent token value to
the `agent-token` file with the CA hash appended.

Signed-off-by: Vladimir Kochnev <[email protected]>
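As an added example of why the CA hash in the "full token" matters (this is not code from the PR or from k3s itself), the check below builds the full-token form from a bare agent secret and verifies a token against the CA bundle a server presents, reporting the unpinned case that triggers the warning quoted above. It assumes k3s's documented token layout, `K10<sha256 hex of the CA bundle bytes>::<username>:<password>`, which this page does not spell out; the CA bytes and the secret are constructed sample values.

```python
import hashlib

# Assumed layout (not stated on this PR page): k3s "full" tokens look like
#   K10<sha256 hex of the CA bundle as served>::<username>:<password>
# A bare value such as the raw K3S_AGENT_TOKEN carries no CA hash at all.
CA_HASH_PREFIX = "K10"


def parse_token(token: str) -> dict:
    """Split a k3s-style token into its CA hash (None if absent) and credential."""
    if not token.startswith(CA_HASH_PREFIX) or "::" not in token:
        # Plain secret: usable for auth, but nothing to pin the cluster CA against.
        return {"ca_hash": None, "credential": token}
    ca_hash, _, credential = token[len(CA_HASH_PREFIX):].partition("::")
    if len(ca_hash) != 64 or any(c not in "0123456789abcdef" for c in ca_hash):
        raise ValueError("malformed CA hash in token")
    return {"ca_hash": ca_hash, "credential": credential}


def ca_hash_of(ca_pem: bytes) -> str:
    """Hex sha256 over the CA bundle bytes exactly as the server serves them."""
    return hashlib.sha256(ca_pem).hexdigest()


def build_full_token(ca_pem: bytes, credential: str) -> str:
    """Produce the full-token form: the secret with the CA hash attached."""
    return f"{CA_HASH_PREFIX}{ca_hash_of(ca_pem)}::{credential}"


def check_token_against_ca(token: str, ca_pem: bytes) -> str:
    """'ok' if the token pins this CA, 'unpinned' if it carries no hash at all,
    'mismatch' if it pins a different CA (wrong cluster, or an interposed one)."""
    parsed = parse_token(token)
    if parsed["ca_hash"] is None:
        return "unpinned"
    return "ok" if parsed["ca_hash"] == ca_hash_of(ca_pem) else "mismatch"


# Constructed sample inputs; these are not real certificates or secrets.
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed-ca-one\n-----END CERTIFICATE-----\n"
OTHER_CA_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed-ca-two\n-----END CERTIFICATE-----\n"
PLAIN_AGENT_TOKEN = "node:constructed-agent-secret"

if __name__ == "__main__":
    full = build_full_token(SAMPLE_CA_PEM, PLAIN_AGENT_TOKEN)
    print(full)
    print(check_token_against_ca(PLAIN_AGENT_TOKEN, SAMPLE_CA_PEM))  # unpinned
    print(check_token_against_ca(full, SAMPLE_CA_PEM))               # ok
    print(check_token_against_ca(full, OTHER_CA_PEM))                # mismatch
```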
@marshall-lee marshall-lee force-pushed the write-agent-token-file branch from bf97c12 to f1144c7 Compare July 26, 2022 20:59