Save agent token to /var/lib/rancher/k3s/server/agent-token

Having separate tokens for server and agent nodes is a nice feature. However, passing server's plain `K3S_AGENT_TOKEN` value to `k3s agent --token` without CA hash is insecure when CA is self-signed, and k3s warns about it in the logs: ``` Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash. Use the full token from the server's node-token file to enable Cluster CA validation. ``` Okay so I need CA hash but where should I get it? This commit attempts to fix this issue by saving agent token value to `agent-token` file with CA hash appended. Signed-off-by: Vladimir Kochnev <[email protected]> (cherry picked from commit 13af0b1) Signed-off-by: Brad Davidson <[email protected]>
k3s-io · Aug 3, 2022 · 52c977e · 52c977e
1 parent 9125d70
commit 52c977e
Showing 1 changed file with 39 additions and 13 deletions.
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -313,14 +313,11 @@ func HomeKubeConfig(write, rootless bool) (string, error) {
 }
 
 func printTokens(config *config.Control) error {
-	var (
-		nodeFile string
-	)
-	if len(config.Runtime.ServerToken) > 0 {
-		p := filepath.Join(config.DataDir, "token")
-		if err := writeToken(config.Runtime.ServerToken, p, config.Runtime.ServerCA); err == nil {
-			logrus.Infof("Node token is available at %s", p)
-			nodeFile = p
+	var serverTokenFile string
+	if config.Runtime.ServerToken != "" {
+		serverTokenFile = filepath.Join(config.DataDir, "token")
+		if err := writeToken(config.Runtime.ServerToken, serverTokenFile, config.Runtime.ServerCA); err != nil {
+			return err
 		}
 
 		// backwards compatibility
@@ -329,14 +326,43 @@ func printTokens(config *config.Control) error {
 			if err := os.RemoveAll(np); err != nil {
 				return err
 			}
-			if err := os.Symlink(p, np); err != nil {
+			if err := os.Symlink(serverTokenFile, np); err != nil {
 				return err
 			}
 		}
+
+		logrus.Infof("Server node token is available at %s", serverTokenFile)
+		printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join server node to cluster:", "server", "SERVER_NODE_TOKEN")
+	}
+
+	var agentTokenFile string
+	if config.Runtime.AgentToken != "" {
+		if config.AgentToken != "" {
+			agentTokenFile = filepath.Join(config.DataDir, "agent-token")
+			if isSymlink(agentTokenFile) {
+				if err := os.RemoveAll(agentTokenFile); err != nil {
+					return err
+				}
+			}
+			if err := writeToken(config.Runtime.AgentToken, agentTokenFile, config.Runtime.ServerCA); err != nil {
+				return err
+			}
+		} else if serverTokenFile != "" {
+			agentTokenFile = filepath.Join(config.DataDir, "agent-token")
+			if !isSymlink(agentTokenFile) {
+				if err := os.RemoveAll(agentTokenFile); err != nil {
+					return err
+				}
+				if err := os.Symlink(serverTokenFile, agentTokenFile); err != nil {
+					return err
+				}
+			}
+		}
 	}
 
-	if len(nodeFile) > 0 {
-		printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join node to cluster:", "agent")
+	if agentTokenFile != "" {
+		logrus.Infof("Agent node token is available at %s", agentTokenFile)
+		printToken(config.SupervisorPort, config.BindAddressOrLoopback(true, true), "To join agent node to cluster:", "agent", "AGENT_NODE_TOKEN")
 	}
 
 	return nil
@@ -423,8 +449,8 @@ func setupDataDirAndChdir(config *config.Control) error {
 	return nil
 }
 
-func printToken(httpsPort int, advertiseIP, prefix, cmd string) {
-	logrus.Infof("%s %s %s -s https://%s:%d -t ${NODE_TOKEN}", prefix, version.Program, cmd, advertiseIP, httpsPort)
+func printToken(httpsPort int, advertiseIP, prefix, cmd, varName string) {
+	logrus.Infof("%s %s %s -s https://%s:%d -t ${%s}", prefix, version.Program, cmd, advertiseIP, httpsPort, varName)
 }
 
 func writeToken(token, file, certs string) error {