Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Split bootstrap join token from machine provisioning data #9631

Closed
AndiDog opened this issue Oct 30, 2023 · 5 comments
Closed

Split bootstrap join token from machine provisioning data #9631

AndiDog opened this issue Oct 30, 2023 · 5 comments
Labels
area/bootstrap Issues or PRs related to bootstrap providers kind/feature Categorizes issue or PR as related to a new feature. kind/proposal Issues or PRs related to proposals. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@AndiDog
Copy link
Contributor

AndiDog commented Oct 30, 2023

What would you like to be added (User Story)?

As developers, we want clear separation between bootstrapping (join token) and provisioning (machine startup script) in order to not mix these concerns into what is currently called "bootstrap data secret".

Detailed Description

In #8858, we found that having the bootstrap token, needed to join new nodes, is part of the bootstrap data secret and therefore directly used for spinning up machines such as EC2 instances. For machine pools, the token must be regularly rotated (for security) or refreshed since the cloud provider could start a new machine at any time (example: AWS auto-scaling group creating a new instance) and it should be able to join the cluster. Since the token is rotated regularly, the bootstrap secret also changes at certain intervals (related to, but normally earlier than DefaultTokenTTL = 15 minutes). If we can split off retrieval of the bootstrap token from the machine's provisioning data, such as the cloud-init/ignition script, it would help infra providers like CAPA to recognize when something other than the token has changed.

Anything else you would like to add?

cc @vincepri

Label(s) to be applied

/kind feature
/area bootstrap

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. area/bootstrap Issues or PRs related to bootstrap providers needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 30, 2023
@killianmuldoon
Copy link
Contributor

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 30, 2023
@fabriziopandini
Copy link
Member

/remove kind/feature
/kind proposal

This is a sort of duplicate of #5294, which has a lot of historical context, not sure if we want to dedup tough

Also, some related issue that might benefit from this work:

@fabriziopandini
Copy link
Member

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 11, 2024
@fabriziopandini
Copy link
Member

/close

in favour of #5294

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: Closing this issue.

In response to this:

/close

in favour of #5294

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/bootstrap Issues or PRs related to bootstrap providers kind/feature Categorizes issue or PR as related to a new feature. kind/proposal Issues or PRs related to proposals. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Development

No branches or pull requests

4 participants