
[release-1.24] New features from K3s: user-provided CA certs and kubeadm bootstrap token support #3895

Closed
brandond opened this issue Feb 10, 2023 · 1 comment

@brandond
Member

RKE2 tracking issue for new K3s features:

See K3s PRs for functionality to test

User-Facing Change

RKE2 now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before RKE2 starts in the K3s repo at [contrib/util/certs.sh](https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh).
RKE2 now supports `kubeadm` style join tokens. `rke2 token create` now creates join token secrets, optionally with a limited TTL.
RKE2 agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.
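The kubeadm-style join token described above has the shape `<ca-hash>::<id>.<secret>`, and the matching `bootstrap-token-<id>` Secret carries the TTL and usages that `rke2 token list` prints. The following is an added example, not RKE2 or K3s code: it parses the join token and audits the corresponding Secret for the conditions a cluster operator would want flagged (expired, never-expiring, mismatched, or over-privileged). It assumes RKE2 stores the token in the standard kubeadm Secret layout (base64 `token-id`, `token-secret`, `expiration`, `auth-extra-groups` fields) and that the CA-hash prefix has the `K10…` form; the sample Secret and token are constructed from the id, expiry and groups shown in the validation comment below.

```python
import base64, hmac, re
from datetime import datetime

# kubeadm bootstrap token body: 6-char id '.' 16-char secret, lowercase [a-z0-9].
BOOTSTRAP_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")

def parse_join_token(token):
    """Split '<ca-hash>::<id>.<secret>' into parts; None if malformed. The CA-hash prefix
    is redacted on the page, so only its presence is checked here (assumed 'K10' + hash)."""
    ca_hash, sep, body = token.strip().partition("::")
    m = BOOTSTRAP_RE.match(body)
    if not sep or not ca_hash or not m:
        return None
    return {"ca_hash": ca_hash, "id": m.group(1), "secret": m.group(2)}

def _iso(ts):  # RFC 3339 'Z' timestamps as written in the Secret
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_bootstrap_secret(secret_obj, token, now_iso):
    """Compare a bootstrap-token Secret (kubeadm layout, assumed for RKE2) with the join
    token an agent was given. Returns a list of findings; [] means the token looks sane."""
    parsed = parse_join_token(token)
    if parsed is None:
        return ["join token is malformed"]
    data = {k: base64.b64decode(v).decode() for k, v in secret_obj["data"].items()}
    findings = []
    if secret_obj["metadata"]["name"] != "bootstrap-token-" + data.get("token-id", ""):
        findings.append("Secret name does not match token-id")
    if parsed["id"] != data.get("token-id"):
        findings.append("token-id does not match join token")
    elif not hmac.compare_digest(parsed["secret"], data.get("token-secret", "")):
        findings.append("token-secret does not match join token")
    exp = data.get("expiration")  # absent means the token never expires
    if exp is None:
        findings.append("no expiration: token never expires")
    elif _iso(exp) <= _iso(now_iso):
        findings.append("token expired")
    if any(g and not g.startswith("system:bootstrappers:") for g in data.get("auth-extra-groups", "").split(",")):
        findings.append("auth-extra-groups outside system:bootstrappers:")
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample token and Secret mirroring the page's `rke2 token list` output.
SAMPLE_TOKEN = "K10<redacted-ca-hash>::ylyy0r.9s253awfzjpja7ez"
SAMPLE_SECRET = {"metadata": {"name": "bootstrap-token-ylyy0r", "namespace": "kube-system"}, "data": {
    k: _b64(v) for k, v in {"token-id": "ylyy0r", "token-secret": "9s253awfzjpja7ez",
    "expiration": "2023-02-23T16:03:54Z", "usage-bootstrap-authentication": "true",
    "usage-bootstrap-signing": "true", "auth-extra-groups": "system:bootstrappers:rke2:default-node-token"}.items()}}
```

On a live cluster the Secret object would come from `kubectl -n kube-system get secret bootstrap-token-<id> -o json`; an empty findings list means the token an agent holds is still valid for joining.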
@bguzman-3pillar
Contributor

Validated on 1a346e6

$ rke2 -v
rke2 version v1.24.10-dev+1a346e63 (1a346e6318ea0317f482f3447e5d11aad26db80a)
go version go1.19.5 X:boringcrypto

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Cluster Configuration:

1 server, 1 agent

Config.yaml:

#agent
$ sudo cat /etc/rancher/rke2/config.yaml 
token: <token generated from server>::ylyy0r.9s253awfzjpja7ez
server: https://<IP server>:9345

Testing Steps

  1. Copy config.yaml
     $ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2
  2. Install RKE2
  3. Create token
  4. Try to join server node using that generated token

Validation Results:

$ kubectl get nodes
NAME               STATUS   ROLES                       AGE    VERSION
ip-172-31-40-239   Ready    control-plane,etcd,master   115s   v1.24.10+rke2r1

$ sudo rke2 token create 
<redacted>::ylyy0r.9s253awfzjpja7ez

$ sudo rke2 token list
TOKEN     TTL       EXPIRES                USAGES                   DESCRIPTION   EXTRA GROUPS
ylyy0r    23h       2023-02-23T16:03:54Z   authentication,signing   <none>        system:bootstrappers:rke2:default-node-token

Agent joined correctly

$ kubectl get node,pod -A
NAME                    STATUS   ROLES                       AGE     VERSION
node/ip-172-31-32-26    Ready    <none>                      5m1s    v1.24.10+rke2r1
node/ip-172-31-40-239   Ready    control-plane,etcd,master   9m26s   v1.24.10+rke2r1

NAMESPACE     NAME                                                        READY   STATUS      RESTARTS   AGE
kube-system   pod/cloud-controller-manager-ip-172-31-40-239               1/1     Running     0          9m22s
kube-system   pod/etcd-ip-172-31-40-239                                   1/1     Running     0          9m12s
kube-system   pod/helm-install-rke2-canal-t8vm4                           0/1     Completed   0          9m7s
kube-system   pod/helm-install-rke2-coredns-99knk                         0/1     Completed   0          9m7s
kube-system   pod/helm-install-rke2-ingress-nginx-hxsqj                   0/1     Completed   0          9m7s
kube-system   pod/helm-install-rke2-metrics-server-fppps                  0/1     Completed   0          9m7s
kube-system   pod/kube-apiserver-ip-172-31-40-239                         1/1     Running     0          9m17s
kube-system   pod/kube-controller-manager-ip-172-31-40-239                1/1     Running     0          9m22s
kube-system   pod/kube-proxy-ip-172-31-32-26                              1/1     Running     0          5m
kube-system   pod/kube-proxy-ip-172-31-40-239                             1/1     Running     0          9m19s
kube-system   pod/kube-scheduler-ip-172-31-40-239                         1/1     Running     0          9m22s
kube-system   pod/rke2-canal-5lp7r                                        2/2     Running     0          5m1s
kube-system   pod/rke2-canal-ncwpn                                        2/2     Running     0          9m
kube-system   pod/rke2-coredns-rke2-coredns-58fd75f64b-8z4dl              1/1     Running     0          5m
kube-system   pod/rke2-coredns-rke2-coredns-58fd75f64b-gr89n              1/1     Running     0          9m
kube-system   pod/rke2-coredns-rke2-coredns-autoscaler-768bfc5985-thtrw   1/1     Running     0          9m
kube-system   pod/rke2-ingress-nginx-controller-n7lr2                     1/1     Running     0          4m30s
kube-system   pod/rke2-ingress-nginx-controller-xmwtl                     1/1     Running     0          8m22s
kube-system   pod/rke2-metrics-server-74f878b999-wkhlc                    1/1     Running     0          8m31s
