kube-bootstrap-token-manager

command module
v0.0.0-...-e4d5ede Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 1, 2025 License: MIT Imports: 13 Imported by: 0

README

Kubernetes node bootstrap token manager

license DockerHub Quay.io Artifact Hub

Manager for Node bootstrap tokens for Kubernetes.

Supports currently Azure cloud provider (more cloud provider support -> please submit PR).

Azure:

  • Stores token in Keyvault as secret
  • (re)creates token inside Kubernetes and ensures it existence
  • Manages renewal if token is going to be expired

Configuration

Usage:
  kube-bootstrap-token-manager [OPTIONS]

Application Options:
      --log.debug                                      debug mode [$LOG_DEBUG]
      --log.devel                                      development mode [$LOG_DEVEL]
      --log.json                                       Switch log output to json format [$LOG_JSON]
      --bootstraptoken.id-template=                    Template for token ID for bootstrap tokens (default: {{.Date}}) [$BOOTSTRAPTOKEN_ID_TEMPLATE]
      --bootstraptoken.name=                           Name for bootstrap tokens (default: bootstrap-token-%s) [$BOOTSTRAPTOKEN_NAME]
      --bootstraptoken.label=                          Label for bootstrap tokens (default: webdevops.kubernetes.io/bootstraptoken-managed) [$BOOTSTRAPTOKEN_LABEL]
      --bootstraptoken.namespace=                      Namespace for bootstrap tokens (default: kube-system) [$BOOTSTRAPTOKEN_NAMESPACE]
      --bootstraptoken.type=                           Type for bootstrap tokens (default: bootstrap.kubernetes.io/token) [$BOOTSTRAPTOKEN_TYPE]
      --bootstraptoken.usage-bootstrap-authentication= Usage bootstrap authentication for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_AUTHENTICATION]
      --bootstraptoken.usage-bootstrap-signing=        usage bootstrap signing for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_SIGNING]
      --bootstraptoken.auth-extra-groups=              Auth extra groups for bootstrap tokens (default: system:bootstrappers:worker,system:bootstrappers:ingress) [$BOOTSTRAPTOKEN_AUTH_EXTRA_GROUPS]
      --bootstraptoken.expiration=                     Expiration (time.Duration) for bootstrap tokens (default: 8760h) [$BOOTSTRAPTOKEN_EXPIRATION]
      --bootstraptoken.token-length=                   Length of the random token string for bootstrap tokens (default: 16) [$BOOTSTRAPTOKEN_TOKEN_LENGTH]
      --bootstraptoken.token-runes=                    Runes which should be used for the random token string for bootstrap tokens (default: abcdefghijklmnopqrstuvwxyz0123456789)
                                                       [$BOOTSTRAPTOKEN_TOKEN_RUNES]
      --sync.time=                                     Sync time (time.Duration) (default: 1h) [$SYNC_TIME]
      --sync.recreate-before=                          Time duration (time.Duration) when token should be recreated (default: 2190h) [$SYNC_RECREATE_BEFORE]
      --sync.full                                      Sync also previous tokens (full sync) [$SYNC_FULL]
      --cloud-provider=[azure]                         Cloud provider [$CLOUD_PROVIDER]
      --azure.keyvault.url=                            URL of Keyvault to sync token [$AZURE_KEYVAULT_URL]
      --azure.keyvault.secret=                         Name of Keyvault secret to sync token (default: kube-bootstrap-token) [$AZURE_KEYVAULT_SECRET]
      --dry-run                                        Dry run (do not apply to nodes) [$DRY_RUN]
      --server.bind=                                   Server address (default: :8080) [$SERVER_BIND]
      --server.timeout.read=                           Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ]
      --server.timeout.write=                          Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE]

Help Options:
  -h, --help                                           Show this help message

for Azure API authentication (using ENV vars) see following documentations:

Metrics

(see :8080/metrics)

Metric Description
bootstraptoken_token_info Info about current token
bootstraptoken_token_expiration Expiration time (unix timestamp) of token
bootstraptoken_sync_status Status if sync was successfull
bootstraptoken_sync_time Timestamp of last sync
bootstraptoken_sync_count Counter of sync
AzureTracing metrics

see armclient tracing documentation

Settings
Environment variable Example Description
METRIC_AZURERM_API_REQUEST_BUCKETS 1, 2.5, 5, 10, 30, 60, 90, 120 Sets buckets for azurerm_api_request histogram metric
METRIC_AZURERM_API_REQUEST_ENABLE false Enables/disables azurerm_api_request_* metric
METRIC_AZURERM_API_REQUEST_LABELS apiEndpoint, method, statusCode Controls labels of azurerm_api_request_* metric
METRIC_AZURERM_API_RATELIMIT_ENABLE false Enables/disables azurerm_api_ratelimit metric
METRIC_AZURERM_API_RATELIMIT_AUTORESET false Enables/disables azurerm_api_ratelimit autoreset after fetch
azurerm_api_request label Status Description
apiEndpoint enabled by default hostname of endpoint (max 3 parts)
routingRegion enabled by default detected region for API call, either routing region from Azure Management API or Azure resource location
subscriptionID enabled by default detected subscriptionID
tenantID enabled by default detected tenantID (extracted from jwt auth token)
resourceProvider enabled by default detected Azure Management API provider
method enabled by default HTTP method
statusCode enabled by default HTTP status code

Kubernetes deployment

see deployment

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.