k3s-io / k3s-ansible

Apache License 2.0

Support using an auto-generated token #294

Closed laszlojau closed 7 months ago

laszlojau commented 8 months ago

The role used to auto-generate a token, which was working fine for single-node clusters. Currently this is not possible: a value for token must be set. Was this functionality removed on purpose, or is there a plan to reintroduce support for it?

MainRo commented 8 months ago

I struggle to find how to create a HA cluster due to this: The k3s_server role requires a token value to be present but I am not able to bootstrap it: the "k3s token generate" command creates a short form token that is not accepted when instantiating the first server node. How are we supposed to provide this token?

dereknola commented 8 months ago

You should read the docs on how to use the token subcommand. You can't join servers with the tokens generated using it, only agents. Admittedly, this information should probably be more apparent in Bold or something.

Supporting auto-generated tokens for HA and single simultaneously introduced a bunch of overhead in the provisioning that I didn't want to deal with. Additionally, the use of user-designated tokens has become the default assumption/suggestion in running K3s for security reasons.

If you don't want the token sitting as plaintext in the playbook, you should pass it as an ENV when running the playbook:

ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=<MY_SECURE_TOKEN>

If you want a random token you could also achieve something similar with

ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=$(rand or gpw or pwgen command)

BMeach commented 7 months ago

@dereknola I may be missing something, but how would you go about generating a token using the "secure token format" as specified in the docs you linked?

MainRo commented 7 months ago

Thanks @dereknola, I provided the secret/token with an environment variable.

I think that the parameter name "token" confused me: it can be either a token generated with "k3s token", or just a shared secret (basically any string).

dereknola commented 7 months ago

@BMeach You could hand generate one using the formula, but that's somewhat of a pain.

When you start a K3s server with k3s server --token=mytoken, the full "secure token" is automatically generated for you, with the mytoken being placed in the <credentials> section.

#/var/lib/rancher/k3s/server/token
K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383::server:mytoken
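As an added example (not part of this issue or of the k3s-ansible role), the script below shows both halves of what the thread discusses: generating a random shared secret for --token, the stdlib equivalent of the pwgen/gpw substitution above, and assembling or checking the full K10<CA-HASH>::server:<secret> token that K3s writes to /var/lib/rancher/k3s/server/token. It assumes the CA-HASH is the hex SHA-256 of the server CA certificate bytes; the certificate used here is a constructed placeholder, not a real CA.

```python
import hashlib
import re
import secrets

# Constructed placeholder standing in for the server CA certificate file.
# Not a real certificate; only its bytes matter for the hash computed below.
FAKE_SERVER_CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"CONSTRUCTED-PLACEHOLDER-CA\n"
    b"-----END CERTIFICATE-----\n"
)

# Full token layout shown in the thread: K10<64 hex chars>::<user>:<password>.
# A short token from "k3s token generate" (agent-only) does not match this shape.
TOKEN_RE = re.compile(r"^K10([0-9a-f]{64})::([^:]+):(.+)$")


def generate_shared_secret(nbytes: int = 32) -> str:
    """Random secret to pass as --token (or --extra-vars token=...).
    32 random bytes become 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def ca_hash(ca_pem: bytes) -> str:
    """Assumption: CA-HASH is the hex SHA-256 of the server CA certificate bytes."""
    return hashlib.sha256(ca_pem).hexdigest()


def build_full_token(ca_pem: bytes, secret: str, user: str = "server") -> str:
    """Assemble what K3s writes to server/token when started with --token=<secret>."""
    return f"K10{ca_hash(ca_pem)}::{user}:{secret}"


def parse_full_token(token: str) -> dict:
    """Split a full token into its parts; reject short/agent-only tokens."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("not a full K10 secure token")
    return {"ca_hash": m.group(1), "user": m.group(2), "password": m.group(3)}


def token_matches_ca(token: str, ca_pem: bytes) -> bool:
    """True only when the token pins the CA we actually trust. A mismatch means
    the token came from a different cluster or the CA was replaced; a joining
    node should refuse rather than proceed."""
    return parse_full_token(token)["ca_hash"] == ca_hash(ca_pem)
```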

BMeach commented 7 months ago

@BMeach You could hand generate one using the formula, but that's somewhat of a pain.

When you start a K3s server with k3s server --token=mytoken, the full "secure token" is automatically generated for you, with the mytoken being placed in the <credentials> section.

#/var/lib/rancher/k3s/server/token
K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383::server:mytoken

That makes sense, thank you for clearing it up. Are there any length recommendations or requirements for the initial token? I have not been able to find any so far.

dereknola commented 7 months ago

There are no hard length requirements. It's just going to depend on your security posture (i.e. do you want special characters, numbers, letters). As an org, K3s makes no official recommendations on length/complexity.