Skip to content

webdevops/kube-bootstrap-token-manager

BranchesTags

Repository files navigation

Kubernetes node bootstrap token manager

license DockerHub Quay.io Artifact Hub

Manager for Node bootstrap tokens for Kubernetes.

Supports currently Azure cloud provider (more cloud provider support -> please submit PR).

Azure:

  • Stores token in Keyvault as secret
  • (re)creates token inside Kubernetes and ensures it existence
  • Manages renewal if token is going to be expired

Configuration

Usage:
  kube-bootstrap-token-manager [OPTIONS]

Application Options:
      --log.debug                                      debug mode [$LOG_DEBUG]
      --log.devel                                      development mode [$LOG_DEVEL]
      --log.json                                       Switch log output to json format [$LOG_JSON]
      --bootstraptoken.id-template=                    Template for token ID for bootstrap tokens (default: {{.Date}}) [$BOOTSTRAPTOKEN_ID_TEMPLATE]
      --bootstraptoken.name=                           Name for bootstrap tokens (default: bootstrap-token-%s) [$BOOTSTRAPTOKEN_NAME]
      --bootstraptoken.label=                          Label for bootstrap tokens (default: webdevops.kubernetes.io/bootstraptoken-managed) [$BOOTSTRAPTOKEN_LABEL]
      --bootstraptoken.namespace=                      Namespace for bootstrap tokens (default: kube-system) [$BOOTSTRAPTOKEN_NAMESPACE]
      --bootstraptoken.type=                           Type for bootstrap tokens (default: bootstrap.kubernetes.io/token) [$BOOTSTRAPTOKEN_TYPE]
      --bootstraptoken.usage-bootstrap-authentication= Usage bootstrap authentication for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_AUTHENTICATION]
      --bootstraptoken.usage-bootstrap-signing=        usage bootstrap signing for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_SIGNING]
      --bootstraptoken.auth-extra-groups=              Auth extra groups for bootstrap tokens (default: system:bootstrappers:worker,system:bootstrappers:ingress) [$BOOTSTRAPTOKEN_AUTH_EXTRA_GROUPS]
      --bootstraptoken.expiration=                     Expiration (time.Duration) for bootstrap tokens (default: 8760h) [$BOOTSTRAPTOKEN_EXPIRATION]
      --bootstraptoken.token-length=                   Length of the random token string for bootstrap tokens (default: 16) [$BOOTSTRAPTOKEN_TOKEN_LENGTH]
      --bootstraptoken.token-runes=                    Runes which should be used for the random token string for bootstrap tokens (default: abcdefghijklmnopqrstuvwxyz0123456789)
                                                       [$BOOTSTRAPTOKEN_TOKEN_RUNES]
      --sync.time=                                     Sync time (time.Duration) (default: 1h) [$SYNC_TIME]
      --sync.recreate-before=                          Time duration (time.Duration) when token should be recreated (default: 2190h) [$SYNC_RECREATE_BEFORE]
      --sync.full                                      Sync also previous tokens (full sync) [$SYNC_FULL]
      --cloud-provider=[azure]                         Cloud provider [$CLOUD_PROVIDER]
      --azure.keyvault.url=                            URL of Keyvault to sync token [$AZURE_KEYVAULT_URL]
      --azure.keyvault.secret=                         Name of Keyvault secret to sync token (default: kube-bootstrap-token) [$AZURE_KEYVAULT_SECRET]
      --dry-run                                        Dry run (do not apply to nodes) [$DRY_RUN]
      --server.bind=                                   Server address (default: :8080) [$SERVER_BIND]
      --server.timeout.read=                           Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ]
      --server.timeout.write=                          Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE]

Help Options:
  -h, --help                                           Show this help message

for Azure API authentication (using ENV vars) see following documentations:

Metrics

(see :8080/metrics)

Metric Description
bootstraptoken_token_info Info about current token
bootstraptoken_token_expiration Expiration time (unix timestamp) of token
bootstraptoken_sync_status Status if sync was successfull
bootstraptoken_sync_time Timestamp of last sync
bootstraptoken_sync_count Counter of sync

AzureTracing metrics

see armclient tracing documentation

Settings

Environment variable Example Description
METRIC_AZURERM_API_REQUEST_BUCKETS 1, 2.5, 5, 10, 30, 60, 90, 120 Sets buckets for azurerm_api_request histogram metric
METRIC_AZURERM_API_REQUEST_ENABLE false Enables/disables azurerm_api_request_* metric
METRIC_AZURERM_API_REQUEST_LABELS apiEndpoint, method, statusCode Controls labels of azurerm_api_request_* metric
METRIC_AZURERM_API_RATELIMIT_ENABLE false Enables/disables azurerm_api_ratelimit metric
METRIC_AZURERM_API_RATELIMIT_AUTORESET false Enables/disables azurerm_api_ratelimit autoreset after fetch
azurerm_api_request label Status Description
apiEndpoint enabled by default hostname of endpoint (max 3 parts)
routingRegion enabled by default detected region for API call, either routing region from Azure Management API or Azure resource location
subscriptionID enabled by default detected subscriptionID
tenantID enabled by default detected tenantID (extracted from jwt auth token)
resourceProvider enabled by default detected Azure Management API provider
method enabled by default HTTP method
statusCode enabled by default HTTP status code

Kubernetes deployment

see deployment

About

Manager for Kubernetes bootstrap tokens with cloud support

Topics

kubernetes azure kubernetes-secrets kubernetes-bootstrap

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 11

25.5.0 Latest
May 1, 2025
+ 10 releases

Packages

No packages published

Languages