Initial revision

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

.dockerignore

@@ -0,0 +1,3 @@
+/test
+/vendor
+/kube-bootstrap-token-manager

.editorconfig

@@ -0,0 +1,28 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+charset = utf-8
+trim_trailing_whitespace = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+
+[Makefile]
+indent_style = tab
+
+[*.yml]
+indent_size = 2
+
+[*.yaml]
+indent_size = 2
+
+[*.conf]
+indent_size = 2
+
+[*.go]
+indent_style = tab
+indent_size = 4

.gitignore

@@ -0,0 +1,3 @@
+/vendor
+/kube-bootstrap-token-manager
+*.exe

Dockerfile

@@ -0,0 +1,24 @@
+FROM golang:1.14 as build
+
+WORKDIR /go/src/github.com/webdevops/kube-bootstrap-token-manager
+
+# Get deps (cached)
+COPY ./go.mod /go/src/github.com/webdevops/kube-bootstrap-token-manager
+COPY ./go.sum /go/src/github.com/webdevops/kube-bootstrap-token-manager
+RUN go mod download
+
+# Compile
+COPY ./ /go/src/github.com/webdevops/kube-bootstrap-token-manager
+RUN make test
+RUN make lint
+RUN make build
+RUN ./kube-bootstrap-token-manager --help
+
+#############################################
+# FINAL IMAGE
+#############################################
+FROM gcr.io/distroless/base
+ENV LOG_JSON=1
+COPY --from=build /go/src/github.com/webdevops/kube-bootstrap-token-manager/kube-bootstrap-token-manager /
+USER 1000
+ENTRYPOINT ["/kube-bootstrap-token-manager"]

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 WebDevOps
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,42 @@
+.PHONY: all build clean image check vendor dependencies
+
+NAME				:= kube-bootstrap-token-manager
+GIT_TAG				:= $(shell git describe --dirty --tags --always)
+GIT_COMMIT			:= $(shell git rev-parse --short HEAD)
+LDFLAGS             := -X "main.gitTag=$(GIT_TAG)" -X "main.gitCommit=$(GIT_COMMIT)" -extldflags "-static"
+
+PKGS				:= $(shell go list ./... | grep -v -E '/vendor/|/test')
+FIRST_GOPATH		:= $(firstword $(subst :, ,$(shell go env GOPATH)))
+GOLANGCI_LINT_BIN	:= $(FIRST_GOPATH)/bin/golangci-lint
+
+
+all: build
+
+clean:
+	git clean -Xfd .
+
+build:
+	CGO_ENABLED=0 go build -a -ldflags '$(LDFLAGS)' -o $(NAME) .
+
+vendor:
+	go mod tidy
+	go mod vendor
+	go mod verify
+
+image: build
+	docker build -t $(NAME):$(TAG) .
+
+test:
+	go test ./...
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT_BIN)
+	# megacheck fails to respect build flags, causing compilation failure during linting.
+	# instead, use the unused, gosimple, and staticcheck linters directly
+	$(GOLANGCI_LINT_BIN) run -D megacheck -E unused,gosimple,staticcheck --timeout=10m
+
+dependencies: $(GOLANGCI_LINT_BIN)
+
+$(GOLANGCI_LINT_BIN):
+	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(FIRST_GOPATH)/bin v1.23.8
+

README.md

@@ -0,0 +1,71 @@
+Kubernetes node bootstrap token manager
+========================================
+
+[![license](https://img.shields.io/github/license/webdevops/kube-bootstrap-token-manager.svg)](https://github.com/webdevops/kube-bootstrap-token-manager/blob/master/LICENSE)
+[![Docker](https://img.shields.io/docker/cloud/automated/webdevops/kube-bootstrap-token-manager)](https://hub.docker.com/r/webdevops/kube-bootstrap-token-manager/)
+[![Docker Build Status](https://img.shields.io/docker/cloud/build/webdevops/kube-bootstrap-token-manager)](https://hub.docker.com/r/webdevops/kube-bootstrap-token-manager/)
+
+Manager for Node bootstrap tokens for Kubernetes.
+
+Supports currently Azure cloud provider (more cloud provider support -> please submit PR).
+
+Azure:
+- Stores token in Keyvault as secret
+- (re)creates token inside Kubernetes and ensures it existence
+- Manages renewal if token is going to be expired
+
+Configuration
+-------------
+
+```
+Usage:
+  kube-bootstrap-token-manager [OPTIONS]
+
+Application Options:
+      --debug                                          debug mode [$DEBUG]
+  -v, --verbose                                        verbose mode [$VERBOSE]
+      --log.json                                       Switch log output to json format [$LOG_JSON]
+      --bootstraptoken.name=                           Name for bootstrap tokens (default: bootstrap-token-%s) [$BOOTSTRAPTOKEN_NAME]
+      --bootstraptoken.label=                          Label for bootstrap tokens (default: webdevops.kubernetes.io/bootstraptoken-managed) [$BOOTSTRAPTOKEN_LABEL]
+      --bootstraptoken.namespace=                      Namespace for bootstrap tokens (default: kube-system) [$BOOTSTRAPTOKEN_NAMESPACE]
+      --bootstraptoken.type=                           Type for bootstrap tokens (default: bootstrap.kubernetes.io/token) [$BOOTSTRAPTOKEN_TYPE]
+      --bootstraptoken.usage-bootstrap-authentication= Usage bootstrap authentication for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_AUTHENTICATION]
+      --bootstraptoken.usage-bootstrap-signing=        usage bootstrap signing for bootstrap tokens (default: true) [$BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_SIGNING]
+      --bootstraptoken.auth-extra-groups=              Auth extra groups for bootstrap tokens (default: system:bootstrappers:worker,system:bootstrappers:ingress) [$BOOTSTRAPTOKEN_AUTH_EXTRA_GROUPS]
+      --bootstraptoken.expiration=                     Expiration (time.Duration) for bootstrap tokens (default: 8760h) [$BOOTSTRAPTOKEN_EXPIRATION]
+      --bootstraptoken.token-length=                   Length of the random token string for bootstrap tokens (default: 16) [$BOOTSTRAPTOKEN_TOKEN_LENGTH]
+      --bootstraptoken.token-runes=                    Runes which should be used for the random token string for bootstrap tokens (default:
+                                                       abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789) [$BOOTSTRAPTOKEN_TOKEN_RUNES]
+      --sync.time=                                     Sync time (time.Duration) (default: 1h) [$SYNC_TIME]
+      --sync.recreate-before=                          Time duration (time.Duration) when token should be recreated (default: 2190h) [$SYNC_RECREATE_BEFORE]
+      --cloud-provider=[azure]                         Cloud provider [$CLOUD_PROVIDER]
+      --cloud-config=                                  Cloud provider configuration path [$CLOUD_CONFIG]
+      --azure-environment=                             Azure environment name [$AZURE_ENVIRONMENT]
+      --azure.keyvault-name=                           Name of Keyvault to sync token [$AZURE_KEYVAULT_NAME]
+      --azure.keyvault-secret-name=                    Name of Keyvault secret to sync token [$AZURE_KEYVAULT_SECRET_NAME]
+      --dry-run                                        Dry run (do not apply to nodes) [$DRY_RUN]
+      --bind=                                          Server address (default: :8080) [$SERVER_BIND]
+
+Help Options:
+  -h, --help                                           Show this help message
+```
+
+for Azure API authentication (using ENV vars) see https://github.com/Azure/azure-sdk-for-go#authentication
+
+Metrics
+-------
+
+ (see `:8080/metrics`)
+
+| Metric                             | Description                                     |
+|:-----------------------------------|:------------------------------------------------|
+| `bootstraptoken_token_info`        | Info about current token                        |
+| `bootstraptoken_token_expiration`  | Expiration time (unix timestamp) of token       |
+| `bootstraptoken_sync_status`       | Status if sync was successfull                  |
+| `bootstraptoken_sync_time`         | Timestamp of last sync                          |
+| `bootstraptoken_sync_count`        | Counter of sync                                 |
+
+Kubernetes deployment
+---------------------
+
+see [deployment](/deployment)

config/opts.go

@@ -0,0 +1,59 @@
+package config
+
+import (
+	"encoding/json"
+	log "github.com/sirupsen/logrus"
+	"time"
+)
+
+type (
+	Opts struct {
+		// logger
+		Logger struct {
+			Debug   bool `           long:"debug"        env:"DEBUG"    description:"debug mode"`
+			Verbose bool `short:"v"  long:"verbose"      env:"VERBOSE"  description:"verbose mode"`
+			LogJson bool `           long:"log.json"     env:"LOG_JSON" description:"Switch log output to json format"`
+		}
+
+		BootstrapToken struct {
+			Name                         string         `long:"bootstraptoken.name"                            env:"BOOTSTRAPTOKEN_NAME"                               description:"Name for bootstrap tokens" default:"bootstrap-token-%s"`
+			Label                        string         `long:"bootstraptoken.label"                           env:"BOOTSTRAPTOKEN_LABEL"                              description:"Label for bootstrap tokens" default:"webdevops.kubernetes.io/bootstraptoken-managed"`
+			Namespace                    string         `long:"bootstraptoken.namespace"                       env:"BOOTSTRAPTOKEN_NAMESPACE"                          description:"Namespace for bootstrap tokens" default:"kube-system"`
+			Type                         string         `long:"bootstraptoken.type"                            env:"BOOTSTRAPTOKEN_TYPE"                               description:"Type for bootstrap tokens" default:"bootstrap.kubernetes.io/token"`
+			UsageBootstrapAuthentication string         `long:"bootstraptoken.usage-bootstrap-authentication"  env:"BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_AUTHENTICATION"     description:"Usage bootstrap authentication for bootstrap tokens" default:"true"`
+			UsageBootstrapSigning        string         `long:"bootstraptoken.usage-bootstrap-signing"         env:"BOOTSTRAPTOKEN_USAGE_BOOTSTRAP_SIGNING"            description:"usage bootstrap signing for bootstrap tokens" default:"true"`
+			AuthExtraGroups              string         `long:"bootstraptoken.auth-extra-groups"               env:"BOOTSTRAPTOKEN_AUTH_EXTRA_GROUPS"                  description:"Auth extra groups for bootstrap tokens" default:"system:bootstrappers:worker,system:bootstrappers:ingress"`
+			Expiration                   *time.Duration `long:"bootstraptoken.expiration"                      env:"BOOTSTRAPTOKEN_EXPIRATION"                         description:"Expiration (time.Duration) for bootstrap tokens" default:"8760h"`
+			TokenLength                  uint           `long:"bootstraptoken.token-length"                    env:"BOOTSTRAPTOKEN_TOKEN_LENGTH"                       description:"Length of the random token string for bootstrap tokens" default:"16"`
+			TokenRunes                   string         `long:"bootstraptoken.token-runes"                     env:"BOOTSTRAPTOKEN_TOKEN_RUNES"                        description:"Runes which should be used for the random token string for bootstrap tokens" default:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"`
+		}
+
+		Sync struct {
+			Time           time.Duration `long:"sync.time"               env:"SYNC_TIME"                 description:"Sync time (time.Duration)" default:"1h"`
+			RecreateBefore time.Duration `long:"sync.recreate-before"    env:"SYNC_RECREATE_BEFORE"      description:"Time duration (time.Duration) when token should be recreated" default:"2190h"`
+		}
+
+		CloudProvider struct {
+			Provider *string `long:"cloud-provider"  env:"CLOUD_PROVIDER"       description:"Cloud provider" choice:"azure" required:"true"`
+			Config   *string `long:"cloud-config"    env:"CLOUD_CONFIG"         description:"Cloud provider configuration path"`
+
+			Azure struct {
+				Environment        *string `long:"azure-environment"            env:"AZURE_ENVIRONMENT"                description:"Azure environment name"`
+				KeyVaultName       *string `long:"azure.keyvault-name"          env:"AZURE_KEYVAULT_NAME"              description:"Name of Keyvault to sync token"`
+				KeyVaultSecretName *string `long:"azure.keyvault-secret-name"   env:"AZURE_KEYVAULT_SECRET_NAME"       description:"Name of Keyvault secret to sync token"`
+			}
+		}
+
+		// general options
+		DryRun     bool   `long:"dry-run"  env:"DRY_RUN"       description:"Dry run (do not apply to nodes)"`
+		ServerBind string `long:"bind"     env:"SERVER_BIND"   description:"Server address"     default:":8080"`
+	}
+)
+
+func (o *Opts) GetJson() []byte {
+	jsonBytes, err := json.Marshal(o)
+	if err != nil {
+		log.Panic(err)
+	}
+	return jsonBytes
+}

deployment/config.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-pool-manager
+  namespace: kube-system
+data:
+  pools.yaml: |
+    pools:
+      - pool: agents
+        selector:
+          - path: "{.spec.providerID}"
+            regexp: "^.+virtualMachineScaleSets\\/aks-agents-35471996-vmss\\/.+$"
+        node:
+          roles: [agents]
+          #configSource:
+          #  configMap:
+          #    name: kubelet-config
+          #    namespace: kube-system
+          #    kubeletConfigKey: kubelet
+          labels:
+            webdevops.io/testing: true
+          annotations:
+            webdevops.io/testing: 2

deployment/deployment.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-pool-manager
+  namespace: kube-system
+  labels:
+    app: kube-pool-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kube-pool-manager
+  template:
+    metadata:
+      labels:
+        app: kube-pool-manager
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/path: /metrics
+        prometheus.io/port: "8080"
+    spec:
+      serviceAccountName: kube-pool-manager
+      containers:
+        - name: kube-pool-manager
+          image: webdevops/kube-pool-manager:development
+          imagePullPolicy: Always
+          env:
+            - name: CONFIG
+              value: "/config/pools.yaml"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop: ['ALL']
+          ports:
+            - containerPort: 8080
+              name: http-metrics
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 100Mi
+            requests:
+              cpu: 1m
+              memory: 100Mi
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          configMap:
+            name: kube-pool-manager
+
+