🐛 Only refresh bootstrap token if needed, requeue in all cases where node hasn't joined yet

[AndiDog]

What this PR does / why we need it:

Right now, the bootstrap token is refreshed every time until nodes have joined. This creates unnecessary etcd writes. Only extend the expiry timestamp (called "refresh" in code) if we're getting a bit closer to reaching it. Particularly if KubeadmConfig reconciliation is triggered from other sources than CAPA's RequeueAfter interval, this can pile up to quite noisy logs and API accesses.

Along the way, I did some other improvements and will add inline comments to explain.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

This was a drive-by along the way of fixing giantswarm/roadmap#2217, but isn't really related.

/area provider/bootstrap-kubeadm
/area testing

[k8s-ci-robot]

Hi @AndiDog. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/ok-to-test

[AndiDog]

Refresh if 1/6-th of the TTL has passed. We can still change this, but since RequeueAfter is now consistently r.TokenTTL / 3 (which I consider a sane value even for intermittent errors), the next regular reconciliation would refresh.

[CecileRobertMichon]

Let's add a code comment here that explains this

Since this value needs to be tightly coupled with tokenCheckRefreshOrRotationInterval, we might want to either define them in the same place in the code or make them depend on each other so we don't inadvertently change one but not the other in the future.

[AndiDog]

Added a helper function so this is found next to func tokenCheckRefreshOrRotationInterval, and added comments how both are related

[AndiDog]

Consistency. Also, if we only reconcile twice within the TTL, the first reconciliation at halftime (TTL / 2) must not fail. Better give more chances if there are intermittent errors.

[AndiDog]

This and the below code line change were IMO missing cases where the reconciler returned that no requeueing is needed, but we need that while nodes haven't joined since the token may expire. It's covered in a changed test, so please double-check if that makes sense.

[fabriziopandini]

I don't think this change is necessary.
reconcileDiscovery takes care of creating the token, it is not linked to the refresh token process

[AndiDog]

It creates the bootstrap token (via the function createToken) and sets expiry like this:

bootstrapapi.BootstrapTokenExpirationKey:       []byte(time.Now().UTC().Add(ttl).Format(time.RFC3339)),

So as soon as that happened, we need to periodically refresh. But since we check for !res.IsZero() (= "does the result requeue?"), I also think this change doesn't really make sense at this location. Removing it.

[fabriziopandini]

if we are changing this here, please add a comment explaining why we are requeing, eg.
// joinWorker completed, ensuring to reconcile this object again so we keep refreshing the bootstrap token until it is consumed

Also the same change should be applied to joinControlPlane

[AndiDog]

Both done 👌

[enxebre]

nit: given this is using r.TokenTTL / 3 in multiple places I'd put it in a var e.g tokenRequeueAfter that is invoked everywhere so there's no chance to skew in future changes.

[AndiDog]

done

[AndiDog]

This API diff was detected as test error:

NewTestClusterCacheTracker: changed from func(github.com/go-logr/logr.Logger, sigs.k8s.io/controller-runtime/pkg/client.Client, *k8s.io/apimachinery/pkg/runtime.Scheme, k8s.io/apimachinery/pkg/types.NamespacedName, ...string) *ClusterCacheTracker to func(github.com/go-logr/logr.Logger, sigs.k8s.io/controller-runtime/pkg/client.Client, sigs.k8s.io/controller-runtime/pkg/client.Client, *k8s.io/apimachinery/pkg/runtime.Scheme, k8s.io/apimachinery/pkg/types.NamespacedName, ...string) *ClusterCacheTracker

What do I need to do here? I changed the function signature on purpose.

[AndiDog]

@enxebre @fabriziopandini The requested changes are included. We found in chat that the apidiff test error is not mandatory, so I think we should go ahead since only a test function signature was changed. If that change makes sense, please have a look since I think this PR is ready now.

[fabriziopandini]

changes looks good to me, but it would be great if someone else give a look at this

/test pull-cluster-api-e2e-full-main

[AndiDog]

changes looks good to me, but it would be great if someone else give a look at this

@enxebre Would you like to have a closer look?

[AndiDog]

@enxebre @JoelSpeed could you review this one? Thank you.

[neolit123]

security people might not agree with keeping bootstrap tokens for longer periods of time
kubernetes/kubernetes#119639

if CAPI is keeping them as a maximum of 24h, sgtm.

[CecileRobertMichon]

lgtm overall, a few minor comments

[CecileRobertMichon]

would it make sense to log how much time is left before expiration, maybe as a higher verbosity for debugging purposes?

[AndiDog]

Changed to V(2) and added tokenExpiresInSeconds log field

[CecileRobertMichon]

Let's add a code comment here that explains this

Since this value needs to be tightly coupled with tokenCheckRefreshOrRotationInterval, we might want to either define them in the same place in the code or make them depend on each other so we don't inadvertently change one but not the other in the future.

[AndiDog]

security people might not agree with keeping bootstrap tokens for longer periods of time kubernetes/kubernetes#119639

if CAPI is keeping them as a maximum of 24h, sgtm.

We have refresh (token does not expire while the node didn't join) vs. rotation (machine pools only – keep creating a new token so that new nodes can start up at any time). There's no time limit for the refresh case, though. If we think this is problematic, we should tackle it in a separate issue. My PR only fixes the constant refreshing (= changing expiration value on the Secret) on every reconciliation, which is really just a minor bug and not changing the security stance, I think.

[AndiDog]

I addressed the review comments and also tested the change manually.

[AndiDog]

Added a helper function so this is found next to func tokenCheckRefreshOrRotationInterval, and added comments how both are related

[AndiDog]

Changed to V(2) and added tokenExpiresInSeconds log field

[CecileRobertMichon]

/lgtm
/assign @fabriziopandini @enxebre

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: b8685357062becbf5762a0b9443cf49999eb7c98

[vincepri]

In which case would the expiration be empty?

[AndiDog]

It shouldn't be, as of CAPA code. However external operators and humans interact with Kubernetes as well, so this is regular error handling code for the mere theoretical possibility of this happening.

[vincepri]

This comment says we have "lots of time", although the check above only checks that the expiration is within the window

[AndiDog]

"lots" seems misleading indeed. It's rather "enough time as of call to skipTokenRefreshIfExpiringAfter()". The log message provides enough code explanation here, so I removed the comment.

[vincepri]

Was the name/comment a leftover? The function just returns a duration, rather than a duration from now

[AndiDog]

Fixed

[AndiDog]

@vincepri Please have a look. I've pushed merge+changes so you can still see in GitHub what exactly has changed (hopefully). I can squash to a single commit once all looks okay.

[vincepri]

ok good to squash for me!

[vincepri]

LGTM
@sbueringer do you want to give it a pass?

[sbueringer]

Yup would be good. I hope I get around to it in the next few days

[sbueringer]

Looks good to me.

But not exactly an expert on this part of our code

/assign @fabriziopandini

[AndiDog]

@sbueringer I applied both suggestions.

[k8s-ci-robot]

@AndiDog: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-apidiff-main	9529aea	link	false	/test pull-cluster-api-apidiff-main

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[sbueringer]

Thx!

/lgtm

/assign @fabriziopandini

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 814237ec9de63ed8a38fa634944394d546e63898

[sbueringer]

/test pull-cluster-api-e2e-main

[vincepri]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vincepri

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [vincepri]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment