Merge pull request #28 from itdove/revoke_token

Revoke token

Author: openshift-merge-robot

CHANGELOG.md

@@ -1,6 +1,10 @@
 [comment]: # ( Copyright Contributors to the Open Cluster Management project )
 # Release Content
+## Additions
+- Add `clusteradm delete token` [Create cmd to revoke the bootstrap token](https://github.com/open-cluster-management-io/clusteradm/issues/23)
 
-- Add support for non-bootstrap token enabled environment [issue 16](https://github.com/open-cluster-management-io/clusteradm/issues/16)
-- Avoid to run the `clusteradm init` twice on the hub [issue 21](https://github.com/open-cluster-management-io/clusteradm/issues/21)
-- Add command `clusteradm get token` [issue 22](https://github.com/open-cluster-management-io/clusteradm/issues/22)
+## Breaking Changes
+
+## Changes
+
+## Bug Fixes

VERSION.txt

@@ -1 +1 @@
-0.1.0-alpha.3
+0.1.0-alpha.4

build/run-functional-tests.sh

@@ -69,7 +69,7 @@ function joinscenario() {
    CMDJOINRESULT=$(join_hub "${CMDINITRESULT}" $1)
    echo "join command result: "$CMDJOINRESULT >&2
 
-   echo "Wait 4 min to stabilize" >&2
+   echo "Wait 4 min maximum to stabilize" >&2
 
    kubectl config use-context kind-${CLUSTER_NAME}-hub
    CMDACCEPTRESULT=$(accept_cluster "${CMDJOINRESULT}")
@@ -85,17 +85,18 @@ function joinscenario() {
 
 function gettokenscenario() {
    echo "gettokenscenario 1st parameter: "$1 >&2
+   echo "gettokenscenario 2nd parameter: "$2 >&2
    echo "get token from hub" >&2
    kubectl config use-context kind-${CLUSTER_NAME}-hub 
-   CMGETTOKENRESULT=$(gettoken)
+   CMGETTOKENRESULT=$(gettoken $2)
    echo "get token command result: "$CMGETTOKENRESULT >&2
 
    echo "join hub" >&2
    kubectl config use-context kind-${CLUSTER_NAME}-$1
    CMDJOINRESULT=$(join_hub "${CMGETTOKENRESULT}" $1)
    echo "join command result: "$CMDJOINRESULT >&1
 
-   echo "Wait 4 min to stabilize" >&2
+   echo "Wait 4 min maximum to stabilize" >&2
 
    kubectl config use-context kind-${CLUSTER_NAME}-hub
    CMDACCEPTRESULT=$(accept_cluster "${CMDJOINRESULT}")
@@ -107,6 +108,22 @@ function gettokenscenario() {
    else
       echo "accept command result: "$CMDACCEPTRESULT >&2
    fi
+
+   echo "delete token" >&2
+   clusteradm delete token
+      if [ $? != 0 ]
+   then
+      echo "accept command result: "$CMDACCEPTRESULT >&2
+      ERROR_REPORT=$ERROR_REPORT+"no CSR get approved\n"
+   fi
+
+   echo "get token from hub" >&2
+   kubectl config use-context kind-${CLUSTER_NAME}-hub 
+   CMGETTOKENRESULT2=$(gettoken $2)
+   if [ "$CMGETTOKENRESULT" == "$CMGETTOKENRESULT2" ]
+   then
+     ERROR_REPORT=$ERROR_REPORT+"new token identical as previous token after delete"
+   fi
 }
 
 echo "With bootstrap token"
@@ -132,7 +149,7 @@ kind delete cluster --name ${CLUSTER_NAME}-c1
 kind create cluster --name ${CLUSTER_NAME}-c2
 echo "Joining with get token and bootstrap token"
 echo "------------------------------------------"
-gettokenscenario c2
+gettokenscenario c2 --use-bootstrap-token 
 
 kind delete cluster --name ${CLUSTER_NAME}-hub
 kind delete cluster --name ${CLUSTER_NAME}-c2

cmd/clusteradm.go

@@ -18,6 +18,7 @@ import (
 	"open-cluster-management.io/clusteradm/pkg/cmd/version"
 
 	acceptclusters "open-cluster-management.io/clusteradm/pkg/cmd/accept"
+	deletecmd "open-cluster-management.io/clusteradm/pkg/cmd/delete"
 	"open-cluster-management.io/clusteradm/pkg/cmd/get"
 	inithub "open-cluster-management.io/clusteradm/pkg/cmd/init"
 	joinhub "open-cluster-management.io/clusteradm/pkg/cmd/join"
@@ -65,6 +66,7 @@ func main() {
 			Message: "Registration commands:",
 			Commands: []*cobra.Command{
 				get.NewCmd(clusteradmFlags, streams),
+				deletecmd.NewCmd(clusteradmFlags, streams),
 				inithub.NewCmd(clusteradmFlags, streams),
 				joinhub.NewCmd(clusteradmFlags, streams),
 				acceptclusters.NewCmd(clusteradmFlags, streams),

pkg/cmd/delete/cmd.go

@@ -0,0 +1,21 @@
+// Copyright Contributors to the Open Cluster Management project
+package get
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"open-cluster-management.io/clusteradm/pkg/cmd/delete/token"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+// NewCmd provides a cobra command wrapping NewCmdImportCluster
+func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "delete",
+		Short: "delete a resource",
+	}
+
+	cmd.AddCommand(token.NewCmd(clusteradmFlags, streams))
+
+	return cmd
+}

pkg/cmd/delete/token/cmd.go

@@ -0,0 +1,47 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"fmt"
+
+	"open-cluster-management.io/clusteradm/pkg/helpers"
+
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+var example = `
+# Get the bootstrap token
+%[1]s get token
+`
+
+// NewCmd ...
+func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *cobra.Command {
+	o := newOptions(clusteradmFlags, streams)
+
+	cmd := &cobra.Command{
+		Use:          "token",
+		Short:        "get the bootsrap token",
+		Example:      fmt.Sprintf(example, helpers.GetExampleHeader()),
+		SilenceUsage: true,
+		PreRun: func(c *cobra.Command, args []string) {
+			helpers.DryRunMessage(o.ClusteradmFlags.DryRun)
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			if err := o.complete(c, args); err != nil {
+				return err
+			}
+			if err := o.validate(); err != nil {
+				return err
+			}
+			if err := o.run(); err != nil {
+				return err
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}

pkg/cmd/delete/token/exec.go

@@ -0,0 +1,94 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"open-cluster-management.io/clusteradm/pkg/config"
+	"open-cluster-management.io/clusteradm/pkg/helpers"
+
+	"github.com/spf13/cobra"
+
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/client-go/kubernetes"
+)
+
+func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
+	return nil
+}
+
+func (o *Options) validate() error {
+	restConfig, err := o.ClusteradmFlags.KubectlFactory.ToRESTConfig()
+	if err != nil {
+		return err
+	}
+
+	apiExtensionsClient, err := apiextensionsclient.NewForConfig(restConfig)
+	if err != nil {
+		return err
+	}
+	installed, err := helpers.IsClusterManagerInstalled(apiExtensionsClient)
+	if err != nil {
+		return err
+	}
+	if !installed {
+		return fmt.Errorf("this is not a hub")
+	}
+	return err
+}
+
+func (o *Options) run() error {
+
+	kubeClient, err := o.ClusteradmFlags.KubectlFactory.KubernetesClientSet()
+	if err != nil {
+		return err
+	}
+
+	if o.ClusteradmFlags.DryRun {
+		return nil
+	}
+
+	return o.deleteToken(kubeClient)
+}
+
+func (o *Options) deleteToken(kubeClient *kubernetes.Clientset) error {
+	//Delete bootstrap token bindings
+	err := kubeClient.RbacV1().ClusterRoleBindings().Delete(context.TODO(), config.BootstrapClusterRoleBindingName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	err = kubeClient.RbacV1().ClusterRoleBindings().Delete(context.TODO(), config.BootstrapClusterRoleBindingSAName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+
+	//Delete Roles
+	err = kubeClient.RbacV1().ClusterRoles().Delete(context.TODO(), config.BootstrapClusterRoleName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+
+	//Detele bootstrap token secret
+	secret, err := helpers.GetBootstrapSecret(kubeClient)
+	if err == nil {
+		err = kubeClient.CoreV1().Secrets(secret.Namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
+		if err != nil && !errors.IsNotFound(err) {
+			return err
+		}
+	}
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	//Delete service account
+	err = kubeClient.CoreV1().ServiceAccounts(config.OpenClusterManagementNamespace).Delete(context.TODO(), config.BootstrapSAName, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	//No need to delete the secret containing the token
+	//as it will be automatically deleted because the SA is deleted
+	return nil
+}

pkg/cmd/delete/token/options.go

@@ -0,0 +1,19 @@
+// Copyright Contributors to the Open Cluster Management project
+package token
+
+import (
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	genericclioptionsclusteradm "open-cluster-management.io/clusteradm/pkg/genericclioptions"
+)
+
+//Options: The structure holding all the command-line options
+type Options struct {
+	//ClusteradmFlags: The generic optiosn from the clusteradm cli-runtime.
+	ClusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags
+}
+
+func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *Options {
+	return &Options{
+		ClusteradmFlags: clusteradmFlags,
+	}
+}

pkg/cmd/init/scenario/init/bootstrap_sa_cluster_role_binding.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-bootstrap
+  name: cluster-bootstrap-sa
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

pkg/config/env.go

@@ -3,9 +3,12 @@
 package config
 
 const (
-	OpenClusterManagementNamespace = "open-cluster-management"
-	BootstrapSAName                = "cluster-bootstrap"
-	ClusterManagerName             = "cluster-manager"
-	LabelApp                       = "app"
-	BootstrapSecretPrefix          = "bootstrap-token-"
+	OpenClusterManagementNamespace    = "open-cluster-management"
+	BootstrapSAName                   = "cluster-bootstrap"
+	BootstrapClusterRoleBindingName   = "cluster-bootstrap"
+	BootstrapClusterRoleBindingSAName = "cluster-bootstrap-sa"
+	BootstrapClusterRoleName          = "system:open-cluster-management:bootstrap"
+	ClusterManagerName                = "cluster-manager"
+	LabelApp                          = "app"
+	BootstrapSecretPrefix             = "bootstrap-token-"
 )