Skip to content

Allow using K0S_TOKEN environ as source of Join token #6766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
s3rj1k wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Allow using K0S_TOKEN environ as source of Join token #6766

s3rj1k wants to merge 3 commits into from
+265 −52

Conversation

@s3rj1k
Copy link
Contributor

@s3rj1k s3rj1k commented Dec 3, 2025
edited
Loading

Implements ability to pass Join token via K0S_TOKEN environ.

How to test (Needs 3 test nodes):

CP Node 1
    k0s install controller \
        --enable-dynamic-config \
        --disable-components=konnectivity-server \
        --enable-worker \
        --no-taints \
        --kubelet-root-dir=/var/lib/kubelet \
        --verbose
    systemctl enable --now k0scontroller

    k0s token create
    k0s token create --role controller

Worker Node 1
    k0s install worker --env K0S_TOKEN="***" --kubelet-root-dir=/var/lib/kubelet --verbose
    systemctl enable --now k0sworker

CP Node 2
    k0s install controller \
        --enable-dynamic-config \
        --disable-components=konnectivity-server \
        --enable-worker \
        --no-taints \
        --kubelet-root-dir=/var/lib/kubelet \
        --env K0S_TOKEN="***" \
        --verbose
    systemctl enable --now k0scontroller

This is alternative to #6755

@s3rj1k s3rj1k force-pushed the token-from-env branch 8 times, most recently from 09f0c7d to b8a7fd6 Compare December 3, 2025 15:23
@s3rj1k s3rj1k marked this pull request as ready for review December 3, 2025 15:24
@s3rj1k s3rj1k requested review from a team as code owners December 3, 2025 15:24
@s3rj1k s3rj1k requested review from jnummelin and makhov December 3, 2025 15:24
@s3rj1k s3rj1k mentioned this pull request Dec 3, 2025
Draft
twz123
twz123 reviewed Dec 4, 2025
View reviewed changes
Copy link
Member

@twz123 twz123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add some sentences / an example about the environment variable to the documentation, e.g. to k0s-multi-node.md?

pkg/token/tokendata.go Outdated
}

if tokenSources > 1 {
return "", fmt.Errorf("you can only pass one token source: either as a CLI argument, via '--token-file [path]', or via the %s environment variable", constant.EnvVarToken)
Copy link
Member

@twz123 twz123 Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't make the presence of the environment variable a hard error. It should rather be a fallback if the token hasn't been passed as an arg or via the file flag.

Copy link
Contributor Author

@s3rj1k s3rj1k Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be unclear in that case what token was used, do you want to add ambiguous behavior and solve that by extending documentation and telling people why passing token via env won't take precedence over a flag?

Copy link
Member

@twz123 twz123 Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it's standard behavior, isn't it? We have a flag (although it's an optional arg in this case), and a related environment variable as a fallback. If the flag (arg) is present, it'll use that, if the flag is missing, it'll fall back to the env.

Copy link
Contributor Author

@s3rj1k s3rj1k Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, it is not standard, what you are describing is optional reconfiguration with environ, PR is after having a clear way of setting token only with one option and if that fails report error instead of trying to run k0s cluster and fail expectation

cmd/controller/controller.go
if len(args) > 0 {
c.TokenArg = args[0]
}
if c.TokenArg != "" && c.TokenFile != "" {
Copy link
Member

@twz123 twz123 Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to leave this check in place (or refactor it out and reuse it here via a function, whichever makes more sense.) We should verify the command line's correctness before attempting to do anything.

Copy link
Contributor Author

@s3rj1k s3rj1k Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hopefully handled by internal.CheckSingleTokenSource

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@twz123 twz123 twz123 left review comments

@makhov makhov Awaiting requested review from makhov makhov is a code owner automatically assigned from k0sproject/k0s-maintainers

@jnummelin jnummelin Awaiting requested review from jnummelin jnummelin is a code owner automatically assigned from k0sproject/k0s-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@s3rj1k @twz123