Server Token Rotation

[dereknola]

Proposed Changes

• Adds a new subcommand k3s token rotate which enables a user to rotate the initial server token.
• Expands existing E2E token test to include this new command
• Compact CertCommand functions

Types of Changes

New Feature

Verification

Single node:

• Start k3s with token 1234
• if root, with access to /var/lib/rancher/k3s/server/token run: k3s token rotate --new-token=6789
• if not root, or non access, run: k3s token rotate --token 1234 --new-token=6789
• Restart k3s with new token 6789

HA:

• Start k3s servers with token 1234
• if root, with access to /var/lib/rancher/k3s/server/token run: k3s token rotate --new-token=6789
• if not root, or non access, run: k3s token rotate --token 1234 --new-token=6789
• Restart all k3s servers with new token 6789

Testing

New Testlets in E2E test

Linked Issues

#8264

User-Facing Change

Users can now rotate the server token using `k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>`. After command succeeds, all server nodes must be restarted with the new token.

Further Comments

[codecov]

Codecov Report

Attention: 139 lines in your changes are missing coverage. Please review.

Comparison is base (ced25af) 44.73% compared to head (a250c6a) 49.31%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8265      +/-   ##
==========================================
+ Coverage   44.73%   49.31%   +4.58%     
==========================================
  Files         140      141       +1     
  Lines       14738    14902     +164     
==========================================
+ Hits         6593     7349     +756     
+ Misses       7031     6333     -698     
- Partials     1114     1220     +106     

Flag	Coverage Δ
e2etests	48.61% <32.27%> (?)
inttests	44.45% <27.97%> (-0.28%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
cmd/server/main.go	100.00% <100.00%> (ø)
pkg/cli/cmds/certs.go	100.00% <100.00%> (ø)
pkg/cli/cmds/token.go	100.00% <100.00%> (ø)
pkg/daemons/control/deps/deps.go	59.07% <ø> (+0.63%)	⬆️
pkg/server/router.go	53.10% <100.00%> (+4.09%)	⬆️
pkg/cli/token/token.go	0.00% <0.00%> (ø)
pkg/cluster/storage.go	36.90% <6.97%> (+1.40%)	⬆️
pkg/server/token.go	1.58% <1.58%> (ø)

... and 40 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cwayne18]

cc @jakefhyde @Oats87 in case you want to look over

[DerRockWolf]

@dereknola is this feature complete and usable?
I'm asking because the docs still say, e.g.,:

This token cannot be changed once the cluster has been created.

All the location I found:

• https://docs.k3s.io/advanced#token-management
• https://docs.k3s.io/cli/token#server

https://docs.k3s.io/cli/token#k3s-token-rotate is the only location that says that rotation is possible.