
kb for ttl-workaround
ibrokethecloud committed May 17, 2024
1 parent ffa0c66 commit 84f3669
Showing 2 changed files with 78 additions and 0 deletions.
Binary file added kb/2024-05-17/imgs/cloud-credentials.png
78 changes: 78 additions & 0 deletions kb/2024-05-17/modify_cloud_credential_ttl.md
@@ -0,0 +1,78 @@
---
title: Modifying TTL for Harvester Cloud Credential
description: How to modify TTL for newly imported Harvester cloud credentials in Rancher 2.8.x.
slug: modify_harvester_cloud_credential_ttl
authors:
- name: Gaurav Mehta
title: Staff Software Engineer
url: https://github.com/ibrokethecloud
image_url: https://github.com/ibrokethecloud.png
tags: [harvester, cloud credentials, rancher]
hide_table_of_contents: false
---

## Kubeconfig token expiry in Rancher 2.8.x

Rancher 2.8.x has introduced a new [kubeconfig-default-token-ttl-minutes](https://ranchermanager.docs.rancher.com/api/api-tokens#kubeconfig-default-token-ttl-minutes) setting. As highlighted in the document the default value for this setting is 30 days.

A side effect of this issue, has been the expiry of kubeconfig tokens used by rancher in provisioning downstream clusters on Harvester.

When the cloud credential token expires, the end users cannot perform any further cluster management operations on downstream clusters on Harvester. An issue tracking the same is available [here.](https://github.com/rancher/rancher/issues/44912)

**NOTE:** This only impacts Harvester cloud credentials created after installing or upgrading to Rancher 2.8.x

## Workaround

Users can manually patch the token CRD associated with cloud credentials to avoid them from expiring by following these steps:

1. Identify harvester cloud credentials from the Rancher Cluster Management > Cloud Credentials page
![cloud_credentials](./imgs/cloud-credentials.png)

2. Using the kubeconfig of your local rancher cluster, identify the token associated with this credential by running the following command:
```shell
kubectl get secret cc-hcrbz -n cattle-global-data -o yaml | yq .data.harvestercredentialConfig-kubeconfigContent | base64 -d | yq '.users[].user.token' | awk -F ":" '{print $1}'
kubeconfig-user-db8f54wftw
```

3. Edit the token CRD on local cluster, and set the following two fields `expiresAt` to "" and `ttl` to 0.
```shell
kubectl edit token kubeconfig-user-db8f54wftw
```

End result would be a token CRD that looks something as follows:
```yaml
apiVersion: management.cattle.io/v3
authProvider: local
current: false
description: Kubeconfig token
expired: false
expiresAt: """
isDerived: true
kind: Token
lastUpdateTime: ""
metadata:
creationTimestamp: "2024-05-16T23:43:23Z"
generateName: kubeconfig-user-db8f5
generation: 2
labels:
authn.management.cattle.io/kind: kubeconfig
authn.management.cattle.io/token-userId: user-db8f5
cattle.io/creator: norman
name: kubeconfig-user-db8f54wftw
resourceVersion: "5423"
uid: 9ac06c43-bef1-49be-8653-590424a93d58
token: -----------------
ttl: 0
userId: user-db8f5
userPrincipal:
displayName: Default Admin
loginName: admin
me: true
metadata:
creationTimestamp: null
name: local://user-db8f5
principalType: user
provider: local
```
Post this change the kubeconfig token will be set to never expire and users should be able to continue managing downstream clusters on Harvester with Rancher 2.8.x
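Review bot: The sample Token manifest under step 3 has `expiresAt: """` with three quotes, which is not valid YAML and does not match the instruction to set `expiresAt` to ""; it should read `expiresAt: ""`. The end state is a kubeconfig token with `ttl: 0` that never expires, and the closing sentence presents that only as the fix; state the trade-off next to the steps so readers know they are creating a long-lived credential for the local Rancher cluster. In step 2, `cc-hcrbz` and `kubeconfig-user-db8f54wftw` are values from one environment, and the second line inside the shell block is output rather than a command; mark both as examples and separate the output from the command. In "A side effect of this issue", "issue" should be "setting", since the issue is only introduced in the following paragraph.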
