Kubeadm: Better usability for the join token

Created on 4 Nov 2017  ·  22Comments  ·  Source: kubernetes/kubeadm

/kind feature
@kubernetes/sig-cli
What happened:
I have discovered that it is not so easy to add new machines if you do not have the original join string output from kubeadm. "Is there a way to generate the whole join command? I feel like I have to reset the entire cluster to be able to "reach" the magic string" (c) @alexellis

What you expected to happen:
Like in Docker Swarm, you can always tell the master to print a copy-pastable join string to add.. or assimilate? more machines.

Example input:

kubeadm token string

Example output:

kubeadm join --token TOK MASTER_IP:6443 --discovery-token-ca-cert-hash sha256:HASH

Anything else we need to know?:
You are awesome!

(Follow-up from: https://github.com/kubernetes/kubernetes/pull/41663)
@luxas @mattmoyer @jamiehannaford

All 22 comments

+1 on something like this.

Some riffs on this idea:

  • A new kubeadm ca-cert-hash command (name TBD) that just prints out the current CA hash. This would basically be the same thing as the openssl command we give in the kubeadm join docs.
  • Add a --print-join-command flag for kubeadm token create that prints out the whole join command just like kubeadm init does. This would hopefully make it easy to automate around by running something like kubeadm token create --print-join-command >> worker_init.sh during provisioning.
  • A new command kubeadm token get <token id> that gets the full token given the ID, with a --print-join-command flag to optionally print the full join command instead of just the token.

Thanks for tagging me in this. Take a note from the UX of Docker Swarm - at any point you can type in docker swarm join-token worker and have a command to paste into a worker or to send over SSH. With Kubeadm it's so hard I literally tear down the cluster to add a new node - I'm pretty confident with CLIs so I'm sure I'm not the only one.

Also the init output is so heavy you can't really get just the join command and stash it somewhere... currently I'm resorting to kubeadm init ... | grep 'kubeadm join --token' > /some_file.
Would be cool to have a quiet mode where the only thing on stdout is the join command.

Anyway, what is the way to get that ca-cert-hash right now? Of course, the kubeadm init output is long gone at this point... and I didn't save it expecting it would be easy to extract that info later, on demand.

I managed to get join token with kubeadm token list and joined another node with kubeadm join --token, but it is saying:

[validation] WARNING: using token-based discovery without DiscoveryTokenCACertHashes can be unsafe (see https://kubernetes.io/docs/admin/kubeadm/#kubeadm-join).
[validation] WARNING: Pass --discovery-token-unsafe-skip-ca-verification to disable this warning. This warning will become an error in Kubernetes 1.9.

So, before it becomes error, how do I pass that parameter? Thanks for any help!

@zcalusic the current way is to calculate the hash with OpenSSL like this (run on the master or wherever you have a copy of /etc/kubernetes/pki/ca.crt):

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

Thank you @mattmoyer for the hint. Your oneliner worked perfectly.

Of course, I must agree that --print-join-command would be much better user experience.

Agree with --print-join-command

We concluded in the SIG meeting that we're gonna proceed with both https://github.com/kubernetes/kubernetes/pull/55468 _and_ this feature addition.
We'll see in what form exactly in a bit

This was discussed on the November 21, 2017 zoom call; minutes for that call are at https://docs.google.com/document/d/1deJYPIF4LmhGjDVaqrswErIrV7mtwJgovtLnPCDxP7U/edit#

I just had a quick look on this yesterday but haven't worked on it yet :)

Add a --print-join-command flag for kubeadm token create that prints out the whole join command just like kubeadm init does. This would hopefully make it easy to automate around by running something like kubeadm token create --print-join-command >> worker_init.sh during provisioning.

If we prefer this one, I think there is already the same logic in bootstrap token create. We can use that here.

A new command kubeadm token get <token id> that gets the full token given the ID, with a --print-join-command flag to optionally print the full join command instead of just the token.

I prefer this one personally. But it seems like both ideas need more context when implementing, e.g., we need MasterConfiguration to get the apiserver advertise address. Currently token create doesn't have the config.

UPDATE: maybe we can implement both of the ideas? @luxas @mattmoyer

I implemented just the first idea in https://github.com/kubernetes/kubernetes/pull/56185. I'm not opposed to implementing the kubeadm get idea also, but we're short on time.

Instead of creating a new kubeadm get, IMO we should print the hash/the kubeadm join statement at the end of the already existing kubeadm token list.

I think kubeadm token list --print-join-command would be great!

I like that idea @luxas. I think we could make it less verbose, I find I'm typing very long flags kubeadm compared to the docker CLI.

kubeadm token list --verbose

kubeadm token list --tokens

kubeadm token list --join-token

kubeadm token list --verbose|-v works for me as well

Hey, is this done?
How can I get the token to join new nodes in my cluster?

@tzurE it's merged but not released yet, it will be part of Kubernetes 1.9 which is scheduled to be released later this week.

The new functionality allows you to run this command to join nodes:

# on a master node (or any node with admin access to your cluster)
$ kubeadm token create --print-join-command
kubeadm join --token 447067.20b55955bd6abe6c 192.168.99.100:8443 --discovery-token-ca-cert-hash sha256:17023a5c90b996e50c514e63e161e46f78be216fd48c0c3df3be67e008b28889
# on the new node (copy-pasted from the output above)
$ kubeadm join --token 447067.20b55955bd6abe6c 192.168.99.100:8443 --discovery-token-ca-cert-hash sha256:17023a5c90b996e50c514e63e161e46f78be216fd48c0c3df3be67e008b28889
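The hash in that join command (and in the openssl one-liner earlier in the thread) is a SHA-256 over the CA certificate's DER-encoded SubjectPublicKeyInfo, so it pins the CA public key rather than the whole certificate. As an added example that is not kubeadm's code nor any commenter's, the Python below extracts those bytes from a PEM ca.crt without openssl, computes and verifies the hash, and composes the join command; the certificate embedded in it is constructed with placeholder fields purely so the script runs offline, and the token and endpoint values are placeholders.

```python
import base64
import hashlib
import re

def _der_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_pem(pem: str) -> bytes:
    """Return the DER SubjectPublicKeyInfo (header included): the bytes that get hashed."""
    cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert_body, _ = _der_tlv(cert, 0)           # Certificate SEQUENCE
    _, tbs, _ = _der_tlv(cert_body, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = _der_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0               # skip optional [0] version
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = _der_tlv(tbs, pos)
    _, _, end = _der_tlv(tbs, pos)                # subjectPublicKeyInfo
    return tbs[pos:end]

def ca_cert_hash(pem: str) -> str:
    """Value for --discovery-token-ca-cert-hash, same as the openssl pipeline."""
    return "sha256:" + hashlib.sha256(spki_from_pem(pem)).hexdigest()

def verify_ca_cert_hash(pem: str, claimed: str) -> bool:
    """True if a hash handed to a joining node really matches this CA cert."""
    return claimed.strip().lower() == ca_cert_hash(pem)

def join_command(pem: str, token: str, endpoint: str) -> str:
    return (f"kubeadm join --token {token} {endpoint} "
            f"--discovery-token-ca-cert-hash {ca_cert_hash(pem)}")

# Constructed sample: structurally valid DER with empty placeholder fields, not a
# real certificate. On a master the real input is /etc/kubernetes/pki/ca.crt.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body          # short-form lengths only
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
                   + _der(0x03, b"\x00" + bytes(range(16))))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, b"") * 4 + SAMPLE_SPKI)
_cert = _der(0x30, _tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_cert).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(join_command(SAMPLE_PEM, "TOKEN_PLACEHOLDER", "MASTER_IP:6443"))
```

To use it against a real cluster, read /etc/kubernetes/pki/ca.crt into `pem` and a token from `kubeadm token list`; the output hash will match the openssl one-liner from the thread.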

nice, thank you.
is there a solution in the meantime? A way to extract it not using the regular commands?

Hi @mattmoyer

The command "kubeadm token create --print-join-command" works great in 1.9. But I am getting NotReady status on my node. I am using Ubuntu 16.04 with k8s 1.9.0. Any suggestions?

@siddharthjoshi745 Deploy a Pod Network like Weave Net (as can be seen in our docs).
Please don't comment on old issues though, instead open a new one if you've found something wrong, or ask for help on Slack
Have a great day!

How can we output just one value? Say the token or the discovery token sha, etc..