openyurtio · rambohe-ch · Jun 5, 2022 · Jun 1, 2022
@@ -0,0 +1,58 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// BootstrapToken describes one bootstrap token, stored as a Secret in the cluster
+// +k8s:deepcopy-gen=true
+type BootstrapToken struct {
+	// Token is used for establishing bidirectional trust between nodes and control-planes.
+	// Used for joining nodes in the cluster.
+	Token *BootstrapTokenString `json:"token" datapolicy:"token"`
+	// Description sets a human-friendly message why this token exists and what it's used
+	// for, so other administrators can know its purpose.
+	// +optional
+	Description string `json:"description,omitempty"`
+	// TTL defines the time to live for this token. Defaults to 24h.
+	// Expires and TTL are mutually exclusive.
+	// +optional
+	TTL *metav1.Duration `json:"ttl,omitempty"`
+	// Expires specifies the timestamp when this token expires. Defaults to being set
+	// dynamically at runtime based on the TTL. Expires and TTL are mutually exclusive.
+	// +optional
+	Expires *metav1.Time `json:"expires,omitempty"`
+	// Usages describes the ways in which this token can be used. Can by default be used
+	// for establishing bidirectional trust, but that can be changed here.
+	// +optional
+	Usages []string `json:"usages,omitempty"`
+	// Groups specifies the extra groups that this token will authenticate as when/if
+	// used for authentication
+	// +optional
+	Groups []string `json:"groups,omitempty"`
+}
+
+// BootstrapTokenString is a token of the format abcdef.abcdef0123456789 that is used
+// for both validation of the practically of the API server from a joining node's point
+// of view and as an authentication method for the node in the bootstrap phase of
+// "kubeadm join". This token is and should be short-lived
+type BootstrapTokenString struct {
+	ID     string `json:"-"`
+	Secret string `json:"-" datapolicy:"token"`
+}
@@ -1,5 +1,5 @@
 /*
-Copyright 2018 The Kubernetes Authors.
+Copyright 2021 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,9 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package kubeadm
+package v1
 
 import (
+	"fmt"
 	"sort"
 	"strings"
 	"time"
@@ -29,9 +30,61 @@ import (
 	bootstrapsecretutil "k8s.io/cluster-bootstrap/util/secrets"
 )
 
-// ToSecret converts the given BootstrapToken object to its Secret representation that
+// MarshalJSON implements the json.Marshaler interface.
+func (bts BootstrapTokenString) MarshalJSON() ([]byte, error) {
+	return []byte(fmt.Sprintf(`"%s"`, bts.String())), nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (bts *BootstrapTokenString) UnmarshalJSON(b []byte) error {
+	// If the token is represented as "", just return quickly without an error
+	if len(b) == 0 {
+		return nil
+	}
+
+	// Remove unnecessary " characters coming from the JSON parser
+	token := strings.Replace(string(b), `"`, ``, -1)
+	// Convert the string Token to a BootstrapTokenString object
+	newbts, err := NewBootstrapTokenString(token)
+	if err != nil {
+		return err
+	}
+	bts.ID = newbts.ID
+	bts.Secret = newbts.Secret
+	return nil
+}
+
+// String returns the string representation of the BootstrapTokenString
+func (bts BootstrapTokenString) String() string {
+	if len(bts.ID) > 0 && len(bts.Secret) > 0 {
+		return bootstraputil.TokenFromIDAndSecret(bts.ID, bts.Secret)
+	}
+	return ""
+}
+
+// NewBootstrapTokenString converts the given Bootstrap Token as a string
+// to the BootstrapTokenString object used for serialization/deserialization
+// and internal usage. It also automatically validates that the given token
+// is of the right format
+func NewBootstrapTokenString(token string) (*BootstrapTokenString, error) {
+	substrs := bootstraputil.BootstrapTokenRegexp.FindStringSubmatch(token)
+	// TODO: Add a constant for the 3 value here, and explain better why it's needed (other than because how the regexp parsin works)
+	if len(substrs) != 3 {
+		return nil, errors.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
+	}
+
+	return &BootstrapTokenString{ID: substrs[1], Secret: substrs[2]}, nil
+}
+
+// NewBootstrapTokenStringFromIDAndSecret is a wrapper around NewBootstrapTokenString
+// that allows the caller to specify the ID and Secret separately
+func NewBootstrapTokenStringFromIDAndSecret(id, secret string) (*BootstrapTokenString, error) {
+	return NewBootstrapTokenString(bootstraputil.TokenFromIDAndSecret(id, secret))
+}
+
+// BootstrapTokenToSecret converts the given BootstrapToken object to its Secret representation that
 // may be submitted to the API Server in order to be stored.
-func (bt *BootstrapToken) ToSecret() *v1.Secret {
+func BootstrapTokenToSecret(bt *BootstrapToken) *v1.Secret {
 	return &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      bootstraputil.BootstrapTokenSecretName(bt.Token.ID),
@@ -60,13 +113,13 @@ func encodeTokenSecretData(token *BootstrapToken, now time.Time) map[string][]by
 	if token.Expires != nil {
 		// Format the expiration date accordingly
 		// TODO: This maybe should be a helper function in bootstraputil?
-		expirationString := token.Expires.Time.Format(time.RFC3339)
+		expirationString := token.Expires.Time.UTC().Format(time.RFC3339)
 		data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(expirationString)
 
 	} else if token.TTL != nil && token.TTL.Duration > 0 {
 		// Only if .Expires is unset, TTL might have an effect
 		// Get the current time, add the specified duration, and format it accordingly
-		expirationString := now.Add(token.TTL.Duration).Format(time.RFC3339)
+		expirationString := now.Add(token.TTL.Duration).UTC().Format(time.RFC3339)
 		data[bootstrapapi.BootstrapTokenExpirationKey] = []byte(expirationString)
 	}