The cluster bootstrap token and install URL

What are the bootstrap token and install URL

When a new cluster is created, Lieutenant generates a bootstrap token and an install URL for that cluster. The install URL can be used to install Steward on the cluster to synthesize. The bootstrap token is embedded into the install URL by Lieutenant.

The bootstrap token and therefore the install URL are only valid once and are only valid for 24 hours after creating the cluster in Lieutenant.

Checking the validity of the bootstrap token

You can check the expiration date of the install URL by inspecting the cluster object on the Lieutenant cluster. If you don’t see a field .status.bootstrapToken.tokenValid the token has either been used or has expired.

export CLUSTER_ID=<cluster id of cluster to synthesize>
export KUBECONFIG=/path/to/lieutenant.kubeconfig (1)

kubectl -n lieutenant describe cluster ${CLUSTER_ID}

1	See Lieutenant cluster

Fetching the install URL from the Lieutenant API

If you need to, you can fetch the install URL from the Lieutenant API using the following commands:

export LIEUTENANT_URL=api.syn.vshn.net
export LIEUTENANT_AUTH="Authorization:Bearer $(commodore fetch-token)"

export INSTALL_URL=$(curl -H "${LIEUTENANT_AUTH}" "https://${LIEUTENANT_URL}/clusters/${CLUSTER_ID}" | jq -r ".installURL")

Resetting the bootstrap token

You can use the following command to reset the cluster’s bootstrap token This can be helpful if you mistakenly fetched the install URL or if registration and initial configuration of the cluster took more than 30 minutes.

export CLUSTER_ID=<cluster id of cluster to synthesize>

export KUBECONFIG=<lieutenant vcluster kubeconfig> (1)
export LIEUTENANT_INSTANCE=lieutenant-prod (2)
export COMMODORE_API_URL=api.syn.vshn.net (3)

export LIEUTENANT_AUTH="Authorization: Bearer $(commodore fetch-token)"
export KUBE_API=$(yq ".clusters[] | select(.name == \"$LIEUTENANT_INSTANCE\")| .cluster.server" $KUBECONFIG)

curl -H "${LIEUTENANT_AUTH}" -H "Content-Type: application/json-patch+json" -X PATCH \
  -d '[{ "op": "remove", "path": "/status/bootstrapToken" }]' \
  "${KUBE_API}/apis/syn.tools/v1alpha1/namespaces/lieutenant/clusters/${CLUSTER_ID}/status"

1	Select the Kubeconfig file for the Lieutenant instance on which the cluster is registered.
2	The value of this variable must match the value of the field `name` for the cluster’s entry in `clusters` in the Kubeconfig file. The provided value assumes that you’re using the Kubeconfig file provided in the connect to Lieutenant clusters how-to.
3	Adjust this to point to the correct Lieutenant API. This is required for `commodore fetch-token`.