Auto-discover kubelet bootstrap token from kube-system secrets#1622
Draft
…crets
- Create new singleton controller that reads bootstrap token secrets from kube-system namespace and updates options with the token value
- Make kubelet-bootstrap-token no longer a required option; auto-discovered from kube-system secrets if not provided via options
- Controller no-ops (not started) when bootstrap token is passed via options
- Uses kubernetes.Interface directly (not manager cache) for tightly scoped secret access, only reading from kube-system namespace
- Add RBAC Role and RoleBinding in Helm chart for reading secrets in kube-system namespace
- Add comprehensive unit tests for the controller
- Update options validation tests for the now-optional field
Agent-Logs-Url: https://github.com/Azure/karpenter-provider-azure/sessions/9fac1246-8422-4943-93b9-cf3e8805b9d7
Co-authored-by: matthchr <8798850+matthchr@users.noreply.github.com>

…t-only
- Use test context instead of context.Background() in test helper
- Reduce RBAC permissions to only 'list' verb (minimum needed for discovery)
- Add comment explaining why resourceNames cannot be used with list
Agent-Logs-Url: https://github.com/Azure/karpenter-provider-azure/sessions/9fac1246-8422-4943-93b9-cf3e8805b9d7
Co-authored-by: matthchr <8798850+matthchr@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add Kubelet Bootstrap Token parameter in Helm chart" to "Auto-discover kubelet bootstrap token from kube-system secrets" on Apr 4, 2026.
KUBELET_BOOTSTRAP_TOKEN is currently a required Helm chart value that users must manually extract and pass. This adds a controller that auto-discovers it from kube-system, matching the logic in configure-values.sh.

New controller: pkg/controllers/bootstraptoken/

Singleton controller that periodically (1h) lists secrets in kube-system with type=bootstrap.kubernetes.io/token, extracts the token-id and token-secret fields, and writes the composed token to Options.KubeletClientTLSBootstrapToken. Uses kubernetes.Interface directly — no manager cache, no broad secret watching.

Options change

kubelet-bootstrap-token is no longer required. If omitted, the controller handles it.

RBAC

New Role/RoleBinding scoped to the kube-system namespace with list on secrets only. resourceNames cannot restrict list, so namespace scoping is the tightest bound available.

Tests

6 unit tests covering: happy path, missing secrets, malformed secrets, and token rotation across reconciles.
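The discovery step the PR describes (list kube-system secrets of type bootstrap.kubernetes.io/token, read token-id and token-secret, compose the kubelet token), as an added example that is not the PR's own code. It stands in a constructed Secret struct for the corev1.Secret fields so it runs without client-go, and it goes beyond the description by validating the kubeadm token format, skipping expired tokens via the optional expiration field, and preferring the newest secret so a rotated token wins; those choices are assumptions, not the controller's documented behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Secret is a constructed stand-in for the corev1.Secret fields this logic reads,
// so the example runs without client-go; with the real API, feed it the Items of
// clientset.CoreV1().Secrets("kube-system").List(ctx, metav1.ListOptions{}).
type Secret struct {
	Type    string
	Data    map[string][]byte
	Created time.Time
}
const BootstrapTokenSecretType = "bootstrap.kubernetes.io/token"

// kubeadm bootstrap token format: 6-char id and 16-char secret, [a-z0-9] only.
var (
	tokenIDRe     = regexp.MustCompile(`^[a-z0-9]{6}$`)
	tokenSecretRe = regexp.MustCompile(`^[a-z0-9]{16}$`)
)
// DiscoverBootstrapToken returns the newest well-formed, unexpired bootstrap token
// among the given kube-system secrets as "<token-id>.<token-secret>". Secrets of
// another type or with missing/malformed fields are skipped rather than fatal.
func DiscoverBootstrapToken(secrets []Secret, now time.Time) (string, error) {
	sorted := append([]Secret(nil), secrets...) // don't reorder the caller's slice
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Created.After(sorted[j].Created) })
	for _, s := range sorted { // newest first, so a rotated token beats a stale one
		if s.Type != BootstrapTokenSecretType {
			continue
		}
		id, secret := string(s.Data["token-id"]), string(s.Data["token-secret"])
		if !tokenIDRe.MatchString(id) || !tokenSecretRe.MatchString(secret) {
			continue // malformed: never hand kubelet a token that cannot work
		}
		// Optional "expiration" is RFC3339; skip tokens the API server already rejects.
		if exp, ok := s.Data["expiration"]; ok {
			t, err := time.Parse(time.RFC3339, string(exp))
			if err != nil || !t.After(now) {
				continue
			}
		}
		return fmt.Sprintf("%s.%s", id, secret), nil
	}
	return "", fmt.Errorf("no usable %s secret found in kube-system", BootstrapTokenSecretType)
}
```

Because the function only ever returns a token that already passes the format and expiry checks, a reconcile that finds nothing usable can leave the previous Options value in place instead of overwriting it with garbage.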