There may be a time when you'll want to refresh the "clusterregistrationtoken" or CRT for short. You can't do this in Rancher, as far as I know.
First, let's see where this token is saved.
Only the local cluster token is available right now.
Let's add another cluster. Once we complete the custom cluster creation wizard in Rancher's cluster management, we can see a new namespace created with a unique cluster-ID.
Here we're checking out the CRTs after cluster creation.
We can get the join command from crt-zztbw. Why it's creating a separate token is unknown to me.
Let Rancher provision the cluster for a while.
After the cluster is provisioned, you can check the secrets for cattle credentials in the new cluster.
Now let's look at the part where I posted my credentials online, on a blog, for example, and want to invalidate that token.
I can remove the current CRT, which Fleet will regenerate. In this case, I remove all of them from the local (old) cluster.
After which, Fleet adds a new one when we open up the registration page in Rancher.
The new token is visible in the local cluster.
To efficiently show the tokens, we can use custom columns.
kubectl get clusterregistrationtoken.management.cattle.io -n c-75snr -o custom-columns=NAME:.metadata.name,TOKEN:.status.token
While the old CRT is invalidated, the "testcrt" cluster is still connected. When we reboot the cluster, the following happens.
In the cattle-agent pod, the following logs appear.
We now need to patch the credentials secret. Be sure to encode the token with base64, and make sure the encoded string does not end in Cg==, which means "newline".
After the secret is patched, we need to redeploy the cattle agent to reload the token.
root@cp2:~# kubectl --cluster='testcrt-cp2' rollout restart deployment -n cattle-system cattle-cluster-agent
Once the cattle agent is restarted, we'll see the cluster is available in the Rancher dashboard again.
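For the secret patch and agent restart steps above, here is an added example (not from the original post) that encodes a replacement token without a trailing newline and checks an encoded value by decoding it. The sample token, the secret name placeholder, the `NEW_TOKEN` variable and the `token` data key are assumptions.

```shell
#!/bin/sh
# Added example: base64-encode a replacement registration token for the
# cattle credentials secret without encoding a trailing newline.

# Encode a token for a Secret's data field. printf '%s' emits no newline
# (echo would), and tr drops any CR/LF pasted along with the token.
encode_token() {
  printf '%s' "$1" | tr -d '\r\n' | base64 | tr -d '\n'
}

# Succeeds when the decoded value ends in a newline byte (0x0a).
# Decoding is more reliable than looking at the suffix: the encoded
# ending is "Cg==" only when the token length is a multiple of 3.
ends_with_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Build a merge-patch body. The data key "token" is an assumption;
# confirm it against the secret in your downstream cluster.
patch_body() {
  printf '{"data":{"token":"%s"}}' "$(encode_token "$1")"
}

demo() {
  tok='abcdef'                   # constructed sample, not a real token
  bad=$(echo "$tok" | base64)    # the mistake: echo appends "\n"
  good=$(encode_token "$tok")
  echo "echo | base64 : $bad"
  echo "encode_token  : $good"
  if ends_with_newline "$bad"; then
    echo "first value decodes with a trailing newline"
  fi
  patch_body "$tok"; echo
}
demo

# Applying it (secret name is a placeholder, NEW_TOKEN is hypothetical):
# kubectl --cluster='testcrt-cp2' patch secret <cattle-credentials-secret> \
#   -n cattle-system --type merge -p "$(patch_body "$NEW_TOKEN")"
# kubectl --cluster='testcrt-cp2' rollout restart deployment \
#   -n cattle-system cattle-cluster-agent
```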