get token: Print only the token in ouptut

[adambkaplan]

Feature Request

Allow clusteradm get token to only print the token, and/or write just the token to file.
This will help developers/admin script the remote cluster registration as follows (for KinD):

kubectl config use-context ${CTX_HUB_CULSTER}
clusteradm init --wait --context ${CTX_HUB_CLUSTER}
hubAPIServer=$(kubectl config view --minify --output jsonpath="{.clusters[*].cluster.server}")
hubToken=$(clusteradm get token --context ${CTX_HUB_CLUSTER})
clusteradm join \
    --hub-token ${hubToken} \
    --hub-apiserver ${hubAPIServer} \
    --wait \
    --cluster-name ${MANAGED_CLUSTER} \    
    --force-internal-endpoint-lookup \
    --context ${CTX_MANAGED_CLUSTER}

[mikeshng]

I completely agree with you.

It's unfortunate we have the current implementation but we cannot break the current usage for existing scripts/automation compatibility.

For now, please see https://github.com/open-cluster-management-io/OCM/blob/main/solutions/setup-dev-environment/local-up.sh#L19-L27 on how to automate the join command in a script.

For this issue, I think instead of changing the current output of clusteradm get token, I think we should add a flag that is something like --token-only or something similar.

[mikeshng]

another not so elegant workaround is clusteradm get token | grep token= | cut -d'=' -f2

[ycyaoxdu]

Hi @adambkaplan , we've already have a flag --json to print output in json format, don't know whether the json format fulfilled your request?

$ clusteradm get token --json
{
"hub-token": "****",
"hub-apiserver": "****"
}

@mikeshng WDYT?

[adambkaplan]

json helps, but to get "just the token" requires a pipe to another command (jq).

For this issue, I think instead of changing the current output of clusteradm get token, I think we should add a flag that is something like --token-only or something similar.

Bikeshedding here - if someone feels adventurous, they can try adopting an -o/--output flag that accepts json, yaml, text (current behavior/default), and maybe minimal to get just the token. jsonpath if someone really wants to go the extra mile.

[nirs]

@adambkaplan To use the token you need also the hub-api-server, so it does not seems
useful to return only the token. What is the issue with parsing the json and taking
what you need? Why using jq is a problem for your use case?

[adambkaplan]

Why using jq is a problem for your use case?

jq is not available on all distributions out of the box. On RHEL, for example, admins need to enable EPEL repository to install jq.

[adambkaplan]

It's unfortunate we have the current implementation but we cannot break the current usage for existing scripts/automation compatibility.

@mikeshng this project is not v1 yet - what prevents the project from making breaking changes? Is there a release cadence which would let you issue a deprecation notice, followed by the behavior change?

[mikeshng]

It's unfortunate we have the current implementation but we cannot break the current usage for existing scripts/automation compatibility.

@mikeshng this project is not v1 yet - what prevents the project from making breaking changes? Is there a release cadence which would let you issue a deprecation notice, followed by the behavior change?

That's a good point. I prefer if we don't break usage because there might be projects out there already using clusteradm get token in e2e testing. How about adding the --token-only and it will only print the token content out? CC @qiujian16

PS: I've also seen usage such as that might help your e2e testing case:

$CLUSTERADM init --output-join-command-file join.sh --wait
sh -c "$(cat join.sh) $_managed_cluster_name"

/assign @mikeshng