
Rotate Service Token Cache Bearer Token

The Service Token Cache uses a bearer token to read the Kubernetes config maps that hold the public keys of all the different services. This bearer token is called KUBECTL_BEARER_TOKEN and is kept in the service-token-cache-deploy encrypted repository. The token belongs to a service account defined in the cloud-platforms-environment repo. Each Form Builder namespace has a 01-rbac.yaml file which configures which service accounts can access that namespace.

You can see the token secrets for the service accounts in a given namespace by running:

kubectl get secrets -n formbuilder-platform-test-dev

The relevant secrets have the type kubernetes.io/service-account-token. The last 5 characters of each secret name are a random suffix generated by Kubernetes when the secret is created. If you delete one of these secrets, Kubernetes immediately recreates it under a new name and with a new token inside (this automatic recreation applies to the legacy auto-generated token secrets; clusters on Kubernetes 1.24 or later no longer create them automatically).

Because KUBECTL_BEARER_TOKEN is tied to the specific name of the service token cache's token secret within a given namespace, deleting that secret to force a new token would cause a period of downtime until the service token cache is redeployed and picks up the new secret name.

To get round this, the formbuilder-platform-live-production namespace has two service accounts for the service token cache. The service token cache also requests the public keys of the services which live in the formbuilder-services-live-production namespace, so both accounts need to be given permission to read config maps in that namespace as well.

Running kubectl get secrets -n formbuilder-platform-live-production will show you both of the service account token secrets that Kubernetes created. If we ever need to rotate the token, set KUBECTL_BEARER_TOKEN to the name of the secret you want to move to and deploy the service token cache. Only once that deployment is serving requests with the new token should you delete the old secret, because deleting it revokes the old token immediately:

kubectl delete secrets -n formbuilder-platform-live-production name-of-service-token-cache-service-account

Kubernetes will recreate it straight away under a new name with a new token, so it is ready to be used again for the next rotation.
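The rotation above as a script, added here as an illustration and not code from the Form Builder repositories. It follows the two-step order the runbook describes (pick and verify the replacement, redeploy, then delete the old secret) and adds the checks an operator wants on either side: that the new token can actually read config maps in both namespaces before anything is changed, and that the old token is rejected after its secret is deleted. Assumed, not taken from the page: the cache's token secrets share the name prefix SECRET_PREFIX (default service-token-cache-), KUBECTL_BEARER_TOKEN holds the secret name as the page states, kubectl is configured against the live cluster, and the cluster still auto-recreates kubernetes.io/service-account-token secrets.

```shell
#!/bin/sh
# Added example, not part of the Form Builder runbook or the service-token-cache code.
# Usage:  rotate.sh prepare <current-secret-name>   -> prints the secret to switch to
#         rotate.sh retire  <old-secret-name>       -> run after the cache is redeployed
# Assumed (not from the page): token secrets share the prefix SECRET_PREFIX and
# the cluster still auto-creates kubernetes.io/service-account-token secrets.
set -e

PLATFORM_NS="${PLATFORM_NS:-formbuilder-platform-live-production}"
SERVICES_NS="${SERVICES_NS:-formbuilder-services-live-production}"
SECRET_PREFIX="${SECRET_PREFIX:-service-token-cache-}"   # assumed prefix

# One token-secret name per line for the namespace given as $1.
list_token_secrets() {
  kubectl get secrets -n "$1" \
    --field-selector type=kubernetes.io/service-account-token \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Pure selection step: given token-secret names on stdin, the name currently in
# KUBECTL_BEARER_TOKEN ($1) and the cache's secret prefix ($2), print the single
# other secret to move to. Anything other than exactly one candidate is refused,
# so a typo in the current name cannot silently select the wrong account.
pick_new_secret() {
  current="$1"; prefix="$2"
  others=$(grep "^$prefix" | grep -v -x -F "$current" || true)
  n=$(printf '%s\n' "$others" | grep -c . || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one other token secret with prefix $prefix, found $n" >&2
    return 1
  fi
  printf '%s\n' "$others"
}

# Decode the bearer token held in a token secret ($1 namespace, $2 secret name).
token_of() {
  kubectl get secret -n "$1" "$2" -o jsonpath='{.data.token}' | base64 -d
}

# Check, authenticating as the given token, that it may read config maps in both
# namespaces the cache queries. The kubeconfig user must not carry a client
# certificate: the API server tries X.509 before bearer tokens, so the
# certificate, not the token under test, would be what gets authenticated.
verify_token() {
  for ns in "$PLATFORM_NS" "$SERVICES_NS"; do
    kubectl --token="$1" auth can-i get configmaps -n "$ns" >/dev/null 2>&1 || return 1
  done
}

# Step 1: choose and verify the replacement. Prints the secret name to put into
# KUBECTL_BEARER_TOKEN in service-token-cache-deploy; nothing is deleted yet.
prepare_rotation() {
  current="$1"
  new=$(list_token_secrets "$PLATFORM_NS" | pick_new_secret "$current" "$SECRET_PREFIX")
  if ! verify_token "$(token_of "$PLATFORM_NS" "$new")"; then
    echo "token in $new cannot read config maps in both namespaces; not rotating" >&2
    return 1
  fi
  echo "$new"
}

# Step 2, after the cache has been redeployed with the new name: delete the old
# secret and confirm the token it held is now rejected. Kubernetes recreates the
# secret under a fresh name with a fresh token, ready for the next rotation.
retire_old_secret() {
  old="$1"
  old_token=$(token_of "$PLATFORM_NS" "$old")
  kubectl delete secret -n "$PLATFORM_NS" "$old"
  sleep 5   # give the API server's token authenticator a moment to see the deletion
  if verify_token "$old_token"; then
    echo "WARNING: token from deleted secret $old is still accepted" >&2
    return 1
  fi
  echo "old token revoked; token secrets now present:"
  list_token_secrets "$PLATFORM_NS" | grep "^$SECRET_PREFIX"
}

case "${1:-}" in
  prepare) prepare_rotation "${2:?current secret name required}" ;;
  retire)  retire_old_secret "${2:?old secret name required}" ;;
  *) ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

The selection step is kept free of kubectl calls so it can be exercised against a constructed list of names; the two cluster-facing steps are deliberately separate commands so that the deploy, which the page says must happen between them, cannot be skipped by accident.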

This page was last reviewed on 15 October 2020. It needs to be reviewed again on 15 January 2021 .