How to properly set a predefined token with CA hash on server initialization?

[bglgwyng]

I'm trying to set up a K3s server with a predefined token, including the CA hash, during the initialization process. I understand that the token format should be K10<random-string>::<ca-hash>, but I'm unsure how to generate this correctly before the server starts.

Specifically:

1. Is it possible to set a complete token (including the CA hash) when starting a K3s server for the first time?

2. If not, what's the recommended way to set a predefined random part of the token (<prefix><cluster CA hash>::<credentials>) and have K3s append the correct CA hash on initialization? It doesn't seem that we can configure CA certificates k3s to use. So it seems impossible to set CA hash on initialization, is it correct?

I'm working with a NixOS configuration, but I'm interested in the general approach that would work for any system.

Thank you for your help and for maintaining this great project!

[brandond]

You'd need to start K3s using custom certificates as documented at https://docs.k3s.io/cli/certificate#using-custom-ca-certificates, so that the CA hash is known. If you are using the CA certificates generated by K3s, there is no way to know what the CA hash will be until K3s is started the first time and the certificate is generated.

If you don't want to generate custom certificates, then just specify the passphrase when starting the server. If you care, you can update the token to include the CA hash later, after it's started up the first time.

[bglgwyng]

Thanks! I missed the custom ca certificates part.