From 1f6bccde979b9953653e7975922c731ae50ef900 Mon Sep 17 00:00:00 2001 From: Carlos Salas Date: Fri, 12 Jan 2024 17:19:22 +0100 Subject: [PATCH] fix: rke2 registration token generated twice Signed-off-by: Carlos Salas --- .../controllers/rke2config_controller.go | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/bootstrap/internal/controllers/rke2config_controller.go b/bootstrap/internal/controllers/rke2config_controller.go index d8ed9465..36fd98ff 100644 --- a/bootstrap/internal/controllers/rke2config_controller.go +++ b/bootstrap/internal/controllers/rke2config_controller.go @@ -334,14 +334,28 @@ func (r *RKE2ConfigReconciler) handleClusterNotInitialized(ctx context.Context, conditions.MarkTrue(scope.Config, bootstrapv1.CertificatesAvailableCondition) - token, err := r.generateAndStoreToken(ctx, scope) - if err != nil { - scope.Logger.Error(err, "unable to generate and store an RKE2 server token") + // RKE2 server token must only be generated once, so all nodes join the cluster with the same registration token. + var token string - return ctrl.Result{}, err + tokenSecret := &corev1.Secret{} + secretKey := types.NamespacedName{ + Namespace: scope.Config.Namespace, + Name: bsutil.TokenName(scope.Cluster.Name), } + err := r.Client.Get(ctx, secretKey, tokenSecret) + + if err != nil { + token, err = r.generateAndStoreToken(ctx, scope) + if err != nil { + scope.Logger.Error(err, "unable to generate and store an RKE2 server token") - scope.Logger.Info("RKE2 server token generated and stored in Secret!") + return ctrl.Result{}, err + } + + scope.Logger.Info("RKE2 server token generated and stored in Secret!") + } else { + token = string(tokenSecret.Data["value"]) + } configStruct, configFiles, err := rke2.GenerateInitControlPlaneConfig( rke2.ServerConfigOpts{
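Review bot: The `if err != nil` check after `r.Client.Get` treats every failure as "the Secret does not exist", so a timeout, an RBAC denial or a stale cache read would still call `generateAndStoreToken` again, which is the double generation this commit is meant to stop. Only a NotFound result should mint a token, for example via `apierrors.IsNotFound(err)` from k8s.io/apimachinery/pkg/api/errors (assuming that alias is or can be imported in this file); any other error should be returned so the reconcile is retried. In the `else` branch, `string(tokenSecret.Data["value"])` yields an empty string when the key is absent, and that empty registration token would be handed to `GenerateInitControlPlaneConfig` unnoticed, so reject it explicitly. handleClusterNotInitialized starts and ends outside the hunk and the key written by generateAndStoreToken is not visible here, so confirm that it is `value`.

```go
err := r.Client.Get(ctx, secretKey, tokenSecret)

switch {
case apierrors.IsNotFound(err):
	// No token Secret yet: the only case in which a new token is minted.
	token, err = r.generateAndStoreToken(ctx, scope)
	// … unchanged: error log + return, and the "generated and stored" info log …
case err != nil:
	// Transient or permission errors must not trigger regeneration.
	scope.Logger.Error(err, "unable to read the RKE2 server token Secret")

	return ctrl.Result{}, err
default:
	token = string(tokenSecret.Data["value"])
	if token == "" {
		return ctrl.Result{}, fmt.Errorf("token Secret %s has no \"value\" entry", secretKey)
	}
}
```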