Add "auth-extra-groups" field to bootstrap token

cmd/machine-controller-manager/app/controllermanager.go

@@ -272,6 +272,7 @@ func StartControllers(s *options.MCMServer,
 			recorder,
 			s.SafetyOptions,
 			s.NodeConditions,
+			s.BootstrapTokenAuthExtraGroups,
 		)
 		if err != nil {
 			return err

cmd/machine-controller-manager/app/options/options.go

@@ -112,6 +112,7 @@ func (s *MCMServer) AddFlags(fs *pflag.FlagSet) {
 	fs.DurationVar(&s.SafetyOptions.MachineSafetyOvershootingPeriod.Duration, "machine-safety-overshooting-period", s.SafetyOptions.MachineSafetyOvershootingPeriod.Duration, "Time period (in durartion) used to poll for overshooting of machine objects backing a machineSet by safety controller.")
 	fs.DurationVar(&s.SafetyOptions.MachineSafetyAPIServerStatusCheckPeriod.Duration, "machine-safety-apiserver-statuscheck-period", s.SafetyOptions.MachineSafetyAPIServerStatusCheckPeriod.Duration, "Time period (in duration) used to poll for APIServer's health by safety controller")
 	fs.StringVar(&s.NodeConditions, "node-conditions", s.NodeConditions, "List of comma-separated/case-sensitive node-conditions which when set to True will change machine to a failed state after MachineHealthTimeout duration. It may further be replaced with a new machine if the machine is backed by a machine-set object.")
+	fs.StringVar(&s.BootstrapTokenAuthExtraGroups, "bootstrap-token-auth-extra-groups", s.BootstrapTokenAuthExtraGroups, "Comma-separated list of groups to set bootstrap token's \"auth-extra-groups\" field to")
 
 	leaderelectionconfig.BindFlags(&s.LeaderElection, fs)
 	// TODO: DefaultFeatureGate is global and it adds all k8s flags

pkg/controller/controller.go

@@ -82,6 +82,7 @@ func NewController(
 	recorder record.EventRecorder,
 	safetyOptions options.SafetyOptions,
 	nodeConditions string,
+	bootstrapTokenAuthExtraGroups string,
 ) (Controller, error) {
 	controller := &controller{
 		namespace:                      namespace,
@@ -106,6 +107,7 @@ func NewController(
 		machineSafetyAPIServerQueue:    workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "machinesafetyapiserver"),
 		safetyOptions:                  safetyOptions,
 		nodeConditions:                 nodeConditions,
+		bootstrapTokenAuthExtraGroups:  bootstrapTokenAuthExtraGroups,
 	}
 
 	controller.internalExternalScheme = runtime.NewScheme()
@@ -397,8 +399,9 @@ type Controller interface {
 
 // controller is a concrete Controller.
 type controller struct {
-	namespace      string
-	nodeConditions string
+	namespace                     string
+	nodeConditions                string
+	bootstrapTokenAuthExtraGroups string
 
 	controlMachineClient machineapi.MachineV1alpha1Interface
 	controlCoreClient    kubernetes.Interface

pkg/controller/machine_bootstrap_token.go

@@ -73,6 +73,7 @@ func (c *controller) getBootstrapTokenOrCreateIfNotExist(machineName string) (se
 				bootstraptokenapi.BootstrapTokenExpirationKey:       []byte(metav1.Now().Add(c.safetyOptions.MachineCreationTimeout.Duration).Format(time.RFC3339)),
 				bootstraptokenapi.BootstrapTokenUsageAuthentication: []byte("true"),
 				bootstraptokenapi.BootstrapTokenUsageSigningKey:     []byte("true"),
+				bootstraptokenapi.BootstrapTokenExtraGroupsKey:      []byte(c.bootstrapTokenAuthExtraGroups),
 			}
 
 			secret = &v1.Secret{

pkg/options/types.go

@@ -81,6 +81,9 @@ type MachineControllerManagerConfiguration struct {
 
 	//NodeCondition is the string of known NodeConditions. If any of these NodeCondition is set for a timeout period, the machine  will be declared failed and will replaced.
 	NodeConditions string
+
+	//BootstrapTokenAuthExtraGroups is a comma-separated string of groups to set bootstrap token's "auth-extra-groups" field to.
+	BootstrapTokenAuthExtraGroups string
 }
 
 // SafetyOptions are used to configure the upper-limit and lower-limit