[fix] [rke2] - set node-ip, use internal-only-ips for rke2 registration, set the ip type properly for the machine addresses #156
Conversation
Tested this, works fine. LGTM
Seeing issues with other control plane nodes joining the cluster:
Feb 29 19:13:21 rah1-control-plane-wrg4n rke2[3412]: time="2024-02-29T19:13:21Z" level=fatal msg="starting kubernetes: preparing server: CA cert validation failed: Get \"https://172.234.204.152:9345/cacerts\": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 172.234.208.182, 192.168.144.181, ::1, not 172.234.204.152"
Feb 29 19:13:21 rah1-control-plane-wrg4n systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
Feb 29 19:13:21 rah1-control-plane-wrg4n systemd[1]: rke2-server.service: Failed with result 'exit-code'.
Feb 29 19:13:21 rah1-control-plane-wrg4n systemd[1]: Failed to start Rancher Kubernetes Engine v2 (server).
We might need the node-external-ip flag or something similar that adds the node's public IP as well.
Unfortunately we can't set that for cloud-provider=external; rke2 fails to start in that case:
c71165c to fc96291
This might actually be something that can be fixed if we set the IP type correctly on the machine controller; I just noticed we always set it to
Unfortunately, even after addressing the external vs. internal IP type in our controller for the machine addresses, we still need the change to set the node-ip and add the public IP to the tls-san.
09d8e27 to 848ff2b
Tested this, LGTM
…king without controlPlaneEndpoint registration support on rke2
LGTM
…on, set the ip type properly for the machine addresses (#156)
* add workaround to get both container logs working and server join working without controlPlaneEndpoint registration support on rke2
* fix ip type setting for addresses on machine controller
What type of PR is this?
/kind bug
What this PR does / why we need it:
Adds the private IP to the `node-ip` and the public IP to the `tls-san` config for RKE2, like we had to do for K3s, so the TLS certs are valid. Without `node-ip`, the container logs can't be retrieved, and without the `tls-san` addition on top of that, server joining stops working. Ideally we need to have registration done via controlPlaneEndpoint registration, though that's still in progress.

I'm aware `hostname -I` is brittle with the ordering per the manpage, but I don't have a much better solution at this time for this workaround.

Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #
Special notes for your reviewer:
TODOs:
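The following is an added example to illustrate the workaround the PR description and the x509 error in the thread describe; it is not code from PR #156 or from the provider's repository. It assumes a POSIX sh, that `node-ip`, `tls-san` and `cloud-provider-name` are the RKE2 `config.yaml` keys (they are RKE2's documented keys; the thread refers to the flag form), and that the caller supplies the host's address list, which on a real node would come from `hostname -I` or, less order-sensitively, `ip -4 -o addr show scope global`. The sample address list is constructed: the individual addresses are taken from the log line in the thread, but their combination on one host is an assumption. The private-range test is written out explicitly because the Linode addresses in the thread (172.234.x.x) sit outside 172.16/12 and must be treated as public.

```shell
#!/bin/sh
# Added example, not code from PR #156 or the provider's repository.
# Classifies a host's IPv4 addresses into private (RFC 1918) and public,
# then emits the RKE2 config.yaml keys the PR description talks about:
# the private address as node-ip, the public address(es) under tls-san.
# Also reproduces the check behind the x509 error quoted in the thread:
# which dialed addresses the serving cert's SANs do not cover.

# Return 0 if $1 is inside 10/8, 172.16/12 or 192.168/16, else 1.
# 172.234.x.x (the Linode addresses in the thread) is public: only
# 172.16 through 172.31 are private.
is_rfc1918() {
  ip=$1
  o1=${ip%%.*}
  rest=${ip#*.}
  o2=${rest%%.*}
  if [ "$o1" = 10 ]; then return 0; fi
  if [ "$o1" = 192 ] && [ "$o2" = 168 ]; then return 0; fi
  if [ "$o1" = 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi
  return 1
}

# $1: space-separated addresses in the order the host reports them
#     (on a real node the output of `hostname -I`, which the PR author
#     notes is order-brittle; here the caller passes it in explicitly).
# Non-IPv4 entries are skipped. The first private address becomes
# node-ip; every public address goes under tls-san. Fails if there is
# no private address at all, since the point of the change is to pin
# node-ip rather than let RKE2 pick one.
rke2_server_config() {
  node_ip=""
  sans=""
  for ip in $1; do
    if [ "${ip#*.*.*.}" = "$ip" ]; then continue; fi
    if is_rfc1918 "$ip"; then
      if [ -z "$node_ip" ]; then node_ip=$ip; fi
    else
      sans="$sans $ip"
    fi
  done
  if [ -z "$node_ip" ]; then
    echo "rke2_server_config: no RFC 1918 address in: $1" >&2
    return 1
  fi
  printf 'cloud-provider-name: external\n'
  printf 'node-ip: %s\n' "$node_ip"
  if [ -n "$sans" ]; then
    printf 'tls-san:\n'
    for san in $sans; do
      printf '  - %s\n' "$san"
    done
  fi
}

# $1: SANs the serving cert carries (as listed in the x509 error)
# $2: addresses other nodes dial for registration (port 9345)
# Prints each dialed address the cert does not cover, one per line;
# these are exactly the entries that belong in tls-san.
missing_sans() {
  for dial in $2; do
    found=0
    for san in $1; do
      if [ "$san" = "$dial" ]; then found=1; fi
    done
    if [ "$found" = 0 ]; then echo "$dial"; fi
  done
}

# Constructed sample input (assumption, not a capture from the PR):
# a public Linode address first, then the private one, mirroring the
# ordering hazard the author mentions.
SAMPLE_ADDRS="172.234.204.152 192.168.144.181"
rke2_server_config "$SAMPLE_ADDRS"

# SAN list from the log line in the thread, checked against the address
# the joining node dialed: prints 172.234.204.152, the missing SAN.
missing_sans "10.43.0.1 127.0.0.1 172.234.208.182 192.168.144.181 ::1" \
             "172.234.204.152"
```

On a node the config fragment would be written to `/etc/rancher/rke2/config.yaml` before `rke2-server.service` starts; `missing_sans` is only a way to read an x509 "certificate is valid for ..., not ..." line and turn it into the `tls-san` entries that are missing. Note that a private address is chosen by range, not by position, so the result does not depend on the interface order `hostname -I` happens to produce.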