
Comments (7)

MainRo commented on June 29, 2024

I struggle to find how to create a HA cluster due to this: The k3s_server role requires a token value to be present but I am not able to bootstrap it: the "k3s token generate" command creates a short form token that is not accepted when instantiating the first server node. How are we supposed to provide this token?

from k3s-ansible.

dereknola commented on June 29, 2024

You should read the docs on how to use the token subcommand. You can't join servers with the tokens generated using it, only agents. Admittedly, this information should probably be more apparent in Bold or something.

Supporting auto-generated tokens for HA and single simultaneously introduced a bunch of overhead in the provisioning that I didn't want to deal with. Additionally, the use of user-designated tokens has become the default assumption/suggestion in running K3s for security reasons.

If you don't want the token sitting as plaintext in the playbook, you should pass it as an ENV when running the playbook:

ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=<MY_SECURE_TOKEN>

If you want a random token you could also achieve something similar with

ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=$(rand or gpw or pwgen command)


BMeach commented on June 29, 2024

@dereknola I may be missing something, but how would you go about generating a token using the "secure token format" as specified in the docs you linked?


MainRo commented on June 29, 2024

Thanks @dereknola, I provided the secret/token with an environment variable.

I think that the parameter name "token" made me confused: It can be either a token generated with "k3s token", or just a shared secret (basically any string).


dereknola commented on June 29, 2024

@BMeach You could hand generate one using the formula, but that's somewhat of a pain.

When you start a K3s server with k3s server --token=mytoken, the full "secure token" is automatically generated for you, with the mytoken being placed in the <credentials> section.

#/var/lib/rancher/k3s/server/token
K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383::server:mytoken


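The token layout shown above, as an added example that is not part of the thread or of k3s-ansible: POSIX shell functions that tell a full secure-format token from a bare shared secret, extract its fields, and generate a random secret to pass as the token variable. The function names are hypothetical, and the 64-hex-character hash length is an assumption taken from the sample token in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of K3s or k3s-ansible.
# Layout assumed from the sample in this thread: K10<64 hex>::<user>:<password>

# gen_token: print a random shared secret, 32 bytes from /dev/urandom as 64 hex chars.
gen_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -dc '0-9a-f'
    echo
}

# token_kind TOKEN: print "secure" for the full format, "short" for a bare secret.
token_kind() {
    case "$1" in
        K10*::*:*)
            _hash=${1#K10}
            _hash=${_hash%%::*}
            case "$_hash" in
                *[!0-9a-f]*) echo short ;;          # non-hex character in the hash
                *) if [ "${#_hash}" -eq 64 ]; then echo secure; else echo short; fi ;;
            esac ;;
        *) echo short ;;
    esac
}

# token_field TOKEN ca_hash|user|password: print one field of a secure-format token.
# Returns 1 when TOKEN is not in the secure format, 2 for an unknown field name.
token_field() {
    [ "$(token_kind "$1")" = secure ] || return 1
    _rest=${1#K10}
    _creds=${_rest#*::}
    case "$2" in
        ca_hash)  echo "${_rest%%::*}" ;;
        user)     echo "${_creds%%:*}" ;;
        password) echo "${_creds#*:}" ;;   # everything after the first colon
        *) return 2 ;;
    esac
}

# Usage with the playbook command from the thread:
#   ansible-playbook playbook/site.yml -i inventory.yml --extra-vars "token=$(gen_token)"
```

Comparing the password field of /var/lib/rancher/k3s/server/token on the first server with the value passed as token confirms that the playbook used the intended secret.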
BMeach commented on June 29, 2024

> @BMeach You could hand generate one using the formula, but that's somewhat of a pain.
>
> When you start a K3s server with k3s server --token=mytoken, the full "secure token" is automatically generated for you, with the mytoken being placed in the <credentials> section.
>
> #/var/lib/rancher/k3s/server/token
> K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383::server:mytoken

That makes sense, thank you for clearing it up. Are there any length recommendations or requirements for the initial token? I have not been able to find any so far.


dereknola commented on June 29, 2024

There are no hard length requirements. It's just going to depend on your security posture (i.e. do you want special characters, numbers, letters). As an org, K3s makes no official recommendations on length/complexity.

