Page MenuHomePhabricator

Sort out and test deploying the worker nodes in a sane fashion
Closed, ResolvedPublic


Whether this is accomplished via the newer cert services, some buried part of kubeadm, puppet + packages, etc. Ensure that we are ideally not manually slinging around a join token. If we actually are doing that, find a way to distribute that or run it via puppet or similar.

Event Timeline

Bstorm triaged this task as High priority.Feb 8 2019, 11:44 PM
Bstorm created this task.
bd808 removed a project: Goal.Feb 10 2019, 8:47 PM
GTirloni removed a subscriber: GTirloni.Mar 21 2019, 9:06 PM

According to the last status updates on T215531: Deploy upgraded Kubernetes to toolsbeta, we are bootstrapping worker nodes by using kubeadm with a pre-shared token. This token is stored in hiera (private repo).

When a new cluster is being built, kubeadm generates a cmdline that we should copy-paste into the joining worker node.
Or alternatively, we can just use our pre-configured config file which contains also the required bits to join the cluster.

root@newworker:~# kubeadm join --config /etc/kubernetes/kubeadm-join.cfg`  <--- this file is maintained by puppet
root@newworker:~# kubeadm join <FQDN>:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash> <--- this is generated by kubeadm init