Closed laszlojau closed 7 months ago
I struggle to find how to create an HA cluster due to this: the k3s_server role requires a token value to be present, but I am not able to bootstrap it: the "k3s token generate" command creates a short-form token that is not accepted when instantiating the first server node. How are we supposed to provide this token?
You should read the docs on how to use the token subcommand. You can't join servers with the tokens generated using it, only agents. Admittedly, this information should probably be more apparent in Bold or something.
Supporting auto-generated tokens for HA and single simultaneously introduced a bunch of overhead in the provisioning that I didn't want to deal with. Additionally, the use of user-designated tokens has become the default assumption/suggestion in running K3s for security reasons.
If you don't want the token sitting as plaintext in the playbook, you should pass it as an ENV when running the playbook:
ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=<MY_SECURE_TOKEN>
If you want a random token you could also achieve something similar with
ansible-playbook playbook/site.yml -i inventory.yml --extra-vars token=$(rand or gpw or pwgen command)
@dereknola I may be missing something, but how would you go about generating a token using the "secure token format" as specified in the docs you linked?
Thanks @dereknola, I provided the secret/token with an environment variable.
I think that the parameter name "token" made me confused: It can be either a token generated with "k3s token", or just a shared secret (basically any string).
@BMeach You could hand generate one using the formula, but that's somewhat of a pain.
When you start a K3s server with `k3s server --token=mytoken`, the full "secure token" is automatically generated for you, with the `mytoken` being placed in the `<credentials>` section.
#/var/lib/rancher/k3s/server/token
K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383::server:mytoken
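As an added example (not code from this thread or from the K3s project), a small Python parser for the token file line quoted above. The field layout is inferred from that one sample line, and the function names are hypothetical.

```python
import re

# Layout inferred from the token file line quoted in the thread (an assumption):
#   "K10" + 64 hex chars + "::" + credentials ("user:password")
SECURE_RE = re.compile(r"^K10(?P<ca_hash>[0-9a-fA-F]{64})::(?P<credentials>.+)$")

# Sample value copied from the comment above.
SAMPLE = ("K1029468f656c3c584fb3e4bce1fd31957d1412d1537f59c5335f84531b16872383"
          "::server:mytoken")


def parse_k3s_token(raw):
    """Classify a token as 'secure' (full format) or 'plain' (any other string)."""
    token = raw.strip()
    if not token:
        raise ValueError("empty token")
    m = SECURE_RE.match(token)
    if m is None:
        # Reject strings that imitate the full format but have a bad hash field.
        if token.startswith("K10") and "::" in token:
            raise ValueError("secure-format prefix present but hash field is malformed")
        return {"format": "plain", "ca_hash": None, "username": None, "password": token}
    user, sep, password = m.group("credentials").partition(":")
    if not sep:
        # Credentials without a "user:" part: treat the whole field as the secret.
        user, password = None, user
    return {"format": "secure", "ca_hash": m.group("ca_hash").lower(),
            "username": user, "password": password}


def redact(raw):
    """Log-safe rendering: keep the format, hash and username, hide the secret."""
    t = parse_k3s_token(raw)
    if t["format"] == "plain":
        return "<plain shared secret, %d chars>" % len(t["password"])
    creds = "%s:<redacted>" % t["username"] if t["username"] else "<redacted>"
    return "K10%s::%s" % (t["ca_hash"], creds)


if __name__ == "__main__":
    print(parse_k3s_token(SAMPLE))
    print(redact(SAMPLE))
    print(redact("mytoken"))
```
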
That makes sense, thank you for clearing it up. Are there any length recommendations or requirements for the initial token? I have not been able to find any so far.
There are no hard length requirements. It's just going to depend on your security posture (i.e. do you want special characters, numbers, letters). As an org, K3s makes no official recommendations on length/complexity.
The role used to auto-generate a token, which was working fine for single-node clusters. Currently, this is not possible; a value for `token` must be set. Was this functionality removed on purpose or is there a plan to reintroduce support for it?