techno-tim / k3s-ansible

The easiest way to bootstrap a self-hosted High Availability Kubernetes cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB, and more. Build. Destroy. Repeat.
https://technotim.live/posts/k3s-etcd-ansible/
Apache License 2.0

tls-san problem #131

Closed badsmoke closed 1 year ago

badsmoke commented 2 years ago

new install ends with an error:

```
fatal: [k3s-master-3]: FAILED! => {
  "changed": true,
  "cmd": ["k3s", "kubectl", "config", "set-cluster", "default", "--server=https://{{", "apiserver_endpoint", "|", "ansible.utils.ipwrap", "}}:6443", "--kubeconfig", "~root/.kube/config"],
  "delta": "0:00:00.286011",
  "end": "2022-10-28 07:47:02.626092",
  "msg": "non-zero return code",
  "rc": 1,
  "start": "2022-10-28 07:47:02.340081",
  "stderr": "error: Unexpected args: [default apiserver_endpoint | ansible.utils.ipwrap }}:6443]",
  "stderr_lines": ["error: Unexpected args: [default apiserver_endpoint | ansible.utils.ipwrap }}:6443]"],
  "stdout": "Set a cluster entry in kubeconfig.\n\n Specifying a name that already exists will merge new fields on top of existing values for those fields.\n\nExamples:\n  # Set only the server field on the e2e cluster entry without touching other values\n  kubectl config set-cluster e2e --server=https://1.2.3.4\n  \n  # Embed certificate authority data for the e2e cluster entry\n  kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt\n  \n  # Disable cert checking for the e2e cluster entry\n  kubectl config set-cluster e2e --insecure-skip-tls-verify=true\n  \n  # Set custom TLS server name to use for validation for the e2e cluster entry\n  kubectl config set-cluster e2e --tls-server-name=my-cluster-name\n  \n  # Set proxy url for the e2e cluster entry\n  kubectl config set-cluster e2e --proxy-url=https://1.2.3.4\n\nOptions:\n    --embed-certs=false:\n\tembed-certs for the cluster entry in kubeconfig\n\n    --proxy-url='':\n\tproxy-url for the cluster entry in kubeconfig\n\nUsage:\n  kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [--tls-server-name=example.com] [options]\n\nUse \"kubectl options\" for a list of global command-line options (applies to all commands).",
  "stdout_lines": [
    "Set a cluster entry in kubeconfig.",
    "",
    " Specifying a name that already exists will merge new fields on top of existing values for those fields.",
    "",
    "Examples:",
    "  # Set only the server field on the e2e cluster entry without touching other values",
    "  kubectl config set-cluster e2e --server=https://1.2.3.4",
    "  ",
    "  # Embed certificate authority data for the e2e cluster entry",
    "  kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt",
    "  ",
    "  # Disable cert checking for the e2e cluster entry",
    "  kubectl config set-cluster e2e --insecure-skip-tls-verify=true",
    "  ",
    "  # Set custom TLS server name to use for validation for the e2e cluster entry",
    "  kubectl config set-cluster e2e --tls-server-name=my-cluster-name",
    "  ",
    "  # Set proxy url for the e2e cluster entry",
    "  kubectl config set-cluster e2e --proxy-url=https://1.2.3.4",
    "",
    "Options:",
    "    --embed-certs=false:",
    "\tembed-certs for the cluster entry in kubeconfig",
    "",
    "    --proxy-url='':",
    "\tproxy-url for the cluster entry in kubeconfig",
    "",
    "Usage:",
    "  kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [--tls-server-name=example.com] [options]",
    "",
    "Use \"kubectl options\" for a list of global command-line options (applies to all commands)."
  ]
}
```

Context (variables)

Operating system: ubuntu 20.04

Hardware: proxmox QEMU VM

Variables Used

all.yml

```yaml
---
k3s_version: v1.24.6+k3s1
# this is the user that has ssh access to these machines
ansible_user: root
systemd_dir: /etc/systemd/system

# Set your timezone
system_timezone: "Europe/Berlin"

# interface which will be used for flannel
flannel_iface: "ens18"

# apiserver_endpoint is virtual ip-address which will be configured on each master
apiserver_endpoint: "10.1.0.200"

# k3s_token is required so masters can talk together securely
# this token should be alpha numeric only
k3s_token: "secret"

# The IP on which the node is reachable in the cluster.
# Here, a sensible default is provided, you can still override
# it for each of your hosts, though.
k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'

# Disable the taint manually by setting: k3s_master_taint = false
k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}"

# these arguments are recommended for servers as well as agents:
extra_args: >-
  --flannel-iface={{ flannel_iface }}
  --node-ip={{ k3s_node_ip }}

# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
extra_server_args: >-
  {{ extra_args }}
  {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
  --tls-san {{ apiserver_endpoint }}
  --disable servicelb
#  --disable traefik
extra_agent_args: >-
  {{ extra_args }}

# image tag for kube-vip
kube_vip_tag_version: "v0.5.5"

# image tag for metal lb
metal_lb_speaker_tag_version: "v0.13.6"
metal_lb_controller_tag_version: "v0.13.6"

# metallb ip range for load balancer
metal_lb_ip_range: "10.1.0.230-10.1.0.250"
```

what is this new tls-san variable?

what does it do and why has it recently become necessary?
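On the `--tls-san` question above, an added illustration that is not part of the issue or of the k3s-ansible project: k3s adds each `--tls-san` value to the Subject Alternative Names of its API server certificate, and the failing task writes `https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443` into the kubeconfig, so kubectl later verifies that certificate against the VIP. The SAN list and the node address are constructed sample values (the issue only shows `apiserver_endpoint: 10.1.0.200`), and `ipwrap` is a stdlib re-implementation of the filter's bracket-IPv6 behaviour, not the Ansible code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: SANs a k3s server certificate might carry on a node at
# 10.1.0.201 started with "--tls-san 10.1.0.200" (the VIP from the issue).
SAMPLE_CERT_SANS = {
    "dns": ["kubernetes", "kubernetes.default", "kubernetes.default.svc",
            "kubernetes.default.svc.cluster.local", "localhost", "k3s-master-1"],
    "ip": ["10.1.0.201", "10.1.0.200", "127.0.0.1", "10.43.0.1"],
}


def ipwrap(addr: str) -> str:
    """Same effect as ansible.utils.ipwrap in a URL: bracket IPv6 literals,
    leave IPv4 addresses and hostnames untouched (re-implemented here)."""
    try:
        if ipaddress.ip_address(addr).version == 6:
            return f"[{addr}]"
    except ValueError:
        pass  # hostname, not an IP literal: nothing to wrap
    return addr


def kubeconfig_server(endpoint: str, port: int = 6443) -> str:
    """The --server value the playbook's 'kubectl config set-cluster' writes."""
    return f"https://{ipwrap(endpoint)}:{port}"


def server_host(server_url: str) -> str:
    """Host that kubectl verifies against the certificate's SANs."""
    host = urlsplit(server_url).hostname  # strips scheme, brackets and port
    if host is None:
        raise ValueError(f"no host in {server_url!r}")
    return host


def san_covers(sans: dict, server_url: str) -> bool:
    """True if the host in server_url is listed in the certificate SANs.
    False means kubectl would refuse the connection with an x509 hostname
    mismatch, which is what happens if --tls-san does not include the VIP."""
    host = server_host(server_url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # DNS name: compare case-insensitively
        return host.lower() in (d.lower() for d in sans["dns"])
    return any(ip == ipaddress.ip_address(s) for s in sans["ip"])


if __name__ == "__main__":
    url = kubeconfig_server("10.1.0.200")
    print(url, "covered by cert SANs:", san_covers(SAMPLE_CERT_SANS, url))
    without_vip = {"dns": SAMPLE_CERT_SANS["dns"], "ip": ["10.1.0.201", "127.0.0.1", "10.43.0.1"]}
    print(url, "covered without --tls-san:", san_covers(without_vip, url))
```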

8270647 commented 1 year ago

Same issue.

8270647 commented 1 year ago

[resolved] Ensure you run 'ansible-galaxy collection install -r ./collections/requirements.yml' prior to running.