Skip to content

Fail if node cannot join the cluster because a <host>.node-password.rke2 secret already exists in cluster #335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Fail if node cannot join the cluster because a <host>.node-password.rke2 secret already exists in cluster #335

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
3dc105b
add the fail condition
simonfelding Jul 10, 2025
8917178
remove first_server_restore.yml from main.yml
simonfelding Jul 10, 2025
41bb39b
better variables
simonfelding Jul 10, 2025
ae322a7
set -o pipefail
simonfelding Jul 10, 2025
f519b6d
Revert "remove first_server_restore.yml from main.yml"
michalg91 Jul 10, 2025
e061595
allow some dangerous parts to be executed
michalg91 Jul 10, 2025
b619d09
add changed_when:false to get current nodes secrets
michalg91 Jul 15, 2025
294190d
Merge pull request #1 from michalg91/simonfelding-remove-dangerous-et…
simonfelding Aug 11, 2025
e15630f
Merge branch 'lablabs:main' into remove-dangerous-etcd-restoring-code
simonfelding Aug 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 0 additions & 38 deletions tasks/first_server.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,44 +152,6 @@
- not ansible_check_mode
- rke2_cni != 'none'

- name: Restore etcd
when: do_etcd_restore is defined or do_etcd_restore_from_s3 is defined
block:
- name: Get registered nodes
ansible.builtin.shell:
cmd: |
set -o pipefail
{{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \
get nodes --no-headers | awk '{print $1}'
args:
executable: /bin/bash
changed_when: false
register: registered_node_names

- name: Get all node names
ansible.builtin.set_fact:
node_names: "{{ hostvars | dict2items | map(attribute='value.rke2_node_name') }}"
run_once: true
register: node_names

- name: Remove old <node>.node-password.rke2 secrets
ansible.builtin.shell: |
{{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \
delete secret {{ item }}.node-password.rke2 -n kube-system 2>&1 || true
args:
executable: /bin/bash
with_items: "{{ registered_node_names.stdout_lines | difference(node_names) }}"
changed_when: false

- name: Remove old nodes
ansible.builtin.shell: |
{{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \
delete node {{ item }} 2>&1 || true
args:
executable: /bin/bash
with_items: "{{ registered_node_names.stdout_lines | difference(node_names) }}"
changed_when: false

- name: Set an Active Server variable
ansible.builtin.set_fact:
active_server: "{{ inventory_hostname }}"
Expand Down
17 changes: 0 additions & 17 deletions tasks/first_server_restore.yml
View file
Open in desktop
Copy link

@michalg91 michalg91 Jul 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should not delete this file and put here logic with deleting secrets and diffed nodes like in previous deleted parts, and execute it if specific variables are set. This will cover all the cases like before in 1.37.0 Restoring cluster with same node names, restoring cluster with efemeral node names etc.

This file was deleted.

7 changes: 0 additions & 7 deletions tasks/main.yml
View file
Open in desktop
Copy link

@michalg91 michalg91 Jul 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this task should stay and should be triggered if another switch exists eg. rke2_cleanup_secrets. This file is only triggered on fresh unprovisioned and just restored cluster.

Original file line number Diff line number Diff line change
Expand Up @@ -51,13 +51,6 @@
- inventory_hostname == groups[rke2_servers_group_name].0
- active_server is not defined

- name: Restore etcd specific tasks
ansible.builtin.include_tasks: first_server_restore.yml
when:
- active_server is defined
- inventory_hostname == active_server or inventory_hostname == groups[rke2_servers_group_name].0
- do_etcd_restore is defined or do_etcd_restore_from_s3 is defined

- name: Prepare and join remaining nodes of the cluster
ansible.builtin.include_tasks: remaining_nodes.yml
when:
Expand Down
27 changes: 27 additions & 0 deletions tasks/remaining_nodes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,33 @@
when: (rke2_custom_registry_mirrors | length > 0 or rke2_custom_registry_configs | length > 0)
notify: "Config file changed"

- name: Fail if the cluster already has a <hostname>.node-password.rke2 secret and the node doesn't have a password file
block:
- name: Get list of existing node secrets
when: inventory_hostname is active_server
ansible.builtin.shell: |
set -o pipefail
{{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \
get secrets -n kube-system -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -E 'node-password\.rke2$' | sed s/.node-password.rke2//g
args:
executable: /bin/bash
register: nodes_with_passwords # A node name on each line
- name: Set fact for existing node passwords
ansible.builtin.set_fact:
nodes_with_existing_passwords: "{{ nodes_with_passwords.stdout_lines }}"
when: inventory_hostname is active_server
- name: Warn if the node password already exists and /etc/rancher/node/password does not exist on the node
ansible.builtin.fail:
msg: "The node password secret already exists for node name {{ rke2_node_name }}, but no password file exists in /etc/rancher/node/password!\n\
The node will not be able to join the cluster with this node name without a password file matching the secret.\n\n\
This can happen for a few reasons:\n\
- The node was previously part of the cluster and RKE2 was removed without running `kubectl delete node {{ rke2_node_name }}`.\n\
- The cluster etcd was restored from a backup from before the node was correctly removed from the cluster.\n\n\
To join this node, please recreate the file with the password, use a different node name (rke2_node_name), or remove the secret from the cluster using:\n\
kubectl delete secret {{ rke2_node_name}}.node-password.rke2 -n kube-system"
when: rke2_node_name in nodes_with_existing_passwords
and not ansible.builtin.stat(path="/etc/rancher/node/password").stat.exists

- name: Start RKE2 service on the rest of the nodes
ansible.builtin.systemd:
name: "{{ rke2_service_name }}"
Expand Down