2 changes: 1 addition & 1 deletion ansible/bootstrap.yml
Expand Up @@ -312,4 +312,4 @@
tasks:
- ansible.builtin.include_role:
name: k3s
tasks_from: install.yml
tasks_from: "{{ 'install.yml' if 'builder' in group_names else 'runtime.yml' }}"
1 change: 1 addition & 0 deletions ansible/roles/k3s/defaults/main.yml
Expand Up @@ -3,3 +3,4 @@ k3s_version: "v1.31.0+k3s1"
k3s_selinux_release: v1.6.latest.1
k3s_selinux_rpm_version: 1.6-1
k3s_helm_version: v3.11.0
k3s_bootstrap_token_expiry: 20m
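Review bot: `k3s_bootstrap_token_expiry: 20m` is added without a comment saying what the value bounds, and it is not obvious from the defaults file alone that it is passed straight to `k3s token create --ttl` in runtime.yml and therefore has to outlast the gap between the server-side token task and the agents' `k3s-agent` start in the same play. A one-line comment above it would save the next reader a trip through the role: `# TTL for the join token created by 'k3s token create' in tasks/runtime.yml; must cover the time until agents start`. Quoting it as `"20m"` would also match the style of `k3s_version` above.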
44 changes: 0 additions & 44 deletions ansible/roles/k3s/files/start_k3s.yml

This file was deleted.

5 changes: 0 additions & 5 deletions ansible/roles/k3s/tasks/install.yml
Expand Up @@ -71,8 +71,3 @@
ansible.builtin.lineinfile:
path: /etc/environment
line: "KUBECONFIG=/etc/rancher/k3s/k3s.yaml"

- name: Install ansible-init playbook for k3s agent or server activation
copy:
src: start_k3s.yml
dest: /etc/ansible-init/playbooks/0-start-k3s.yml
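--- a/ansible/roles/k3s/tasks/runtime.yml
+++ b/ansible/roles/k3s/tasks/runtime.yml
@@ -0,0 +1,64 @@
+---
+- name: Check if k3s agents are already connected
+service_facts:
+register: services_state
+
+- name: Initialise and authenticate k3s server and agents
+vars:
+k3s_server_name: "{{ hostvars[groups['k3s_server'].0].ansible_host }}"
+access_ip: "{{ ansible_host }}"
+services_states: > # getting list of all unique agent service states
+groups['k3s_agent']
+| map('extract', hostvars, ['services', 'k3s-agent.service', 'state'])
+| unique
+when: not (services_state | length == 1 and services_state[0] == 'running')
+block:
+- name: Initialise server and generate bootstrap tokens
+when: inventory_hostname in groups['k3s_server']
+block:
+- name: Template k3s env file
+ansible.builtin.template:
+dest: /etc/systemd/system/k3s.service.env
+src: k3s.service.env.j2
+
+- name: Start k3s server
+ansible.builtin.systemd:
+name: k3s
+daemon_reload: true
+state: started
+enabled: true
+
+- name: Generate bootstrap token
+no_log: true
+shell:
+cmd: "k3s token create --ttl {{ k3s_bootstrap_token_expiry }}"
+register: _token_output
+
+- name: Initialise agents
+when: inventory_hostname in groups['k3s_agent']
+block:
+- name: Template k3s agent env file
+ansible.builtin.template:
+dest: /etc/systemd/system/k3s-agent.service.env
+src: k3s-agent.service.env.j2
+
+- name: Ensure password directory exists
+ansible.builtin.file:
+path: "/etc/rancher/node"
+state: directory
+
+- name: Write node password
+ansible.builtin.copy:
+dest: /etc/rancher/node/password
+content: "{{ vault_k3s_node_password }}"
+owner: root
+group: root
+mode: 640 # normal k3s install is 644 but that doesn't feel right
+
+- name: Start k3s agent
+ansible.builtin.systemd:
+name: k3s-agent
+daemon_reload: true
+state: started
+enabled: true
+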
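Review bot: `mode: 640` on the "Write node password" task is an unquoted YAML integer, so Ansible receives decimal 640 (octal 01200) rather than the intended rw-r-----; it should be `mode: "0640"` (quoted, with the leading zero), and the inline comment can stay. The `when:` on the outer block tests `services_state`, which is the registered `service_facts` result (a dict), not the `services_states` list built in `vars:` directly above it, so the `length == 1` comparison is made against the dict, the block appears to always run, and `services_states` is never read; the intent looks like `when: not (services_states | length == 1 and services_states[0] == 'running')`. The two `ansible.builtin.template` tasks for `k3s.service.env` and `k3s-agent.service.env` set no `owner`/`group`/`mode`, and the agent file carries `K3S_TOKEN`, so it should be written with `mode: "0600"` like the password file rather than the umask default. `k3s_server_name` indexes `groups['k3s_server'].0` while the inventory comment says the group should be a single node; an `ansible.builtin.assert` that `groups['k3s_server'] | length == 1` at the top of this file would make that precondition fail loudly instead of silently picking the first host.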
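--- a/ansible/roles/k3s/templates/k3s-agent.service.env.j2
+++ b/ansible/roles/k3s/templates/k3s-agent.service.env.j2
@@ -0,0 +1,3 @@
+K3S_NODE_IP={{ access_ip }}
+K3S_TOKEN={{ hostvars[groups['control'] | first]._token_output.stdout }}
+K3S_URL=https://{{ k3s_server_name }}:6443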
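Review bot: `K3S_TOKEN` reads `_token_output` from `hostvars[groups['control'] | first]`, but runtime.yml only registers `_token_output` on hosts in `groups['k3s_server']` and derives `k3s_server_name` (used on the next line) from `groups['k3s_server'].0`; if the server is not the first `control` host, or `control` is empty, this template fails with an undefined variable. Using the same group in both places keeps the server selection in one spot: `K3S_TOKEN={{ hostvars[groups['k3s_server'] | first]._token_output.stdout }}`. A header comment noting that this file is consumed by the k3s-agent systemd unit and contains the join token would also help whoever next touches the role.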
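--- a/ansible/roles/k3s/templates/k3s.service.env.j2
+++ b/ansible/roles/k3s/templates/k3s.service.env.j2
@@ -0,0 +1 @@
+K3S_NODE_IP={{ access_ip }}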
2 changes: 1 addition & 1 deletion ansible/roles/passwords/defaults/main.yml
Expand Up @@ -8,7 +8,7 @@ slurm_appliance_secrets:
vault_openhpc_mungekey: "{{ secrets_openhpc_mungekey | default(vault_openhpc_mungekey | default(secrets_openhpc_mungekey_default)) }}"
vault_freeipa_ds_password: "{{ vault_freeipa_ds_password | default(lookup('password', '/dev/null')) }}"
vault_freeipa_admin_password: "{{ vault_freeipa_admin_password | default(lookup('password', '/dev/null')) }}"
vault_k3s_token: "{{ vault_k3s_token | default(lookup('ansible.builtin.password', '/dev/null', length=64)) }}"
vault_k3s_node_password: "{{ vault_k3s_node_password | default(lookup('ansible.builtin.password', '/dev/null', length=64)) }}"
vault_pulp_admin_password: "{{ vault_pulp_admin_password | default(lookup('password', '/dev/null', chars=['ascii_letters', 'digits'])) }}"
vault_demo_user_password: "{{ vault_demo_user_password | default(lookup('password', '/dev/null')) }}"


This file was deleted.

10 changes: 9 additions & 1 deletion environments/common/inventory/groups
Expand Up @@ -145,8 +145,16 @@ freeipa_client
[compute_init]
# EXPERIMENTAL: Compute hosts to enable joining cluster on boot on

[k3s]
[k3s:children]
# Hosts to run k3s server/agent
k3s_server
k3s_agent

[k3s_server]
# Hosts to run k3s server (should only be single node i.e control node)

[k3s_agent]
# Hosts to run k3s agent

[k9s]
# Hosts to install k9s on
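Review bot: The `[k3s_server]` comment says the group "should only be single node", but nothing in the inventory or the role enforces it, and runtime.yml on this page indexes `groups['k3s_server'].0` while the agent template uses `groups['control'] | first`, so a second member would be silently ignored rather than rejected. Stating the consequence in the comment would make the constraint actionable: `# Hosts to run k3s server. Must contain exactly one host (normally the control node); only the first member is used as the join target`. An assert task at the start of the k3s runtime tasks would be the place to enforce it.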
11 changes: 8 additions & 3 deletions environments/common/layouts/everything
Expand Up @@ -97,9 +97,14 @@ cluster
# EXPERIMENTAL: Compute hosts to enable joining cluster on boot on
compute

[k3s:children]
# Hosts to run k3s server/agent
openhpc
[k3s_server:children]
# Hosts to run k3s server (should only be single node i.e control node)
control

[k3s_agent:children]
# Hosts to run k3s agent
compute
login

[k9s:children]
# Hosts to install k9s on
Expand Up @@ -29,7 +29,6 @@ module "compute" {
availability_zone = lookup(each.value, "availability_zone", "nova")

# computed
k3s_token = local.k3s_token
# not using openstack_compute_instance_v2.control.access_ip_v4 to avoid
# updates to node metadata on deletion/recreation of the control node:
control_address = openstack_networking_port_v2.control[var.cluster_networks[0].network].all_fixed_ips[0]
Expand Up @@ -59,7 +59,6 @@ resource "openstack_compute_instance_v2" "control" {

metadata = {
environment_root = var.environment_root
k3s_token = local.k3s_token
access_ip = openstack_networking_port_v2.control[var.cluster_networks[0].network].all_fixed_ips[0]
}

Expand Up @@ -33,7 +33,6 @@ module "login" {
ignore_image_changes = false

# computed
k3s_token = local.k3s_token
# not using openstack_compute_instance_v2.control.access_ip_v4 to avoid
# updates to node metadata on deletion/recreation of the control node:
control_address = openstack_networking_port_v2.control[var.cluster_networks[0].network].all_fixed_ips[0]
Expand Up @@ -85,7 +85,6 @@ resource "openstack_compute_instance_v2" "compute_fixed_image" {
metadata = merge(
{
environment_root = var.environment_root
k3s_token = var.k3s_token
control_address = var.control_address
access_ip = openstack_networking_port_v2.compute["${each.key}-${var.networks[0].network}"].all_fixed_ips[0]
},
Expand Down Expand Up @@ -139,7 +138,6 @@ resource "openstack_compute_instance_v2" "compute" {
metadata = merge(
{
environment_root = var.environment_root
k3s_token = var.k3s_token
control_address = var.control_address
access_ip = openstack_networking_port_v2.compute["${each.key}-${var.networks[0].network}"].all_fixed_ips[0]
},
Expand Up @@ -70,10 +70,6 @@ variable "security_group_ids" {
type = list
}

variable "k3s_token" {
type = string
}

variable "control_address" {
description = "Name/address of control node"
type = string
Expand Up @@ -189,7 +189,3 @@ variable "inventory_secrets_path" {
type = string
default = ""
}

locals {
k3s_token = data.external.inventory_secrets.result["vault_k3s_token"]
}