Conversation
|
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 0da3d32 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5c87d2e3d18c47000808dfa5 |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/sig cluster-lifecycle |
|
in this PR we are going to have to document that there is no config field for the copy-certs functionality and we have to either pass everything as flags for HA |
|
@kubernetes/sig-cluster-lifecycle-pr-reviews |
|
/assign @fabriziopandini |
| cluster. | ||
| - Copy this output to a text file. You will need it later to join control plane and worker nodes to the cluster. | ||
| - When `--experimental-upload-certs` is used with `kubeadm init`, the certificates of the primary control plane | ||
| are uploaded to the cluster in a Secret and encrypted. |
There was a problem hiding this comment.
Maybe are encrypted and uploaded to the kubeadm-certs secret
| - It's recommended that you join new control plane nodes in a sequence, only after the first node has finished initializing. | ||
|
|
||
| 1. Copy the certificate files from the first control plane node to the rest: | ||
| 1. Optionally copy the `admin.conf` file from the first control plane node to the rest: |
There was a problem hiding this comment.
Why we should copy this config? [1]
There was a problem hiding this comment.
to use kubectl on the other CP nodes.
i'm OK with removing this but waiting on review by @fabriziopandini
There was a problem hiding this comment.
The join don't generate a config?
There was a problem hiding this comment.
that's actually a good point...
possibly best to remove this anyway.
@Klaven please remove these lines/steps
- Optionally copy the
admin.conf...
and
- Optionally move the
admin.conffile created...
There was a problem hiding this comment.
It is not necessary to copy the admin.conf file
However, I think we should still provide user instruction for manually copy certs if they want to opt out from the --experimental-upload-certs feature, so my suggestion is to move everyting related to "configure SSH" and scp certs (without the admin.conf file) in a dedicated paragraph "manual certs distribution"
| ### Steps for the rest of the control plane nodes | ||
|
|
||
| 1. Move the files created by the previous step where `scp` was used: | ||
| 1. Optionally move the `admin.conf` file created by the previous step where `scp` was used: |
|
/priority important-soon |
2534806 to
ead0a28
Compare
fabriziopandini
left a comment
There was a problem hiding this comment.
@Klaven great to see this work!
I think we can simplify the doc by moving "Configure SSH", and all the manual copy instruction under a separated paragraph "manual certs distribution".
In other words, the main workflow described should focus on using automatic copy, but there should be a note "if instead you want to copy certs manually/using automation tools, please refer to "manual copy certs" paragraph.
Additionally, if you don't mind, there are also following possible improvements to this doc:
- L22 (before your change) Change "Your clusters must run Kubernetes version 1.12 or later." into "This document refers to kubeadm version 1.14; similar documents are available for preview version as well"
- L60 (before your change) Remove "{{< note >}} The following examples run Calico ..." Not true anymore
- L71 (before your change) Remove "{{< note >}} {{< note >}} All commands ...". It seems out of context here and from a quick check there is already
sudobefore all command - L163 (before your change) Remove
apiServerfield and nestedCertsSANslist (not necessary) - L295 (before your change) Same (remove
apiServer/CertsSANs) - L343 (before your change) Remove Install a pod network, it is already part of the instructions above (eventually the content of the paragraph con be moved above)
| sudo kubeadm init --config=kubeadm-config.yaml --experimental-upload-certs | ||
| ``` | ||
|
|
||
| - The `--experimental-upload-certs` flags is used to upload the control plane |
There was a problem hiding this comment.
What about:
"The --experimental-upload-certs flags is used to upload the certificates that should be shared across all the control-plane instances to the cluster; If instead, you prefer to copy certs across control-plane nodes manually or using automation tools, please remove this flag and refer to "manual certs distribution" paragraph"
| - Copy this output to a text file. You will need it later to join control plane and worker nodes to the cluster. | ||
| - When `--experimental-upload-certs` is used with `kubeadm init`, the certificates of the primary control plane | ||
| are uploaded to the cluster in a Secret and encrypted. | ||
| - When joining new control plane nodes using `kubeadm join ... --experimental-control-plane`, |
There was a problem hiding this comment.
Please move this point after the kubeadm join --experimental-control-plane command (L256 before your changes)
| ``` | ||
|
|
||
| - It's recommended that you join new control plane nodes only after the first node has finished initializing. | ||
| - It's recommended that you join new control plane nodes in a sequence, only after the first node has finished initializing. |
There was a problem hiding this comment.
Please move this point before/after the kubeadm join --experimental-control-plane command (L256 before your changes)
| - It's recommended that you join new control plane nodes in a sequence, only after the first node has finished initializing. | ||
|
|
||
| 1. Copy the certificate files from the first control plane node to the rest: | ||
| 1. Optionally copy the `admin.conf` file from the first control plane node to the rest: |
There was a problem hiding this comment.
It is not necessary to copy the admin.conf file
However, I think we should still provide user instruction for manually copy certs if they want to opt out from the --experimental-upload-certs feature, so my suggestion is to move everyting related to "configure SSH" and scp certs (without the admin.conf file) in a dedicated paragraph "manual certs distribution"
| - `ETCD_2_IP` | ||
|
|
||
| 1. Run `kubeadm init --config kubeadm-config.yaml` on this node. | ||
| 1. Run `kubeadm init --config kubeadm-config.yaml --experimental-upload-certs` on this node. |
There was a problem hiding this comment.
@yagonobre I don't remember if certificates for the external etcd are copied automatically or not...
If not, we should add a note that the user must take care of distributing those certs on all control-plane nodes
There was a problem hiding this comment.
it's upload, we only skip certs upload in case of external ca.
| ... | ||
| You can now join any number of machines by running the following on each node | ||
| as root: | ||
| You can now join any number of control-plane node running the following command on each as a root: |
There was a problem hiding this comment.
| You can now join any number of control-plane node running the following command on each as a root: | |
| You can now join any number of control-plane nodes by running the following command on each as a root: |
There was a problem hiding this comment.
this is a CLI typo, can't fix here.
edit: well we can, but we need to fix in kubeadm too.
| kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --experimental-control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07 | ||
|
|
||
| kubeadm join 192.168.0.200:6443 --token j04n3m.octy8zely83cy2ts --discovery-token-ca-cert-hash sha256:84938d2a22203a8e56a787ec0c6ddad7bc7dbd52ebabc62fd5f4dbea72b14d1f | ||
| Please note that the certificate-key gives access to cluster sensitive data, keep it secret! |
There was a problem hiding this comment.
Maybe highlight this a bit more by wrapping it in note tags
| ``` | ||
|
|
||
| - It's recommended that you join new control plane nodes only after the first node has finished initializing. | ||
| - It's recommended that you join new control plane nodes in a sequence, only after the first node has finished initializing. |
There was a problem hiding this comment.
| - It's recommended that you join new control plane nodes in a sequence, only after the first node has finished initializing. | |
| - It's recommended that you join new control plane nodes sequentially, only after the first node has finished initializing. |
|
/close |
|
@neolit123: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
this PR will update the kubeadm reference documentation regarding HA for 1.14.
xref: kubernetes/kubeadm#1422
/sig cluster-lifecycle