[Kubernetes] Make HA master setup compatible with SONiC buildimage join process

[isabelmsft]

Description of PR

Summary:
Make HA master setup compatible with automated SONiC buildimage join process

• Bug fix
• Testbed and Framework(new/improvement)
• Test case(new/improvement)

Approach

What is the motivation for this PR?

The current SONiC buildimage assumes the Kubernetes conf file is available at HTTP server on master; this conf file is used to join the SONiC worker node to the Kubernetes master. Previously, the HA testbed master expected SONiC worker nodes to join manually via a command output during master initialization. This PR allows automated join of the SONiC DUT to the HA Kubernetes master by downloading the necessary conf file from a new HTTP server hosted at the master VIP.

How did you do it?

• Host Apache server on HAProxy node, as the SONiC worker node communicates with the VIP (IP of HAProxy node)
• Set up necessary firewall and SSL certs
• Copy conf file from Kubernetes master to HAProxy node and enable download
• Change HAProxy node to be listening on port 6443 (to be compatible with port_check in SONiC buildimage)

How did you verify/test it?

• Created HA master on testbed server via testbed-cli.sh script
• Joined SONiC DUT automatically by configuring master server VIP via sudo config kube server ip <HAPROXY NODE IP/VIP>
• show kube server on SONiC DUT shows master is connected
• kubectl get nodes on master shows all 3 master nodes and SONiC DUT

[qiluo-msft]

/tmp/helper/ [](start = 10, length = 12)

Why not set dest to /var/www/html directly? #Closed

[isabelmsft]

This saves the file to host server so that the file can be transferred from one VM to another VM. init_master_leader.yml is running on Master1 VM, but I need the file on the HAProxy VM

[qiluo-msft]

Then you may remove this fetch completely, and use below copy with src as /etc/kubernetes/admin.conf ?

---

In reply to: 508867244 [](ancestors = 508867244)

[isabelmsft]

Then I get this error:
"Could not find or access '/etc/kubernetes/admin.conf' on the Ansible Controller. When I wrote the original code I also thought there would be a more straightforward way to copy the file from one VM to another, but using the /tmp directory was the only way I tried that worked for me

[qiluo-msft]

I understand now. Please give correct comments, especially on the src/dest machines.

---

In reply to: 508884204 [](ancestors = 508884204,508867244)

[isabelmsft]

To clarify, I get that error because the /etc/kubernetes/admin.conf is on the server, not on the VM.
For fetch module:

• src is the master VM, on which /etc/kubernetes/admin.conf is present
• dest is the server

For copy module:

• src is the server
• dest is the HAProxy VM

[qiluo-msft]

777 [](start = 11, length = 3)

Everyone can write or del it, is it safe? #Closed

[isabelmsft]

I changed to 755 permissions. This was the most restrictive I could make it while ensuring that the SONiC DUT could still download the file properly. This is also in-line with the response here https://askubuntu.com/questions/451922/apache-access-denied-because-search-permissions-are-missing

[qiluo-msft]

777 [](start = 11, length = 3)

Is it too broad permission? #Closed

[isabelmsft]

I changed to 755 permissions. This was the most restrictive I could make it while ensuring that the SONiC DUT could still download the file properly. This is also in-line with the response here https://askubuntu.com/questions/451922/apache-access-denied-because-search-permissions-are-missing

[qiluo-msft]

Apaache [](start = 15, length = 7)

typo? #Closed

[isabelmsft]

Yes, fixed :)

[qiluo-msft]

beadm init --control-plane-endpoint {{ haproxy_ip }}:{{ k8 [](start = 11, length = 58)

This line is too long to read. Could you split? #Closed

[isabelmsft]

Yes, I split it

[qiluo-msft]

As comments

[isabelmsft]

retest vsimage please