Description
What steps did you take and what happened:
I setup an e2e test for CAPO and in some cases nodes were not able to join the cluster.
What did you expect to happen:
Nodes are able to join the cluster
Anything else you would like to add:
(See also: https://kubernetes.slack.com/archives/C8TSNPY4T/p1585035222084200)
To be clear that's not a problem for me anymore, but maybe for somebody else. I'm opening this issue only to discuss if we should change anything. My use case is already solved.
I'm currently setting up e2e tests for CAPO in OpenLab. These tests are not using the built-in images / binaries from the OS. Before kubeadm runs, CI artifacts are downloaded from the kubernetes-release-dev GCS bucket. Because of oversubscription of the underlying OpenStack and some not-ideal bootstrap code (installing and using gsutil instead of just curl), this sometimes took over 20 min. The kubeadm join call then failed because the bootstrap token was not valid anymore.
The kubeadm bootstrapper generates bootstrap tokens with a (hard-coded) default TTL of 15 minutes. These tokens are renewed/refreshed until the infrastructure (e.g. OpenStackMachine) is marked as ready. In case of CAPA/CAPO this means the VM is in state running/active. The problem is now that if it takes longer then 15 minutes after the VM is in state running/active to execute kubeadm join, so the bootstrap token won't be valid anymore. As I said I solved my problem already (by speeding up the ci artifacts download).
Some ideas how this can be solved, if we want to change anything:
- increase the hard coded default TTL
- make the TTL configurable
- refresh the token until the node joined the cluster (if we want, we can even revoke it after the node has joined)
Environment:
- Cluster-api version: v0.3.2
- Minikube/KIND version: 0.7.0
- Kubernetes version: (use
kubectl version): 1.17.3
/kind bug