Gen Certs Does Not Work With Multi-master

[rsmitty]

Okay, last issue I encountered. It seems that the gen_certs.yml file does not work as expected when deploying with multiple masters. The first three tasks, copy tokens generation script, generate tokens for master components, and generate tokens for node components all seemed to fail for me. This is because of some combination of the run_once directive and the inventory_hostname == groups['kube-master'][0] filter. It seems that the first inventory_hostname is not groups['kube-master'][0], and since the run_once is defined, it only tries that one host. Commenting out run_once works, but I don't think it's a good fix. Need to do some digging on how we can always target the first master in combination with the run_once. More digging to do in that regard.

[Smana]

could you please share your inventory?
in our tests the masters are in the kube-node group too. What about you?

[rsmitty]

They are not in the kube-node group. Seems like that would allow scheduling of pods to my master nodes, which I'd rather not do. The architecture I've been working with thus far has been 3 controllers (also hosting etcd) and 3 worker nodes. Here's a sample inventory.

[kube-master]
xxx.yyy.zzz.169 ansible_ssh_user=centos
xxx.yyy.zzz.87 ansible_ssh_user=centos
xxx.yyy.zzz.85 ansible_ssh_user=centos

[etcd]
xxx.yyy.zzz.169 ansible_ssh_user=centos
xxx.yyy.zzz.87 ansible_ssh_user=centos
xxx.yyy.zzz.85 ansible_ssh_user=centos

[kube-node]
xxx.yyy.zzz.80 ansible_ssh_user=centos
xxx.yyy.zzz.90 ansible_ssh_user=centos
xxx.yyy.zzz.18 ansible_ssh_user=centos

[k8s-cluster:children]
kube-node
kube-master

[Smana]

Ok, i will do some tests with your inventory. thank you :)

[Smana]

Hi @rsmitty, Please confirm that the change fixes your issue.

[rsmitty]

Confirmed working for me. Awesome awesome awesome! Thank you.