docs: kubeadm migration guide improvements

Add a note about service token issues.

Signed-off-by: Thomas Lemarchand <tlemarchand@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

website/content/v1.5/advanced/migrating-from-kubeadm.md

@@ -57,7 +57,7 @@ you can do the following:
 
    ```bash
    # inside a control plane node
-   kubeadm token create
+   kubeadm token create --ttl 0
    ```
 
 3. Create Talos secrets from the PKI directory you downloaded on step 1 and the token you generated on step 2:
@@ -93,45 +93,58 @@ you can do the following:
 7. Go through the rest of `controlplane.yaml` and `worker.yaml` to customize them according to your needs, especially :
     - `.cluster.secretboxEncryptionSecret` should be either removed if you don't currently use `EncryptionConfig` on your `kube-apiserver` or set to the correct value
 
-8. Bring up a Talos node to be the initial Talos control plane node.
+8. Make sure that, on your current Kubeadm cluster, the first `--service-account-issuer=` parameter in `/etc/kubernetes/manifests/kube-apiserver.yaml` is equal to the value of `.cluster.controlPlane.endpoint` in `controlplane.yaml`.
+   If it's not, add a new `--service-account-issuer=` parameter with the correct value before your current one in `/etc/kubernetes/manifests/kube-apiserver.yaml` on all of your control planes nodes, and restart the kube-apiserver containers.
 
-9. Apply the generated `controlplane.yaml` to the Talos control plane node:
+9. Bring up a Talos node to be the initial Talos control plane node.
+
+10. Apply the generated `controlplane.yaml` to the Talos control plane node:
 
     ```bash
     talosctl --nodes <TALOS_NODE_IP> apply-config --insecure --file controlplane.yaml
     ```
 
-10. Wait until the new control plane node joins the cluster and is ready.
+11. Wait until the new control plane node joins the cluster and is ready.
 
     ```bash
     kubectl get node -owide --watch
     ```
 
-11. Update your load balancer to point to the new control plane node.
+12. Update your load balancer to point to the new control plane node.
 
-12. Drain the old control plane node you are replacing:
+13. Drain the old control plane node you are replacing:
 
     ```bash
     kubectl drain <OLD_NODE> --delete-emptydir-data --force --ignore-daemonsets --timeout=10m
     ```
 
-13. Remove the old control plane node from the cluster:
+14. Remove the old control plane node from the cluster:
 
     ```bash
     kubectl delete node <OLD_NODE>
     ```
 
-14. Destroy the old node:
+15. Destroy the old node:
 
     ```bash
     # inside the node
     sudo kubeadm reset --force
     ```
 
-15. Repeat the same steps, starting from step 7, for all control plane nodes.
+16. Repeat the same steps, starting from step 7, for all control plane nodes.
 
-16. Repeat the same steps, starting from step 7, for all worker nodes while applying the `worker.yaml` instead and skipping the LB step:
+17. Repeat the same steps, starting from step 7, for all worker nodes while applying the `worker.yaml` instead and skipping the LB step:
 
     ```bash
     talosctl --nodes <TALOS_NODE_IP> apply-config --insecure --file worker.yaml
     ```
+
+18. Your kubeadm `kube-proxy` configuration may not be compatible with the one generated by Talos, which will make the Talos Kubernetes upgrades impossible (labels may not be the same, and `selector.matchLabels` is an immutable field).
+    To be sure, export your current kube-proxy daemonset manifest, check the labels, they have to be:
+
+    ```yaml
+    tier: node
+    k8s-app: kube-proxy
+    ```
+
+    If the are not, modify all the labels fields, save the file, delete your current kube-proxy daemonset, and apply the one you modified.

website/content/v1.6/advanced/migrating-from-kubeadm.md

@@ -57,7 +57,7 @@ you can do the following:
 
    ```bash
    # inside a control plane node
-   kubeadm token create
+   kubeadm token create --ttl 0
    ```
 
 3. Create Talos secrets from the PKI directory you downloaded on step 1 and the token you generated on step 2:
@@ -93,45 +93,58 @@ you can do the following:
 7. Go through the rest of `controlplane.yaml` and `worker.yaml` to customize them according to your needs, especially :
     - `.cluster.secretboxEncryptionSecret` should be either removed if you don't currently use `EncryptionConfig` on your `kube-apiserver` or set to the correct value
 
-8. Bring up a Talos node to be the initial Talos control plane node.
+8. Make sure that, on your current Kubeadm cluster, the first `--service-account-issuer=` parameter in `/etc/kubernetes/manifests/kube-apiserver.yaml` is equal to the value of `.cluster.controlPlane.endpoint` in `controlplane.yaml`.
+   If it's not, add a new `--service-account-issuer=` parameter with the correct value before your current one in `/etc/kubernetes/manifests/kube-apiserver.yaml` on all of your control planes nodes, and restart the kube-apiserver containers.
 
-9. Apply the generated `controlplane.yaml` to the Talos control plane node:
+9. Bring up a Talos node to be the initial Talos control plane node.
+
+10. Apply the generated `controlplane.yaml` to the Talos control plane node:
 
     ```bash
     talosctl --nodes <TALOS_NODE_IP> apply-config --insecure --file controlplane.yaml
     ```
 
-10. Wait until the new control plane node joins the cluster and is ready.
+11. Wait until the new control plane node joins the cluster and is ready.
 
     ```bash
     kubectl get node -owide --watch
     ```
 
-11. Update your load balancer to point to the new control plane node.
+12. Update your load balancer to point to the new control plane node.
 
-12. Drain the old control plane node you are replacing:
+13. Drain the old control plane node you are replacing:
 
     ```bash
     kubectl drain <OLD_NODE> --delete-emptydir-data --force --ignore-daemonsets --timeout=10m
     ```
 
-13. Remove the old control plane node from the cluster:
+14. Remove the old control plane node from the cluster:
 
     ```bash
     kubectl delete node <OLD_NODE>
     ```
 
-14. Destroy the old node:
+15. Destroy the old node:
 
     ```bash
     # inside the node
     sudo kubeadm reset --force
     ```
 
-15. Repeat the same steps, starting from step 7, for all control plane nodes.
+16. Repeat the same steps, starting from step 7, for all control plane nodes.
 
-16. Repeat the same steps, starting from step 7, for all worker nodes while applying the `worker.yaml` instead and skipping the LB step:
+17. Repeat the same steps, starting from step 7, for all worker nodes while applying the `worker.yaml` instead and skipping the LB step:
 
     ```bash
     talosctl --nodes <TALOS_NODE_IP> apply-config --insecure --file worker.yaml
     ```
+
+18. Your kubeadm `kube-proxy` configuration may not be compatible with the one generated by Talos, which will make the Talos Kubernetes upgrades impossible (labels may not be the same, and `selector.matchLabels` is an immutable field).
+    To be sure, export your current kube-proxy daemonset manifest, check the labels, they have to be:
+
+    ```yaml
+    tier: node
+    k8s-app: kube-proxy
+    ```
+
+    If the are not, modify all the labels fields, save the file, delete your current kube-proxy daemonset, and apply the one you modified.