Fail if node cannot join the cluster because a <host>.node-password.rke2 secret already exists in cluster #335
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
There was a problem hiding this comment. we should not delete this file and put here logic with deleting secrets and diffed nodes like in previous deleted parts, and execute it if specific variables are set. This will cover all the cases like before in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,13 +5,22 @@ | |
| args: | ||
| executable: /bin/bash | ||
| changed_when: false | ||
| register: registered_node_names | ||
|
|
||
| - name: Restore etcd - cleanup <node>.node-password.rke2 secrets | ||
|
There was a problem hiding this comment. please delete the trailing whitespace https://github.com/lablabs/ansible-role-rke2/actions/runs/16873948643/job/49236826242 |
||
| ansible.builtin.shell: | | ||
| {{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \ | ||
| delete secret {{ item }}.node-password.rke2 -n kube-system 2>&1 || true | ||
| args: | ||
| executable: /bin/bash | ||
| with_items: "{{ registered_node_names.stdout_lines }}" | ||
| when: item != rke2_node_name | ||
|
|
||
| - name: Restore etcd - remove old (not existing) nodes | ||
| ansible.builtin.shell: | | ||
| {{ rke2_data_path }}/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml \ | ||
| delete node {{ item }} 2>&1 || true | ||
| args: | ||
| executable: /bin/bash | ||
| with_items: "{{ registered_node_names.stdout_lines | difference(groups[rke2_cluster_group_name]) }}" | ||
| changed_when: false | ||
|
There was a problem hiding this comment. this task should stay and should be triggered if another switch exists |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -46,6 +46,46 @@ | |
| when: (rke2_custom_registry_mirrors | length > 0 or rke2_custom_registry_configs | length > 0) | ||
| notify: "Config file changed" | ||
|
|
||
| - name: Get current nodes secrets | ||
| delegate_to: "{{ active_server }}" | ||
| run_once: true | ||
| block: | ||
| - name: Get list of existing node secrets | ||
| ansible.builtin.shell: | | ||
| set -o pipefail | ||
| "{{ rke2_data_path }}/bin/kubectl" --kubeconfig /etc/rancher/rke2/rke2.yaml \ | ||
| get secrets -n kube-system -o jsonpath="{.items[*].metadata.name}" | tr ' ' '\n' | grep -E 'node-password\.rke2$' | sed 's/\.node-password\.rke2//g' | ||
| args: | ||
| executable: /bin/bash | ||
| register: nodes_with_passwords # A node name on each line | ||
| changed_when: false | ||
| - name: Set fact for existing node passwords | ||
| ansible.builtin.set_fact: | ||
| nodes_with_existing_passwords: "{{ nodes_with_passwords.stdout_lines }}" | ||
|
|
||
|
|
||
| - name: Validate presence of node password file when secret exists | ||
| block: | ||
| - name: Register if rke2 password file exists | ||
| ansible.builtin.stat: | ||
| path: /etc/rancher/node/password | ||
| register: node_password_file | ||
|
|
||
| - name: Fail if the cluster already has a <hostname>.node-password.rke2 secret and the node doesn't have a password file | ||
| ansible.builtin.fail: | ||
| msg: | | ||
| The node password secret already exists for node name {{ rke2_node_name }}, but no password file exists in /etc/rancher/node/password! | ||
| The node will not be able to join the cluster with this node name without a password file matching the secret. | ||
| This can happen for a few reasons: | ||
| - The node was previously part of the cluster and RKE2 was removed without running `kubectl delete node {{ rke2_node_name }}`. | ||
| - The cluster etcd was restored from a backup from before the node was correctly removed from the cluster. | ||
| To join this node, please recreate the file with the password, use a different node name (rke2_node_name), or remove the secret from the cluster using: | ||
| kubectl delete secret {{ rke2_node_name}}.node-password.rke2 -n kube-system | ||
| when: | ||
|
There was a problem hiding this comment. please delete the trailing whitespace https://github.com/lablabs/ansible-role-rke2/actions/runs/16873948643/job/49236826242 |
||
| - rke2_node_name in nodes_with_existing_passwords | ||
| - not node_password_file.stat.exists | ||
|
|
||
| - name: Start RKE2 service on the rest of the nodes | ||
| ansible.builtin.systemd: | ||
| name: "{{ rke2_service_name }}" | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add this new variable also to the README.md file and to the argument_specs.yml