This message was deleted Rancher Users #k3s

Join Slack Communities

This message was deleted.

# k3s

adamant-kite-43734

06/17/2023, 12:53 PM

This message was deleted.

creamy-pencil-82913

06/17/2023, 5:47 PM

Can you show how you created the token and passed it to the agent?

creamy-pencil-82913

06/17/2023, 5:49 PM

Did the node ever join the cluster? If it did join once, there should be a node for it, and it will try to use node identity to authenticate instead of the token. If you delete the node from the cluster, you may have to clean some files from the agent to get it to use the token again.

creamy-pencil-82913

06/17/2023, 5:50 PM

If you can describe exactly what steps you followed that would be helpful

worried-jackal-89144

06/17/2023, 8:42 PM

Thanx @creamy-pencil-82913 At the end I scraped all the VMs and created them from scratch with terraform. And after fixing some bugs it was correctly added. What I did (maybe it can be useful for someone): 1. token was created with:

k3s token create  --ttl 10m

2. it was passed to the install script using K3S_TOKEN env variable. Probably the issue was that I created one token, and passed it to the install script. k3s agent was not able to start properly. I fixed something and then created a new token and passed it to the install script. But IMHO install script is not restarting/refreshing the service with new token and it was probably outdated. I think better option to pass the token might be by using either file or config file, and then restarting the service.

worried-jackal-89144

06/17/2023, 9:25 PM

I did some experiments. I deleted a node from the cluster (

kubectl delete node xxx

) and tried either the original token (one used for bootstraping the node) or a fresh new one but in both cases I get the 401 Unauthorized error message

worried-jackal-89144

06/17/2023, 9:34 PM

I followed: https://docs.k3s.io/architecture#how-agent-node-registration-works and deleted /etc/rancher/node/password from the agent node

worried-jackal-89144

06/17/2023, 10:15 PM

To bootstrap again the node after it was deleted I had to execute:

Copy code

root@dev-worker-0:/var/lib/rancher/k3s/agent# rm -r  /etc/rancher/node/ client-kubelet.crt client-kubelet.key kubelet.kubeconfig serving-kubelet.crt serving-kubelet.key k3scontroller.kubeconfig client-k3s-controller.crt client-k3s-controller.key kubeproxy.kubeconfig

It might not be the minimal set of files to delete

creamy-pencil-82913

06/18/2023, 3:32 AM

Would you mind opening an issue on GH? The agent should probably handle this better.

creamy-pencil-82913

06/18/2023, 3:32 AM

All you should need to delete is the client-kubelet cert and key, I believe

creamy-pencil-82913

06/18/2023, 3:33 AM

Maybe the kubeconfig too?

worried-jackal-89144

06/18/2023, 6:54 PM

I deleted

rm -r  /etc/rancher/node/ /var/lib/rancher/k3s/agent/client-kubelet.crt /var/lib/rancher/k3s/agent/client-kubelet.key

and it was enough.

worried-jackal-89144

06/18/2023, 7:07 PM

Thanx @creamy-pencil-82913. I just have reported this as a bug here https://github.com/k3s-io/k3s/issues/7797

creamy-pencil-82913

06/18/2023, 7:12 PM

It should probably just fall back to the token if node identity fails. Should be fixable by the July releases, June will be out early next week so it's too late for that.

👍 1

211 Views

Open in Slack

Previous Next