Open
When using a configuration very similar to your example (except supplying our own bootstrap token, of course), the nodes fail to come online because they can't retrieve the CA token.
Notice: /Stage[main]/K8s::Common/File[/root/.kube]/ensure: created
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Remove broken CA]/returns: executed successfully
Info: /Stage[main]/K8s::Node::Kubelet/Exec[Remove broken CA]: Scheduling refresh of Exec[Retrieve K8s CA]
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: E0422 22:52:02.097623 1309935 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: E0422 22:52:02.102260 1309935 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: E0422 22:52:02.106345 1309935 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: E0422 22:52:02.110465 1309935 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: E0422 22:52:02.115065 1309935 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: Error from server (Forbidden): unknown
Error: 'kubectl --server='https://example-k8s.example.com:6443' --username=anonymous --insecure-skip-tls-verify=true get --namespace=kube-system configmap cluster-info --output=jsonpath={.data.ca} > '/var/lib/kubelet/pki/ca.pem'' returned 1 instead of one of [0]
Error: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]/returns: change from 'notrun' to ['0'] failed: 'kubectl --server='https://example-k8s.example.com:6443' --username=anonymous --insecure-skip-tls-verify=true get --namespace=kube-system configmap cluster-info --output=jsonpath={.data.ca} > '/var/lib/kubelet/pki/ca.pem'' returned 1 instead of one of [0]
Notice: /Stage[main]/K8s::Node::Kubelet/Exec[Retrieve K8s CA]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/K8s::Node::Kubelet/Kubeconfig[/srv/kubernetes/bootstrap-kubelet.kubeconf]: Dependency Exec[Retrieve K8s CA] has failures: true
Testing manually from that node confirms this query won't work:
# kubectl --server='https://example-k8s.example.com:6443' --username=anonymous --insecure-skip-tls-verify=true get --namespace=kube-system configmap cluster-info -oyaml
E0422 22:53:19.658375 1310295 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
E0422 22:53:19.662981 1310295 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
E0422 22:53:19.667140 1310295 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
E0422 22:53:19.671012 1310295 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
E0422 22:53:19.674882 1310295 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: unknown"
Error from server (Forbidden): unknown
We aren't disabling anonymous auth, and I do see that anonymous authentication is enabled on the running apiserver process. I suspect something has changed in Kubernetes 1.32, which means that the very manual setup used in k8s::server::resources is likely out of date?
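A "Forbidden" with anonymous auth still enabled means authentication succeeded and RBAC denied the request, so the next thing to check is which Role in kube-system (if any) lets system:anonymous read the cluster-info ConfigMap. The following is an added example, not code from the issue or from the Puppet k8s module: it evaluates the anonymous bootstrap fetch against the namespace's Roles and RoleBindings; the sample objects are constructed, modelled on the kubeadm Role/RoleBinding named `kubeadm:bootstrap-signer-clusterinfo`, and the function and variable names are my own.

```python
import json

# Subjects an unauthenticated kubectl call (as in the failing Exec above) acts as.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

def rule_allows(rule, resource, name, verb):
    """True if a single RBAC rule grants `verb` on the named core-group resource."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:          # ConfigMaps live in the core ("") group
        return False
    resources = rule.get("resources", [])
    if resource not in resources and "*" not in resources:
        return False
    names = rule.get("resourceNames")                     # absent means every name in the namespace
    if names and name not in names:
        return False
    verbs = rule.get("verbs", [])
    return verb in verbs or "*" in verbs

def anonymous_grants(doc, resource="configmaps", name="cluster-info", verb="get"):
    """Names of roles that let an anonymous caller `verb` the given object.

    `doc` is the parsed output of `kubectl -n kube-system get roles,rolebindings -o json`
    (add `clusterroles` to the listing if a RoleBinding references a ClusterRole).
    An empty result is the RBAC-side explanation of "Error from server (Forbidden)".
    """
    items = doc.get("items", [])
    roles = {(o["kind"], o["metadata"]["name"]): o for o in items if o["kind"] in ("Role", "ClusterRole")}
    granting = []
    for binding in (o for o in items if o["kind"] == "RoleBinding"):
        subjects = {(s.get("kind"), s.get("name")) for s in binding.get("subjects", [])}
        if not subjects & ANON_SUBJECTS:
            continue
        ref = binding["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))      # RoleBindings may reference a ClusterRole
        if role and any(rule_allows(r, resource, name, verb) for r in role.get("rules", [])):
            granting.append(ref["name"])
    return sorted(set(granting))

# Constructed sample modelled on kubeadm's objects: anonymous may `get` exactly one ConfigMap.
SAMPLE_OK = json.loads("""{"items": [
 {"kind": "Role", "metadata": {"name": "kubeadm:bootstrap-signer-clusterinfo", "namespace": "kube-system"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["cluster-info"], "verbs": ["get"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "kubeadm:bootstrap-signer-clusterinfo", "namespace": "kube-system"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "kubeadm:bootstrap-signer-clusterinfo"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "system:anonymous"}]}]}""")

# Same Role, but the binding only names authenticated users: the anonymous fetch is Forbidden.
SAMPLE_FORBIDDEN = json.loads(json.dumps(SAMPLE_OK))
SAMPLE_FORBIDDEN["items"][1]["subjects"] = [{"kind": "Group", "name": "system:authenticated"}]

if __name__ == "__main__":
    print("anonymous may read cluster-info via:", anonymous_grants(SAMPLE_OK))
    print("after narrowing the binding:", anonymous_grants(SAMPLE_FORBIDDEN))
```

Run against a real listing, the function should report exactly one narrowly scoped Role; any Role it returns that grants more than `get` on `cluster-info` is a least-privilege finding, and an empty result points at the RBAC objects the bootstrap path depends on.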