canonical/microk8s

Pre-determined `add-node` token

chaospuppy opened this issue · 2 comments

Summary

When configuring a multi-node cluster using automation (such as terraform), it would be helpful to be able to pre-determine the registration string used in `microk8s join <ip>:<port>/<token>/<check>`. As it stands, all of those fields except for `<check>` can be pre-configured. Looking at `${SNAP}/actions/common/utils.sh`, I see that the `server_cert_check` function is just the first 6 characters of the sha256 hash of the server cert in DER format.

Because this shasum is guaranteed to be unique each time a new cluster is created (as SANs and timestamps will vary), it is impossible to know its value ahead of time, making automating the creation of a multi-node cluster difficult (stdout needs to be parsed and fed into subsequent `add-node` commands).

I am curious to know why this shasum is a required input for new node registration.

Why is this important?

It is difficult/impossible to know the value of `<check>` in advance of creating the first server node, or at least in advance of server certificate generation. Because of this, performing a non-interactive cluster bootstrap is made needlessly tedious/requires additional provisioning tools, such as Ansible. Or maybe it isn't needless, but I'd be curious to understand why the worker node needs to send this shasum to the server when joining.

Are you interested in contributing to this feature?

Update: It should've been obvious in hindsight that the input is used to validate the authenticity of the certificate offered by the first server node, and this verification can be skipped with `microk8s join <registration string> --skip-verify`. Closing.

It may still be a benefit to end-users to describe what the <check> string is and what function it performs in Microk8s documentation, since it isn't totally clear just looking at the command or examples.
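The check described in this issue, worked through as an added example (not code from the microk8s project): the `<check>` field is derived as the first 6 hex characters of the SHA-256 digest of the server certificate in DER form, and the joining side recomputes it from the certificate the server actually presents. Function names and the sample certificate bytes are this example's own; the bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

CHECK_LEN = 6  # first 6 hex characters of the sha256 digest, per utils.sh as described
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body. No ASN.1 parsing is
    needed because the check hashes the raw DER bytes."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(match.group(1).split()))


def server_cert_check(der: bytes) -> str:
    """<check> value: 6 hex chars (24 bits) of sha256 over the DER certificate."""
    return hashlib.sha256(der).hexdigest()[:CHECK_LEN]


def build_join_string(ip: str, port: int, token: str, der: bytes) -> str:
    """Registration string in the form <ip>:<port>/<token>/<check>."""
    return f"{ip}:{port}/{token}/{server_cert_check(der)}"


def parse_join_string(join: str):
    hostport, token, check = join.split("/")
    host, port = hostport.rsplit(":", 1)
    return host, int(port), token, check


def verify_offered_cert(offered_der: bytes, expected_check: str, skip_verify: bool = False) -> bool:
    """Joining node's side: recompute the check from the certificate the server
    presents and compare it with the one carried in the join string.
    skip_verify models --skip-verify: the comparison is bypassed entirely."""
    if skip_verify:
        return True
    return hmac.compare_digest(server_cert_check(offered_der), expected_check.lower())


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    join = build_join_string("10.0.0.5", 25000, "a" * 32, SAMPLE_DER)
    print(join, verify_offered_cert(SAMPLE_DER, parse_join_string(join)[3]))
```

Because the check is derived from the certificate, a script that pre-generates the server certificate can compute `<check>` before the node is brought up; a different certificate on the same address fails the comparison unless `--skip-verify` is used.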