APIVIP validation doesn't consider node type #533

Open
hardys opened this issue Aug 16, 2024 · 6 comments
Labels
enhancement New feature or request triaged The team has reviewed the issue

Comments

@hardys
Contributor

hardys commented Aug 16, 2024

In the image validation we check for the number of nodes, and if it's more than one we enforce configuration of an APIVIP:

https://github.com/suse-edge/edge-image-builder/blob/main/pkg/image/validation/kubernetes.go#L52

However it's valid to deploy a single controlplane (type: server) host without any APIVIP, but also define one or more compute (type: agent) hosts.

So I think the validation (and other relevant checks for number of nodes related to configuration/defaults) should consider not only the node list length, but also filter by type.
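A sketch of the type-aware check proposed above, as an added example that is not part of the issue or the project's code. The `Node` struct, `validateAPIVIP` and the error value are hypothetical names, and the sketch covers only the validation rule, not how agent nodes locate the server when no VIP is set.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Node is a hypothetical stand-in for one entry in the image definition's node list.
type Node struct {
	Hostname string
	Type     string // "server" (control plane) or "agent" (compute)
}

var errVIPRequired = errors.New("apiVIP is required when more than one server node is defined")

// validateAPIVIP requires a VIP only for multi-server clusters, counting
// nodes by type instead of using the length of the whole node list.
func validateAPIVIP(nodes []Node, apiVIP string) error {
	servers := 0
	for _, n := range nodes {
		switch n.Type {
		case "server":
			servers++
		case "agent":
			// Agents do not affect whether a VIP is mandatory.
		default:
			return fmt.Errorf("node %q: unknown type %q", n.Hostname, n.Type)
		}
	}
	if apiVIP != "" {
		// A configured VIP must at least parse as an IP address.
		if _, err := netip.ParseAddr(apiVIP); err != nil {
			return fmt.Errorf("apiVIP %q is not a valid IP address: %w", apiVIP, err)
		}
		return nil
	}
	if servers > 1 {
		return errVIPRequired
	}
	return nil
}

func main() {
	// Constructed sample: one control-plane node plus one agent, no VIP.
	nodes := []Node{{Hostname: "cp1", Type: "server"}, {Hostname: "w1", Type: "agent"}}
	fmt.Println("1 server + 1 agent, no VIP:", validateAPIVIP(nodes, ""))
	nodes = append(nodes, Node{Hostname: "cp2", Type: "server"})
	fmt.Println("2 servers + 1 agent, no VIP:", validateAPIVIP(nodes, ""))
}
```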

@atanasdinov
Contributor

While it is valid, do we want to do it? Joining a node at a later point in time is much more robust if it's based on a virtual IP backed by MetalLB. I'd generally assume that MetalLB (and Endpoint Copier Operator) do not really bring that much complexity and / or load to the cluster so I went with the assumption that it's better to always use virtual IP even in said architecture models.

@hardys
Contributor Author

hardys commented Aug 16, 2024

@atanasdinov the issue is in many PoC situations you don't control the lab networking, and in that case obtaining an additional address for the VIP is problematic for many users.

So for example you have two machines and you want to create 1 controlplane and 1 worker/agent, but all IPs are managed via DHCP - with this current validation it's not possible to do that using a single EIB image AFAICS.

@atanasdinov atanasdinov added enhancement New feature or request triaged The team has reviewed the issue labels Aug 16, 2024
@atanasdinov atanasdinov added this to the v1.1 milestone Aug 16, 2024
@agracey

agracey commented Aug 17, 2024

Is there any way we could look at using mdns/avahi/zeroconfig to broadcast a join address? It wouldn't be too hard to do but I'm not sure about the security implications.

@atanasdinov
Contributor

We'll revisit this for the next version of EIB.

@atanasdinov atanasdinov removed this from the v1.1 milestone Aug 19, 2024
@jdob
Contributor

jdob commented Oct 22, 2024

One option is to remove the strict validation requirement and simply log a message to the user indicating that they may want to consider an explicit IP. I don't have examples off the top of my head, but I know we do that sort of output for things that are not strictly enforced but probably a good idea.

@atanasdinov
Contributor

This will not work. We need another way for nodes to join the cluster if apiVIP is not set. Hence why I bumped this out of v1.1 - it requires too many changes and careful testing.

4 participants