Label the node with the Talos configured virtual IP #167

Open
nogweii opened this issue Jun 7, 2024 · 6 comments
@nogweii

nogweii commented Jun 7, 2024

Feature Request

Basically, implement siderolabs/talos#7166 in Talos-CCM.

Description

It would be handy to have a label that gets moved around as the VIP changes nodes. I'd expect it to only support the built-in vip rather than any other implementation's. I'm not sure how to determine what the VIP is configured to be, though.

@sergelogvinov
Collaborator

Hi, do you use Talos VIP (float-ip in control plane) for EgressGateway?

@nogweii
Author

nogweii commented Jun 7, 2024

Nope. My current planned use-case is to dynamically decide which endpoint to use in my shell scripts wrapping talosctl by setting -e to whichever node has the VIP. But not to the VIP itself as per the documentation's recommendation.

@sergelogvinov
Collaborator

To be honest, I did not get your idea.
talosctl get addresses can show you where the VIP (control plane float ip) currently exists.
talosctl config can contain multiple IP endpoints, and it will use one that is active (alive).

@smira
Member

smira commented Jun 7, 2024

Don't use Talos VIP for Talos API endpoint - it will break, as it depends on etcd quorum, and Talos API access you need all the time.

@ccureau

ccureau commented Oct 9, 2024

I'm using kube-vip for my own cluster vip, and things all seem good, except for the certificate approval process. Whichever node currently is serving the VIP does not get its certificates approved automatically.

E1009 19:00:03.845312       1 controller.go:98] "CertificateSigningRequestReconciler: failed to reconcile CSR" err="providerChecks has an error: csrNodeChecks: CSR talos-cp-2 Node IP addresses don't match corresponding Node IP addresses [\"192.168.100.6\" \"192.168.100.6\" \"talos-cp-2\"], got \"192.168.100.102\"" name="csr-qml8g"
E1009 19:00:03.887570       1 controller.go:98] "CertificateSigningRequestReconciler: failed to reconcile CSR" err="providerChecks has an error: csrNodeChecks: CSR talos-cp-2 Node IP addresses don't match corresponding Node IP addresses [\"192.168.100.6\" \"192.168.100.6\" \"talos-cp-2\"], got \"192.168.100.102\"" name="csr-sw2cs"
E1009 19:00:04.202785       1 controller.go:98] "CertificateSigningRequestReconciler: failed to reconcile CSR" err="providerChecks has an error: csrNodeChecks: CSR talos-cp-2 Node IP addresses don't match corresponding Node IP addresses [\"192.168.100.6\" \"192.168.100.6\" \"talos-cp-2\"], got \"192.168.100.102\"" name="csr-w97mh"
E1009 19:00:04.252855       1 controller.go:98] "CertificateSigningRequestReconciler: failed to reconcile CSR" err="providerChecks has an error: csrNodeChecks: CSR talos-cp-2 Node IP addresses don't match corresponding Node IP addresses [\"192.168.100.6\" \"192.168.100.6\" \"talos-cp-2\"], got \"192.168.100.102\"" name="csr-xhpc2"

@sergelogvinov
Collaborator

Hi, sorry for the delay.

It looks like the kubelet may have announced the wrong IP and is using the kube-vip IP as the node IP. If you are using kube-vip or other floating IP solutions, you should set the node IP in the machine configuration to avoid problems:

machine:
  kubelet:
    nodeIP:
      validSubnets: ["192.168.100.6/32"]
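
Added example, not part of the thread and not the project's own code: a minimal Go sketch of the kind of check the log lines above report failing, where a kubelet CSR is rejected when one of its IP SANs is not among the addresses recorded for the node. The helper names `checkCSRIPs` and `makeCSR` are hypothetical, the CSRs are constructed in-process, and the addresses are the ones quoted in the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)

// checkCSRIPs (hypothetical helper) rejects a CSR with an IP SAN unknown for the node.
func checkCSRIPs(csrDER []byte, nodeIPs []string) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	for _, san := range csr.IPAddresses {
		known := false
		for _, n := range nodeIPs {
			known = known || san.Equal(net.ParseIP(n))
		}
		if !known {
			return fmt.Errorf("CSR IP %s not in node addresses %v", san, nodeIPs)
		}
	}
	return nil
}

// makeCSR builds a constructed kubelet-style serving CSR with the given IP SANs.
func makeCSR(ips ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "system:node:talos-cp-2"}}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	nodeIPs := []string{"192.168.100.6"} // address recorded for talos-cp-2 in the log above
	for _, ip := range []string{"192.168.100.102", "192.168.100.6"} {
		der, _ := makeCSR(ip)
		fmt.Printf("CSR with SAN %s -> %v\n", ip, checkCSRIPs(der, nodeIPs))
	}
}
```

Once the kubelet announces only the address allowed by `validSubnets`, the CSR carries the pinned node IP and the check passes; a CSR carrying the floating VIP stays rejected, which keeps a serving certificate from being issued for an address that can move to another node.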
