During Resource Enrollment

cc-ansible --playbook ./playbooks/k3s.yml issues

Unable to read /etc/rancher/k3s/k3s.yaml

kubectl get pods -A -o wide
WARN[0000] Unable to read /etc/rancher/k3s/k3s.yaml, please start server with --write-kubeconfig-mode to modify kube config permissions 
error: error loading config file "/etc/rancher/k3s/k3s.yaml": open /etc/rancher/k3s/k3s.yaml: permission denied

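To overcome this issue, add the following line to roles/k3s/templates/config.yaml.j2. Note that /etc/rancher/k3s/k3s.yaml holds the cluster-admin credentials, and mode 0644 makes it readable by every local account on the node: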

write-kubeconfig-mode: "0644"

Wait till the Tigera Operator has fully applied

k3s : Wait till the Tigera Operator has fully applied
fatal: [edge -> localhost]: FAILED! => {"changed": false, "msg": "Failed to gather information about TigeraStatus(s) even after waiting for 123 seconds"}

By default, the timeout for the Tigera operator is 120 seconds. If you face this error, increase it to 5 minutes by adding wait_timeout: 300 just after wait: yes in the corresponding tasks in roles/k3s/tasks/config-calico.yml, as shown below:

- name: Wait till the Tigera Operator has fully applied
  delegate_to: "{{ groups['deployment'][0] }}"
  kubernetes.core.k8s_info:
    kind: TigeraStatus
    name: calico
    namespace: default
    wait: yes
    wait_condition:
      type: "Available"
      status: "True"
      reason: "AllObjectsAvailable"
    wait_timeout: 300

- name: Wait till the Calico Installation is created
  delegate_to: "{{ groups['deployment'][0] }}"
  kubernetes.core.k8s_info:
    kind: Installation
    name: default
    namespace: default
    wait: yes
    wait_condition:
      type: "Ready"
      status: "True"
      reason: "AllObjectsAvailable"
    wait_timeout: 300

In addition, this must be run from a completely clean state.

Change cluster ip CIDR

If the cluster IP CIDR collides with any of the subnets already in use, it is better to change it in roles/k3s/defaults/main.yml. More info can be found here.

Apply Calico network policies

TASK [k3s : Apply Calico global network policies] **********************************************************************************************************************************************************
failed: [edge-mv -> localhost] (item=default-deny) => {"ansible_loop_var": "item", "changed": false, "item": "default-deny", "msg": "Failed to find exact match for projectcalico.org/v1.GlobalNetworkPolicy by [kind, name, singularName, shortNames]"}
failed: [edge-mv -> localhost] (item=allow-ping) => {"ansible_loop_var": "item", "changed": false, "item": "allow-ping", "msg": "Failed to find exact match for projectcalico.org/v1.GlobalNetworkPolicy by [kind, name, singularName, shortNames]"}

The solution, according to here, is to add apply: yes to the task's kubernetes.core.k8s arguments.

Configure Neutron

TASK [k3s : Create calico network] *************************************************************************************************************************************************************************
fatal: [edge-mv]: FAILED! => {"action": "os_network", "changed": false, "extra_data": {"data": null, "details": "Running without keystone AuthN requires that tenant_id is specified", "response": "{\"NeutronError\": {\"type\": \"HTTPBadRequest\", \"message\": \"Running without keystone AuthN requires that tenant_id is specified\", \"detail\": \"\"}}"}, "msg": "BadRequestException: 400: Client Error for url: http://10.0.87.254:9696/v2.0/networks, Running without keystone AuthN requires that tenant_id is specified"}

Solution: open the web portal and create the Calico network, subnet, and router from there. Alternatively, add the following line to <task>.kolla_toolbox.module_args of the 'Create calico network', 'Create calico subnet', and 'Fetch existing NAT router' tasks in roles/k3s/tasks/config-neutron.yml:

project: "{{ keystone_admin_project }}"

Generate Calico/Neutron connection script

TASK [k3s : Generate Calico/Neutron connection script] *****************************************************************************************************************************************************
fatal: [edge-mv]: FAILED! => {"changed": false, "checksum": "0b5e563c74380eba5d02bb1a041e4703aac71e28", "msg": "Destination /etc/rancher/k3s not writable"}

The solution is to add become: yes to the task Generate Calico/Neutron connection script in roles/k3s/tasks/config-neutron.yml.

NOTE: Run these when a new snapshot is loaded:

  1. Configs

    sudo chown root:expeca-deploy /opt
    sudo chmod g+rw /opt

  2. Add enable_k3s: yes to

    sudo vim /opt/site-config/defaults.yml

  3. Add wait_timeout: 300 to 'Wait till the Tigera Operator has fully applied' and 'Wait till the Calico Installation is created' tasks just after wait: yes in roles/k3s/tasks/config-calico.yml.

  4. Change cluster ip CIDR at roles/k3s/defaults/main.yml.

  5. Add apply: yes to the last task in roles/k3s/tasks/config-calico.yml.

  6. Add the following line to 'Create calico network', 'Create calico subnet', and 'Fetch existing NAT router' tasks <task>.kolla_toolbox.module_args in roles/k3s/tasks/config-neutron.yml:

    project: "{{ keystone_admin_project }}"

  7. Add become: yes to the task Generate Calico/Neutron connection script in roles/k3s/tasks/config-neutron.yml.
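
A way to confirm, after loading a snapshot, that the file edits from steps 2, 3, 5, 6 and 7 are in place. This is an added example, not part of the original playbooks. The function names, the REPO argument (the checkout that contains roles/k3s) and the grep heuristics are assumptions; it counts matching lines per file and does not verify which task each line sits in.

```shell
#!/bin/sh
# Added example: verify the snapshot checklist edits are present.
# File paths come from the page; everything else is an assumption.

# count_lines FILE PATTERN -> number of matching lines (0 if FILE is missing)
count_lines() {
    if [ -f "$1" ]; then
        grep -cE "$2" "$1" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# need LABEL FILE PATTERN MIN -> prints a status line, returns 1 if below MIN
need() {
    found=$(count_lines "$2" "$3")
    if [ "$found" -ge "$4" ]; then
        echo "OK      $1 ($found/$4)"
    else
        echo "MISSING $1 ($found/$4 in $2)"
        return 1
    fi
}

# check_snapshot REPO [SITE_DEFAULTS] -> exit status = number of failed checks
check_snapshot() {
    repo=$1
    site=${2:-/opt/site-config/defaults.yml}
    calico=$repo/roles/k3s/tasks/config-calico.yml
    neutron=$repo/roles/k3s/tasks/config-neutron.yml
    fails=0
    # Step 2: k3s enabled in the site defaults
    need "enable_k3s: yes" "$site" \
        '^[[:space:]]*enable_k3s:[[:space:]]*yes' 1 || fails=$((fails + 1))
    # Step 3: both wait tasks carry the longer timeout
    need "wait_timeout: 300 (two tasks)" "$calico" \
        '^[[:space:]]*wait_timeout:[[:space:]]*300' 2 || fails=$((fails + 1))
    # Step 5: apply: yes on the network policy task
    need "apply: yes" "$calico" \
        '^[[:space:]]*apply:[[:space:]]*yes' 1 || fails=$((fails + 1))
    # Step 6: project set on the three Neutron tasks
    need "project: keystone_admin_project (three tasks)" "$neutron" \
        'project:.*keystone_admin_project' 3 || fails=$((fails + 1))
    # Step 7: privilege escalation for the connection script task
    need "become: yes" "$neutron" \
        '^[[:space:]]*become:[[:space:]]*yes' 1 || fails=$((fails + 1))
    return "$fails"
}
```

Source the file and run check_snapshot with the path to the checkout; the cluster IP CIDR (step 4) is not checked because the correct value depends on the site's subnets.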
