Airgap install throws token must not be empty #361

Closed
GitHanter opened this issue Sep 12, 2024 · 7 comments
@GitHanter

Airgap install throws token must not be empty

Seems the latest security fix, the "using K3S_TOKEN environment variable" commit, caused this issue: Security exposure related to the token (https://github.com/k3s-io/k3s-ansible/pull/356)

@dereknola
Member

You always have to provide a token in the inventory.yaml, PR #356 didn't change that requirement. What exactly is the error you are seeing?

@GitHanter
Author

GitHanter commented Sep 22, 2024

> You always have to provide a token in the inventory.yaml, PR #356 didn't change that requirement. What exactly is the error you are seeing.

I provided the token in the inventory.yaml, but it doesn't work. I have to append the --token parameter to the systemd service again: ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} --token {{ token }} {{ extra_server_args }}, which was deleted in the PR; then everything works.
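Added example, not part of the original thread and not k3s-ansible code: a check that tells the two states discussed above apart, a token put back into `ExecStart` with `--token` versus a token supplied through `K3S_TOKEN`. It assumes the variable is delivered through a systemd environment file; the function name and both file paths are hypothetical and passed in by the caller, since the thread does not name them.

```shell
#!/bin/sh
# Added example (not from k3s-ansible). Usage: sh check.sh UNIT_FILE ENV_FILE
# Both paths are supplied by the caller; the thread does not name them.

check_k3s_token() {
    unit=$1; envfile=$2; rc=0

    # Join backslash-continued lines so a multi-line ExecStart is one record,
    # then flag a --token argument embedded in the unit file.
    if awk '{ if (sub(/\\$/, "")) { buf = buf $0; next }
              print buf $0; buf = "" }
            END { if (buf != "") print buf }' "$unit" |
       grep -Eq '^ExecStart=.*[[:space:]]--token([=[:space:]]|$)'; then
        echo "FAIL: ExecStart carries --token; the secret is stored in $unit"
        rc=1
    fi

    if [ ! -f "$envfile" ]; then
        echo "FAIL: $envfile not found, K3S_TOKEN cannot be set from it"
        return 1
    fi

    # Last assignment wins; strip optional quotes. The value is never printed.
    val=$(sed -n 's/^K3S_TOKEN=//p' "$envfile" | tail -n 1 | tr -d "\"'")
    if [ -z "$val" ]; then
        echo "FAIL: K3S_TOKEN is missing or empty in $envfile"
        rc=1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$envfile" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $envfile is accessible to group or other"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: token supplied only via K3S_TOKEN"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_k3s_token "$1" "$2"
fi
```

An empty or missing `K3S_TOKEN` finding corresponds to the server starting without any token, which is the condition the issue title describes.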

@dereknola
Member

dereknola commented Oct 7, 2024

I tested this out, and I'm still not seeing the issue as you described. My setup was an airgapped cluster of pi4s with my inventory.yml looking like:

---
k3s_cluster:
  children:
    server:
      hosts:
        # localhost:
        192.168.1.91:
    agent:
      hosts:
        192.168.1.92:
  # Required Vars
  vars:
    #ansible_port: 22
    ansible_user: "pi"
    airgap_dir: "./my-airgap"
    # k3s_version: v1.28.11+k3s1
    token: "mytoken"  # Use ansible vault if you want to keep it secret
    api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
    extra_server_args: ""
    extra_agent_args: ""

Additionally, my airgap folder contains the k3s binary and the k3s-airgap-images-arm64.tar.zst.
What does your inventory look like?

@GitHanter
Author

This is my inventory; I am trying to set up the Kubernetes cluster on my Raspberry Pi CM4 cluster.

k3s_cluster:
  children:
    server:
      hosts:
        rpicm404:
    agent:
      hosts:
        rpicm401:
        rpicm402:
        rpicm403:


  # Required Vars
  vars:
    ansible_port: 22
    k3s_version: v1.31.0+k3s1
    token: "<The-token>"
    api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
    extra_server_args: "--flannel-backend=none --disable-network-policy --disable-helm-controller --disable-cloud-controller --disable=servicelb --disable=traefik"
    extra_agent_args: ""
    airgap_dir: /<the-base-dir>/k3s-airgap/v1.31.0+k3s1

@dereknola
Member

dereknola commented Oct 28, 2024

I did find a minor issue with the agent airgap setup (fix was previously only written in the server code); I have a PR to fix that. However, I am still unable to replicate your issue (using as close to your inventory as possible). I will note that your extra_server_args lead me to believe you are installing additional helm charts or components by hand? Because the cluster is not operational with all of those core components disabled.

What is the exact wording of the failure you are seeing? Can you post some of the actual ansible logs?

You might try the latest master commit and see if the issue is still there.

@GitHanter
Author

GitHanter commented Oct 30, 2024

Yes, I install cilium as CNI by helm chart (Also used as Gateway API component), and nginx ingress controller as my ingress controller (Not familiar with traefik).

I already provisioned the cluster by adding the token variable to the previous location, so I don't have an environment to test it now. I'll find other SBCs to test it again and will let you know the result, thanks.

@dereknola
Member

Closing this for now, feel free to add more info if you hit it again, I will reopen.
