7.3 KiB
Design Document
Overview
The fastpass-additional-control-plane Ansible role will enable the deployment of additional control plane nodes to an existing FastPass Kubernetes cluster. This role follows the established patterns from fastpass-first-control-plane but focuses on joining nodes to an already initialized cluster rather than initializing a new one. The role ensures high availability by creating redundant master nodes that can handle API requests, scheduling, and cluster management tasks.
The key difference from the first control plane role is that this role will use kubeadm join with control plane flags instead of kubeadm init, and it will need to retrieve join tokens and certificate keys from the existing cluster.
Architecture
Role Structure
The role will follow the standard Ansible role structure:
ansible/playbooks/roles/fastpass-additional-control-plane/
├── defaults/
│ └── main.yml
├── tasks/
│ └── main.yml
├── handlers/
│ └── main.yml (if needed)
└── meta/
└── main.yml (if needed)
Integration Points
- DNS Management: Uses the existing
dns-managerrole for consistent DNS record creation - Kubeconfig Management: Uses the existing
kubeconfig-managerrole for local kubeconfig setup - Firewall Configuration: Reuses firewall service definitions from the first control plane role
- Cluster Integration: Coordinates with the first control plane node to obtain join credentials
Dependencies
- The first control plane node must be fully initialized and running
- The
dns-managerrole must be available for DNS record creation - The
kubeconfig-managerrole must be available for kubeconfig setup - Required Kubernetes prerequisites must be installed on target nodes
Components and Interfaces
Main Task Flow
- Pre-flight Checks: Verify cluster readiness and node prerequisites
- DNS Configuration: Set up DNS records for the new control plane node
- Firewall Configuration: Open required ports for control plane services
- Kubelet Configuration: Create initial kubelet configuration
- Join Token Retrieval: Get join token and certificate key from first control plane
- Cluster Join: Execute kubeadm join with control plane flags
- Service Management: Ensure kubelet is enabled and running
- Kubeconfig Setup: Configure local kubeconfig access
- Verification: Validate successful cluster join
Key Variables
cluster_name: Name of the Kubernetes clusterip_address: IP address of the current control plane nodefirst_control_plane_host: Hostname/IP of the first control plane nodekubernetes_services_control_plane: List of firewall services to openjoin_token_ttl: TTL for join tokens (default: 24h)certificate_key_ttl: TTL for certificate keys (default: 2h)
External Role Interfaces
- dns-manager: Provides DNS record creation with
host_namevariable - kubeconfig-manager: Handles kubeconfig merging with
cluster_namevariable - First Control Plane: Source for join tokens and certificate keys
Data Models
Join Credentials Structure
join_credentials:
token: "abcdef.1234567890abcdef"
discovery_token_ca_cert_hash: "sha256:..."
certificate_key: "..."
api_server_endpoint: "cluster-name:6443"
Firewall Services
kubernetes_services_control_plane:
- kubernetes_API # Port 6443
- etcd # Ports 2379-2380
- kubelet # Port 10250
- kube-scheduler # Port 10259
- kube-controller-manager # Port 10257
Node Status Tracking
node_status:
joined: false
kubelet_running: false
dns_configured: false
kubeconfig_ready: false
Error Handling
Join Token Management
- Token Expiration: Automatically generate new tokens if existing ones are expired
- Certificate Key Rotation: Handle certificate key expiration gracefully
- Network Connectivity: Retry join operations with exponential backoff
- API Server Availability: Wait for API server readiness before attempting join
Idempotency Checks
- Already Joined Nodes: Skip join process if node is already part of the cluster
- Existing Configuration: Preserve existing kubelet configuration if valid
- DNS Records: Update existing DNS records instead of creating duplicates
- Service Status: Only restart services if configuration changes
Failure Recovery
- Partial Join Failures: Clean up partial configurations and retry
- Network Issues: Provide clear error messages for connectivity problems
- Permission Errors: Validate sudo/root access before attempting operations
- Resource Constraints: Check system resources before proceeding
Testing Strategy
Unit Testing Approach
- Task Validation: Test individual tasks with mock data
- Variable Validation: Ensure required variables are properly defined
- Conditional Logic: Test all conditional branches in tasks
- Error Scenarios: Validate error handling for common failure cases
Integration Testing
- Multi-Node Clusters: Test with 3 and 5 control plane node configurations
- Network Scenarios: Test across different network topologies
- OS Compatibility: Validate on supported operating systems (Ubuntu/Debian)
- Version Compatibility: Test with different Kubernetes versions
Validation Checks
- Cluster Health: Verify all control plane nodes are healthy after join
- API Availability: Confirm API server is accessible from all nodes
- Etcd Cluster: Validate etcd cluster membership and health
- Scheduling: Test pod scheduling across all control plane nodes
- Failover: Verify cluster continues operating if one control plane fails
Test Scenarios
- Fresh Join: Join additional control plane to newly created cluster
- Existing Cluster: Add control plane to cluster with existing workloads
- Network Partitions: Test behavior during temporary network issues
- Token Expiration: Handle expired join tokens gracefully
- Retry Operations: Validate retry logic for transient failures
Implementation Considerations
Security
- Token Security: Ensure join tokens are handled securely and not logged
- Certificate Management: Properly manage and rotate certificate keys
- Network Security: Validate firewall rules don't expose unnecessary ports
- Access Control: Ensure proper RBAC is maintained after node joins
Performance
- Parallel Execution: Support joining multiple control plane nodes simultaneously
- Resource Usage: Monitor CPU and memory usage during join process
- Network Bandwidth: Optimize data transfer during cluster join
- Startup Time: Minimize time to achieve cluster readiness
Monitoring and Observability
- Join Progress: Provide clear progress indicators during join process
- Health Checks: Implement comprehensive health validation
- Logging: Ensure adequate logging for troubleshooting
- Metrics: Expose relevant metrics for monitoring cluster growth
Compatibility
- Kubernetes Versions: Support current and previous Kubernetes versions
- Operating Systems: Maintain compatibility with Ubuntu and Debian
- Container Runtimes: Work with containerd runtime configuration
- Network Plugins: Compatible with Flannel CNI configuration