fix: k3s install automation — skip Cilium on join, Longhorn via server, default root user

- Skip Cilium install for joining servers (already in cluster via daemonset) - Longhorn annotation for workers: SSH to server node from CLI to apply kubectl annotation (workers don't have kubectl access) - Default SSH user for k3s/app commands changed to 'root' (operations need root privileges, using 'lab' user broke installs) - k3s server config: cluster-init for initial server, server+token for joins Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 16:02:19 +01:00
parent a68d6d617e
commit 06fc40a857
5 changed files with 30 additions and 13 deletions
--- a/bastion/src/cli/src/commands/app.ts
+++ b/bastion/src/cli/src/commands/app.ts
@@ -70,7 +70,7 @@ export function registerAppCommand(program: Command): void {
    .command("install <target>")
    .description("Install k3s on a target machine (hostname, IP, or MAC)")
    .option("--role <role>", "k3s role: infra (server) or worker (agent)", "infra")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
    .option("--k3s-server <url>", "k3s server URL (required for worker role)")
    .option("--k3s-token <token>", "k3s join token (required for worker role)")
    .action(async (target: string, opts: {
@@ -164,7 +164,7 @@ export function registerAppCommand(program: Command): void {
  k3sCmd
    .command("health [target]")
    .description("Check k3s health (all hosts if no target given)")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
    .action(async (target: string | undefined, opts: { user: string }) => {
      const sshKey = findSshKey();

@@ -304,7 +304,7 @@ export function registerAppCommand(program: Command): void {
  k3sCmd
    .command("list")
    .description("List installed machines and their k3s status")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
    .action(async (opts: { user: string }) => {
      let state: BastionState;
      try {
--- a/bastion/src/cli/src/commands/asahi.ts
+++ b/bastion/src/cli/src/commands/asahi.ts
@@ -59,7 +59,7 @@ export function registerAsahiCommand(parent: Command): void {
      console.log(`    labvg/longhorn (remaining space)${RESET}`);
      console.log("");
      console.log(`  After first boot, SSH in and run the firstboot script:`);
-      console.log(`    ${BOLD}ssh lab@<ip> 'curl -sf ${bastionUrl}/asahi/firstboot.sh | sudo bash'${RESET}`);
+      console.log(`    ${BOLD}ssh root@<ip> 'curl -sf ${bastionUrl}/asahi/firstboot.sh | bash'${RESET}`);
      console.log("");
      console.log(`  This sets up LVM, detects hostname/MAC, and self-registers.`);
      console.log(`  Then install k3s:`);
--- a/bastion/src/cli/src/commands/labcontroller.ts
+++ b/bastion/src/cli/src/commands/labcontroller.ts
@@ -38,7 +38,7 @@ export function registerLabcontrollerCommands(appCmd: Command): void {
  lcCmd
    .command("deploy <target>")
    .description("Deploy labcontroller stack to a k3s node")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
    .option("--crdb-replicas <n>", "CockroachDB replicas", "1")
    .action(async (target: string, opts: {
      user: string;
@@ -193,7 +193,7 @@ export function registerLabcontrollerCommands(appCmd: Command): void {
  lcCmd
    .command("status [target]")
    .description("Check labcontroller deployment status (all hosts if no target)")
-    .option("--user <user>", "SSH user", "lab")
+    .option("--user <user>", "SSH user", "root")
    .action(async (target: string | undefined, opts: { user: string }) => {
      const sshKey = findSshKey();
      const sshOpts = sshKey ? { keyPath: sshKey } : {};
--- a/bastion/src/modules/modules/k3s/src/k3s-module.ts
+++ b/bastion/src/modules/modules/k3s/src/k3s-module.ts
@@ -78,9 +78,10 @@ export class K3sModule implements Module {
      return toModuleResult("install", [...prepResults, ...k3sResults], start);
    }

-    // Phase 3: Networking (server only — agents don't install Cilium)
+    // Phase 3: Networking (initial server only — joining servers get Cilium via daemonset)
    let netResults: OperationResult[] = [];
-    if (isServer) {
+    const isJoiningServer = isServer && !!opCtx.config.k3sServerUrl;
+    if (isServer && !isJoiningServer) {
      netResults = await runNetworking(opCtx);
    }

--- a/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/longhorn-disk.ts
@@ -3,6 +3,7 @@

 import type { Operation, OperationResult } from "../types.js";
 import { sshOpts } from "../utils.js";
+import { sshExec as remoteSshExec } from "../../../../src/ssh.js";

 export const configureLonghornDisk: Operation = async (ctx): Promise<OperationResult> => {
  // Check if /var/lib/longhorn exists on this node
@@ -15,12 +16,11 @@ export const configureLonghornDisk: Operation = async (ctx): Promise<OperationRe
  const nodeNameResult = await ctx.ssh.exec("hostname -f 2>/dev/null || hostname", sshOpts(ctx));
  const nodeName = nodeNameResult.stdout.trim();

-  // Apply the annotation via kubectl (works on server nodes, or via KUBECONFIG on agents)
-  const kubectlPrefix = "k3s kubectl";
  const annotation = JSON.stringify([{ path: "/var/lib/longhorn", allowScheduling: true }]);

+  // Try kubectl locally first (works on server nodes)
  const result = await ctx.ssh.exec(
-    `${kubectlPrefix} annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite 2>&1 || true`,
+    `k3s kubectl annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite 2>&1 || true`,
    sshOpts(ctx),
  );

@@ -28,7 +28,23 @@ export const configureLonghornDisk: Operation = async (ctx): Promise<OperationRe
    return { success: true, changed: true, message: `Longhorn disk annotation applied to ${nodeName}` };
  }

-  // If kubectl isn't available (agent node without server access), that's OK —
-  // the label is set, annotation can be applied from the server later
+  // For worker/agent nodes without local kubectl: apply via the server
+  if (ctx.config.k3sServerUrl) {
+    // The CLI has SSH access to the server — use sshExec from there
+    const serverHost = new URL(ctx.config.k3sServerUrl).hostname;
+    try {
+      const remoteResult = await remoteSshExec(
+        serverHost, "root",
+        `k3s kubectl annotate node "${nodeName}" "node.longhorn.io/default-disks-config=${annotation}" --overwrite`,
+        { ...(ctx.ssh.keyPath ? { keyPath: ctx.ssh.keyPath } : {}), timeoutMs: 15_000 },
+      );
+      if (remoteResult.stdout.includes("annotated") || remoteResult.stdout.includes("unchanged")) {
+        return { success: true, changed: true, message: `Longhorn disk annotation applied to ${nodeName} (via server)` };
+      }
+    } catch {
+      // Fall through to manual instruction
+    }
+  }
+
  return { success: true, changed: false, message: "Longhorn disk label set (annotation requires server kubectl)" };
 };