From a68d6d617e4531968265a2aec4c662607e9f988c Mon Sep 17 00:00:00 2001
From: Michal
Date: Wed, 1 Apr 2026 15:53:18 +0100
Subject: [PATCH] feat: k3s cluster-init for etcd HA, fix Cilium duplicate install

- Server config now uses cluster-init: true for initial server (enables embedded etcd). Joining servers get server: + token: in config.
- Cilium install already checks for existing installation, so joining servers skip it gracefully (the "release name in use" error is non-fatal)
Cluster rebuilt as etcd HA:
worker0-k8s0 control-plane,etcd (initial server, cluster-init)
worker1-k8s0 control-plane,etcd (joined server, Mac Studio aarch64)
spark-2935 worker (DGX Spark, aarch64)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../modules/modules/k3s/src/operations/k3s-config.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
index be43c60..05eaf4c 100644
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -9,9 +9,13 @@ function isServerRole(role: string): boolean {
 function generateServerConfig(config: K3sConfig): string {
 const tlsSans = [config.hostname, config.ip, ...(config.tlsSans ?? [])];
- const serverLine = config.k3sServerUrl ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"\n` : "";
- return `# k3s server configuration — CIS hardened
-${serverLine}protect-kernel-defaults: true
+ const isJoining = !!config.k3sServerUrl;
+ const clusterLines = isJoining
+ ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"`
+ : "cluster-init: true";
+ return `# k3s server configuration — CIS hardened, etcd HA
+${clusterLines}
+protect-kernel-defaults: true
 secrets-encryption: true
 write-kubeconfig-mode: "0640"
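Review bot: The joining branch of `clusterLines` interpolates `config.k3sToken` without checking that it is set, so if `k3sToken` is optional in `K3sConfig` (the type is not visible here) a config with only `k3sServerUrl` renders `token: "undefined"` and the failure surfaces only when k3s tries to join. A guard before the ternary, `if (isJoining && !config.k3sToken) throw new Error("k3sToken is required when k3sServerUrl is set");`, would fail at generation time instead. Both values are also dropped into double-quoted YAML scalars unescaped, so a `"` or a line break in either one ends the scalar early and can introduce extra config keys; `JSON.stringify(config.k3sServerUrl)` and `JSON.stringify(config.k3sToken)` each produce a correctly quoted scalar. Because the rendered text now carries the cluster join token, it is worth a comment above the `return` noting that the file must be written root-readable only and never logged; the code that writes it is not in this hunk. The body of `generateServerConfig` and its template literal continue outside the hunk.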