feat: k3s cluster-init for etcd HA, fix Cilium duplicate install

- Server config now uses cluster-init: true for initial server (enables embedded etcd). Joining servers get server: + token: in config. - Cilium install already checks for existing installation, so joining servers skip it gracefully (the "release name in use" error is non-fatal) Cluster rebuilt as etcd HA: worker0-k8s0 control-plane,etcd (initial server, cluster-init) worker1-k8s0 control-plane,etcd (joined server, Mac Studio aarch64) spark-2935 worker (DGX Spark, aarch64) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 15:53:18 +01:00
parent c49a650888
commit a68d6d617e
1 changed files with 7 additions and 3 deletions
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -9,9 +9,13 @@ function isServerRole(role: string): boolean {
 function generateServerConfig(config: K3sConfig): string {
  const tlsSans = [config.hostname, config.ip, ...(config.tlsSans ?? [])];
-  const serverLine = config.k3sServerUrl ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"\n` : "";
+  const isJoining = !!config.k3sServerUrl;
-  return `# k3s server configuration — CIS hardened
+  const clusterLines = isJoining
-${serverLine}protect-kernel-defaults: true
+    ? `server: "${config.k3sServerUrl}"\ntoken: "${config.k3sToken}"`
    : "cluster-init: true";
  return `# k3s server configuration — CIS hardened, etcd HA
 ${clusterLines}
 protect-kernel-defaults: true
 secrets-encryption: true
 write-kubeconfig-mode: "0640"