
How to generate kubeadm token for secondary control plane node(s)


You need to run on master

kubeadm init phase upload-certs --upload-certs

Remember the output.

Then you need to run on master

kubeadm token create --print-join-command

Then compose the joining command for the joining master node from this output and add --control-plane --certificate-key xxxx to it.

See this video for an explanation with an example: https://www.youtube.com/watch?v=27v36t-3afQ. The most interesting part is from 20:40. There are some 'experimental' words in the video due to an older version.


Based on the comments of the users, it seems that when someone runs this command:

kubeadm token create --print-join-command

it should populate two strings, sample:

kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx
kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx

In my case, unfortunately, it did not. Maybe because I am using self-signed certs from kubeadm, or maybe because the deployment is on bare metal nodes.

Nevertheless, I managed to resolve my problem in a different way.

According to the official documentation, Steps for the first control plane node:

"You can also specify a custom --certificate-key during init that can later be used by join. To generate such a key you can use the following command:"

kubeadm alpha certs certificate-key

Once the user runs the command on the intended master prime node (not a started node yet) they should see something like this:

# kubeadm alpha certs certificate-key
xxxx

Then as the documentation says:

"Note: The kubeadm init flags --config and --certificate-key cannot be mixed, therefore if you want to use the kubeadm configuration you must add the certificateKey field in the appropriate config locations (under InitConfiguration and JoinConfiguration: controlPlane)."

In my case I use a conf file, so I add the content to my file:

apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
certificateKey: xxxx
localAPIEndpoint:
  advertiseAddress:
  bindPort: 6443
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
---
etc etc

Once the user has this key and launches the prime master with this key (as shown above), the next step is to use exactly the same cert key for the secondary master nodes e.g.:

kubeadm join loadBalancerIP:6443 --token xxxx --discovery-token-ca-cert-hash sha256:xxxx --control-plane --certificate-key xxxx

Note: It is recommended to use a script to produce this data in order to use a new cert key when you destroy / create the master node(s).

Hope this helps someone else in the future, so they do not spend as much as I did.
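The two answers above describe the same procedure by hand: upload the control-plane certificates, create a bootstrap token, and append --control-plane --certificate-key to the printed join line. The script below is an added example (not code from either answer or from the kubeadm project) that turns that into the kind of script the note above recommends. It assumes kubeadm is on PATH on an existing control-plane node and is run as root; the two sample outputs embedded in it are constructed, and the real kubeadm commands are only invoked when the script is run with the argument generate, so without arguments it only does a dry run against the samples.

```shell
#!/bin/sh
# Added example: compose a control-plane join command from the outputs of
#   kubeadm init phase upload-certs --upload-certs
#   kubeadm token create --print-join-command
set -eu

KUBEADM="${KUBEADM:-kubeadm}"   # assumption: kubeadm is on PATH on the node

# upload-certs prints the certificate key on its own line after
# "Using certificate key:". The key decrypts the control-plane certificates
# stored in the kubeadm-certs Secret, so handle it like a password: it goes to
# stdout only and is never written to a log here.
extract_cert_key() {
  key=$(printf '%s\n' "$1" | awk 'NF { last = $0 } END { print last }')
  printf '%s' "$key" | grep -Eq '^[0-9a-f]{64}$' || {
    echo "certificate key not found in upload-certs output" >&2
    return 1
  }
  printf '%s\n' "$key"
}

# token create prints a worker join line. Accept only a kubeadm join line that
# carries the --discovery-token-ca-cert-hash pin (it is what stops a joining
# node from trusting an impostor API server), then add the control-plane flags.
compose_control_plane_join() {
  join="$1"; key="$2"
  case "$join" in
    "kubeadm join "*" --token "*" --discovery-token-ca-cert-hash sha256:"*) ;;
    *) echo "unexpected join command: $join" >&2; return 1 ;;
  esac
  printf '%s --control-plane --certificate-key %s\n' "$join" "$key"
}

# Run the real commands on an existing control-plane node (needs root).
generate_join_command() {
  upload_out=$("$KUBEADM" init phase upload-certs --upload-certs)
  key=$(extract_cert_key "$upload_out")
  join=$("$KUBEADM" token create --print-join-command)
  compose_control_plane_join "$join" "$key"
}

# Constructed sample outputs (not captured from a real cluster) for the dry run.
SAMPLE_UPLOAD_OUTPUT='[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07'
SAMPLE_JOIN_CMD='kubeadm join 10.0.0.10:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

if [ "${1:-}" = "generate" ]; then
  generate_join_command
else
  # Dry run against the constructed samples; no kubeadm call is made.
  compose_control_plane_join "$SAMPLE_JOIN_CMD" "$(extract_cert_key "$SAMPLE_UPLOAD_OUTPUT")"
fi
```

Run it as sh join-control-plane.sh generate on the existing master and paste the single printed line on the new control-plane node. Because the certificate key is regenerated on every run, the stored certificates are re-encrypted each time you rebuild a master, which is exactly why the note above suggests scripting this rather than reusing one key.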


The command kubeadm token create does not have any flag --control-plane

From the docs

When you run the command kubeadm token create --print-join-command you get two commands in the output and you use the command with --control-plane flag to join the control plane node.