Document constraints of dynamic config install #4559

Merged
merged 1 commit into from
Jun 10, 2024

Conversation

juanluisvaladas
Contributor

Description

I got a report of someone who had issues because the kubernetes.default.svc clusterIP was missing from the SANs of some control plane nodes. This happened because the certificate for kube-apiserver is generated without dynamic config. In the past we saw a similar issue with specifying spec.network.provider, but because it was reported in k0sctl we only fixed it for k0sctl.

We don't document anywhere this behavior but we copy it in k0sctl and in k0smotron we use the same configuration for every replica of the statefulset, we should tell .

Non-changeable fields can cause issues if not defined in the configuration file. This isn't immediately obvious by reading the docs so document it explicitly.

This was in the past

Fixes # (issue)

Type of change

  • Bug fix (non-breaking change which fixes an issue) (I consider this a documentation bug)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

  • Manual test
  • Auto test added

Checklist:

  • My code follows the style guidelines of this project
  • My commit messages are signed-off
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

Non-changeable fields can cause issues if not defined in the
configuration file. This isn't immediately obvious by reading the docs
so document it explicitly.

Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>
@juanluisvaladas juanluisvaladas added the backport/release-1.30 PR that needs to be backported/cherrypicked to the release-1.30 branch label Jun 6, 2024
@juanluisvaladas
Contributor Author

Tagged it to backport to 1.30 only because the older versions need a manual backport due to CPLB.

@juanluisvaladas juanluisvaladas marked this pull request as ready for review June 6, 2024 10:37
@juanluisvaladas juanluisvaladas requested a review from a team as a code owner June 6, 2024 10:37
@twz123 twz123 added the documentation Improvements or additions to documentation label Jun 6, 2024
Member

@twz123 twz123 left a comment

I wonder if there's anything stopping us from actually supporting this to be dynamically reconciled? It currently feels like all that is needed is to add a Reconcile method to the Keepalived struct.

@juanluisvaladas
Contributor Author

> I wonder if there's anything stopping us from actually supporting this to be dynamically reconciled? It currently feels like all that is needed is to add a Reconcile method to the Keepalived struct.

I discussed this with Jussi back in the day and we agreed we didn't want to support this because:
1- kube-apiserver relies on CPLB, if something goes wrong this creates a chicken-egg situation.
2- Some fields such as the interface might be different on a per node basis, for instance the interface used for VRRP instances.

@twz123
Member

twz123 commented Jun 7, 2024

> 1- kube-apiserver relies on CPLB, if something goes wrong this creates a chicken-egg situation.

I don't see why kube-apiserver is relying on that? If yes, then because users have actively configured it in that way.

> 2- Some fields such as the interface might be different on a per node basis, for instance the interface used for VRRP instances.

Right. Currently, k0s is only able to reconcile cluster-wide settings. Maybe that's something to be revisited in the future.

@juanluisvaladas
Contributor Author

> I don't see why kube-apiserver is relying on that? If yes, then because users have actively configured it in that way.

This is used to fill the SANs of the kube-apiserver certificate. I think that was the only thing where it affected apiserver.
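
Added example, not part of this thread or of the k0s code base: a check for the symptom described in the PR description, flagging control plane nodes whose kube-apiserver certificate lacks the kubernetes.default.svc ClusterIP. It assumes the mismatched setting is the service CIDR, that the ClusterIP is the first address of that CIDR, and that SAN text was collected per node with `openssl x509 -noout -ext subjectAltName`; node names, the CIDR and the SAN text are constructed.

```python
import ipaddress
import re

# Constructed sample data: the service CIDR set in the cluster's k0s config
# (assumed non-default here) and SAN text per controller, in the format
# printed by `openssl x509 -noout -ext subjectAltName`.
SERVICE_CIDR = "10.128.0.0/12"
SAN_BY_NODE = {
    "controller-0": "X509v3 Subject Alternative Name:\n"
                    "    DNS:kubernetes, DNS:kubernetes.default.svc, "
                    "IP Address:127.0.0.1, IP Address:10.128.0.1",
    # This node's certificate carries 10.96.0.1, the first address of the
    # default 10.96.0.0/12 service CIDR, instead of the configured one.
    "controller-1": "X509v3 Subject Alternative Name:\n"
                    "    DNS:kubernetes, DNS:kubernetes.default.svc, "
                    "IP Address:127.0.0.1, IP Address:10.96.0.1",
}


def kubernetes_service_ip(service_cidr):
    """Return the ClusterIP of kubernetes.default.svc: the first address
    after the network address of the service CIDR."""
    return ipaddress.ip_network(service_cidr, strict=False)[1]


def parse_san_ips(san_text):
    """Extract the IP SAN entries from openssl's subjectAltName text."""
    return {ipaddress.ip_address(m)
            for m in re.findall(r"IP Address:([0-9A-Fa-f:.]+)", san_text)}


def nodes_missing_service_ip(service_cidr, san_by_node):
    """List nodes whose certificate lacks the kubernetes service ClusterIP."""
    expected = kubernetes_service_ip(service_cidr)
    return sorted(node for node, text in san_by_node.items()
                  if expected not in parse_san_ips(text))


if __name__ == "__main__":
    print("expected SAN IP:", kubernetes_service_ip(SERVICE_CIDR))
    for node in nodes_missing_service_ip(SERVICE_CIDR, SAN_BY_NODE):
        print(f"{node}: kube-apiserver certificate is missing the service IP")
```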

@juanluisvaladas juanluisvaladas merged commit 5fb4f10 into k0sproject:main Jun 10, 2024
9 checks passed
@k0s-bot

k0s-bot commented Jun 10, 2024

Successfully created backport PR for release-1.30:
