diff --git a/internal/controller/huaweicloudmachine_controller.go b/internal/controller/huaweicloudmachine_controller.go
index 842ea2d..9df8de6 100644
--- a/internal/controller/huaweicloudmachine_controller.go
+++ b/internal/controller/huaweicloudmachine_controller.go
@@ -386,7 +386,7 @@ func (r *HuaweiCloudMachineReconciler) reconcileNormal(_ context.Context, machin
 }
 
 // tasks that can take place during all known instance states
- if machineScope.InstanceIsInKnownState() {
+ if machineScope.InstanceIsInKnownState() && machineScope.IsControlPlane() {
 if err := ecsSvc.AttachInstanceToElb(instance); err != nil {
 machineScope.Logger.Error(err, "failed to attach instance to ELB")
 return ctrl.Result{}, err
diff --git a/pkg/services/ecs/cloudconfig.go b/pkg/services/ecs/cloudconfig.go
index 801b971..d375f1b 100644
--- a/pkg/services/ecs/cloudconfig.go
+++ b/pkg/services/ecs/cloudconfig.go
@@ -50,8 +50,11 @@ func (c *CloudConfig) genCloudProviderSecretTask() (writeFile *WriteFile, runCmd
 }
 
 runCmd = []string{
- "if ! kubectl get secret cloud-config; then kubectl create secret generic cloud-config --from-file=/etc/kubernetes/cloud-config; fi",
- // "rm -rf /etc/kubernetes/cloud-config",
+ // TODO: remove sleep if we can find a better way to wait for the cluster to be ready
+ "sleep 10",
+ "export KUBECONFIG=/etc/kubernetes/super-admin.conf",
+ "if ! kubectl -n kube-system get secret cloud-config; then kubectl -n kube-system create secret generic cloud-config --from-file=/etc/kubernetes/cloud-config; fi",
+ "rm -rf /etc/kubernetes/cloud-config",
 }
 
 return writeFile, runCmd, nil
diff --git a/templates/cluster-template.yaml b/templates/cluster-template.yaml
index dd08dd2..0d5f2ae 100644
--- a/templates/cluster-template.yaml
+++ b/templates/cluster-template.yaml
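Review bot: The comment `// tasks that can take place during all known instance states` directly above the changed condition no longer describes it: with `&& machineScope.IsControlPlane()` the ELB attachment now runs only for control-plane machines, and worker machines skip the block with no log line at all. Update the comment to something like `// tasks that can take place during all known instance states; ELB attachment only applies to control-plane machines`, and consider a V-level log when a worker is skipped so the omission is visible in the reconcile trace. reconcileNormal and the if body both continue outside the hunk, so any other work inside that block is now also control-plane only — worth confirming that is intended.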
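Review bot: The added `"rm -rf /etc/kubernetes/cloud-config"` runs unconditionally, so when the `kubectl create secret` line above it fails (for example because the API server is still not reachable when the fixed `sleep 10` expires) the node's only copy of the cloud credentials is deleted while no secret exists in the cluster; cloud-init runcmd does not abort on an earlier failed command unless the script arranges that itself, and nothing in this hunk does. Tie the removal to the create succeeding and replace the fixed sleep with a bounded readiness wait, as sketched below (the 60×5s bound is a constructed value). `super-admin.conf` is the system:masters bootstrap credential kubeadm writes only during `kubeadm init`; if this runcmd is also rendered for control-plane nodes that join an existing cluster (not visible here) that file will not exist, and `admin.conf` is the credential intended for use after bootstrap. genCloudProviderSecretTask's body starts before the hunk.
```go
	runCmd = []string{
		"export KUBECONFIG=/etc/kubernetes/super-admin.conf",
		// bounded readiness wait instead of a fixed sleep (60 x 5s is a constructed bound)
		"for i in $(seq 1 60); do kubectl get --raw=/readyz >/dev/null 2>&1 && break; sleep 5; done",
		// drop the on-disk credentials only once the secret is known to exist
		"if kubectl -n kube-system get secret cloud-config >/dev/null 2>&1 || kubectl -n kube-system create secret generic cloud-config --from-file=/etc/kubernetes/cloud-config; then rm -f /etc/kubernetes/cloud-config; fi",
	}
```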
@@ -132,6 +132,139 @@ apiVersion: v1 data: hw-cp-external.yaml: | --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: system:cloud-controller-manager + rules: + - resources: + - tokenreviews + verbs: + - get + - list + - watch + - create + - update + - patch + apiGroups: + - authentication.k8s.io + - resources: + - configmaps + - endpoints + - pods + - services + - secrets + - serviceaccounts + - serviceaccounts/token + verbs: + - get + - list + - watch + - create + - update + - patch + apiGroups: + - '' + - resources: + - nodes + verbs: + - get + - list + - watch + - delete + - patch + - update + apiGroups: + - '' + - resources: + - services/status + - pods/status + verbs: + - update + - patch + apiGroups: + - '' + - resources: + - nodes/status + verbs: + - patch + - update + apiGroups: + - '' + - resources: + - events + - endpoints + verbs: + - create + - patch + - update + apiGroups: + - '' + - resources: + - leases + verbs: + - get + - update + - create + - delete + apiGroups: + - coordination.k8s.io + - resources: + - customresourcedefinitions + verbs: + - get + - update + - create + - delete + apiGroups: + - apiextensions.k8s.io + - resources: + - ingresses + verbs: + - get + - list + - watch + - update + - create + - patch + - delete + apiGroups: + - networking.k8s.io + - resources: + - ingresses/status + verbs: + - update + - patch + apiGroups: + - networking.k8s.io + - resources: + - endpointslices + verbs: + - get + - list + - watch + apiGroups: + - discovery.k8s.io + --- + apiVersion: v1 + kind: ServiceAccount + metadata: + name: cloud-controller-manager + namespace: kube-system + --- + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: system:cloud-controller-manager + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager + subjects: + - kind: ServiceAccount + name: cloud-controller-manager + namespace: kube-system + --- 
apiVersion: apps/v1 kind: DaemonSet metadata:
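Review bot: The new ClusterRole grants get/list/watch/create/update/patch on `secrets` and create on `serviceaccounts/token` in every namespace, which together amount to cluster-admin-equivalent access (read any secret, mint a token for any service account) for the cloud-controller-manager service account. The only secret this series shows the CCM needing is `cloud-config`, created in `kube-system` by the cloudconfig.go hunk, so those two entries are better carried by a Role/RoleBinding scoped to kube-system, as sketched below (verbs copied from the hunk; trim further if the CCM's actual reads are narrower, which this diff does not show). Separately, the `tokenreviews` resource only supports `create`, so the get/list/watch/update/patch verbs on that rule are inert and can be dropped. These manifests live inside the `hw-cp-external.yaml` block scalar, so the additions need the same indentation as the surrounding data.
```yaml
# … unchanged: ClusterRole without the core-group secrets / serviceaccounts/token entries …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cloud-controller-manager
  namespace: kube-system
rules:
  - apiGroups: ['']
    resources: [secrets]
    verbs: [get, list, watch, create, update, patch]
  - apiGroups: ['']
    resources: [serviceaccounts/token]
    verbs: [create]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cloud-controller-manager
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cloud-controller-manager
subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
```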