Remove the ci-ok-to-test: feature is now included in failfast-ci

Improve logging of kubeadm init failure of first control plane node (#12216 )
Split retry task of 'kubeadm init' to show the failure log of the first execution.
2025-12-14 13:54:37 +03:00 · 2025-05-16 12:05:35 +02:00 · 2025-05-16 03:01:13 -07:00 · 2025-05-15 12:45:13 -07:00 · 2025-05-15 12:39:14 -07:00 · 2025-05-15 18:35:34 +02:00
8 changed files with 66 additions and 67 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -59,33 +59,6 @@ before_script:
    - pre-commit            # lint
    - vagrant-validate      # lint

-# For failfast, at least 1 job must be defined in .gitlab-ci.yml
-# Premoderated with manual actions
-ci-not-authorized:
-  stage: build
-  before_script: []
-  after_script: []
-  rules:
-    # LGTM or ok-to-test labels
-    - if: $PR_LABELS =~ /.*,(lgtm|approved|ok-to-test).*|^(lgtm|approved|ok-to-test).*/i
-      variables:
-        CI_OK_TO_TEST: '0'
-      when: always
-    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - if: $CI_COMMIT_BRANCH == "master"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - when: always
-      variables:
-        CI_OK_TO_TEST: '1'
-  script:
-    - exit $CI_OK_TO_TEST
-  tags:
-    - ffci
-  needs: []
-
 include:
  - .gitlab-ci/build.yml
  - .gitlab-ci/lint.yml
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -55,6 +55,7 @@ pr:
          - ubuntu22-calico-all-in-one
          - ubuntu22-calico-all-in-one-upgrade
          - ubuntu24-calico-etcd-datastore
+          - ubuntu24-ha-separate-etcd

 # The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu20-calico-all-in-one:
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -98,28 +98,6 @@
  loop_control:
    label: "{{ item.item }}"

-# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
-# TODO: fix certs generation to have the same file everywhere
-# OR work with kubeadm on node-specific config
- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
-  file:
-    state: link
-    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
-    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
-    mode: "0640"
-  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
-  vars:
-    suffixes:
-      - ''
-      - '-key'
-  when:
-    - ('kube_control_plane' in group_names)
-    - item[1] != inventory_hostname
-  register: symlink_created
-  failed_when:
-    - symlink_created is failed
-    - ('refusing to convert from file to symlink' not in symlink_created.msg)
-
 - name: Gen_certs | Gather node certs from first etcd node
  slurp:
    src: "{{ item }}"
@@ -175,3 +153,25 @@
    owner: "{{ etcd_owner }}"
    mode: "{{ etcd_cert_dir_mode }}"
    recurse: true
+
+# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
+# TODO: fix certs generation to have the same file everywhere
+# OR work with kubeadm on node-specific config
+- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
+  file:
+    state: link
+    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
+    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
+    mode: "0640"
+  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
+  vars:
+    suffixes:
+      - ''
+      - '-key'
+  when:
+    - ('kube_control_plane' in group_names)
+    - item[1] != inventory_hostname
+  register: symlink_created
+  failed_when:
+    - symlink_created is failed
+    - ('refusing to convert from file to symlink' not in symlink_created.msg)
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -20,7 +20,7 @@ coredns_default_zone_cache_block: |
 coredns_pod_disruption_budget: false
 # value for coredns pdb
 coredns_pod_disruption_budget_max_unavailable: "30%"
-deploy_coredns: true
+
 # coredns_additional_configs adds any extra configuration to coredns
 # coredns_additional_configs: |
 #   whoami
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -22,9 +22,7 @@
    - coredns
  vars:
    clusterIP: "{{ skydns_server }}"
-  when:
-    - dns_mode in ['coredns', 'coredns_dual']
-    - deploy_coredns
+  when: dns_mode in ['coredns', 'coredns_dual']

 - name: Kubernetes Apps | CoreDNS Secondary
  command:
@@ -40,7 +38,6 @@
    coredns_ordinal_suffix: "-secondary"
  when:
    - dns_mode == 'coredns_dual'
-    - deploy_coredns

 - name: Kubernetes Apps | nodelocalDNS
  command:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -61,6 +61,7 @@
    dest: "{{ audit_policy_file }}"
    mode: "0640"
  when: kubernetes_audit or kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver

 - name: Write api audit webhook config yaml
  template:
@@ -68,6 +69,7 @@
    dest: "{{ audit_webhook_config_file }}"
    mode: "0640"
  when: kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver

 - name: Create apiserver tracing config directory
  file:
@@ -82,6 +84,7 @@
    dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
    mode: "0640"
  when: kube_apiserver_tracing
+  notify: Control plane | Restart apiserver

 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
@@ -109,6 +112,7 @@
    dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
    mode: "0640"
  when: kube_apiserver_admission_control_config_file
+  notify: Control plane | Restart apiserver

 - name: Kubeadm | Push admission control config files
  template:
@@ -119,6 +123,7 @@
    - kube_apiserver_admission_control_config_file
    - item in kube_apiserver_admission_plugins_needs_configuration
  loop: "{{ kube_apiserver_enable_admission_plugins }}"
+  notify: Control plane | Restart apiserver

 - name: Kubeadm | Check apiserver.crt SANs
  vars:
@@ -166,22 +171,32 @@
    - not kube_external_ca_mode

 - name: Kubeadm | Initialize first control plane node
-  command: >-
-    timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
-    {{ bin_dir }}/kubeadm init
-    --config={{ kube_config_dir }}/kubeadm-config.yaml
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
-  register: kubeadm_init
-  # Retry is because upload config sometimes fails
-  retries: 3
-  until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
  when: inventory_hostname == first_kube_control_plane and not kubeadm_already_run.stat.exists
-  failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
+  vars:
+    kubeadm_init_first_control_plane_cmd: >-
+      timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
+      {{ bin_dir }}/kubeadm init
+      --config={{ kube_config_dir }}/kubeadm-config.yaml
+      --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
+      --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
+      {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  notify: Control plane | restart kubelet
+  block:
+    - name: Kubeadm | Initialize first control plane node (1st try)
+      command: "{{ kubeadm_init_first_control_plane_cmd }}"
+      register: kubeadm_init
+      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
+  rescue:
+    # Retry is because upload config sometimes fails
+    # This retry task is separated from 1st task to show log of failure of 1st task.
+    - name: Kubeadm | Initialize first control plane node (retry)
+      command: "{{ kubeadm_init_first_control_plane_cmd }}"
+      register: kubeadm_init
+      retries: 2
+      until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
+      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr

 - name: Set kubeadm certificate key
  set_fact:
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -897,7 +897,7 @@ downloads:
      - k8s_cluster

  dnsautoscaler:
-    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] }}"
+    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] and enable_dns_autoscaler }}"
    container: true
    repo: "{{ dnsautoscaler_image_repo }}"
    tag: "{{ dnsautoscaler_image_tag }}"
--- a/tests/files/ubuntu24-ha-separate-etcd.yml
+++ b/tests/files/ubuntu24-ha-separate-etcd.yml
@@ -0,0 +1,13 @@
+---
+cloud_image: ubuntu-2404
+cluster_layout:
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_node']
+  - node_groups: ['etcd']
+  - node_groups: ['etcd']
+  - node_groups: ['etcd']
+
+kube_network_plugin: calico
+calico_datastore: etcd
Author	SHA1	Message	Date
ant31	c5db7d1e10	Remove the ci-ok-to-test: feature is now included in failfast-ci	2025-05-16 12:05:35 +02:00
Takuya Murakami	c6dfe22a41	Improve logging of kubeadm init failure of first control plane node (#12216 ) Split retry task of 'kubeadm init' to show the failure log of the first execution.	2025-05-16 03:01:13 -07:00
Seena Fallah	ec85b7e2c9	download: respect enable_dns_autoscaler when enabling dnsautoscaler (#12217 ) dnsautoscaler should only be enabled when enable_dns_autoscaler is set to true. without this, it could be enabled without any manifest actually using it, which makes it a false signal. Signed-off-by: Seena Fallah <seenafallah@gmail.com>	2025-05-15 12:45:13 -07:00
Kubernetes Prow Robot	acd6872c80	Merge pull request #12219 from VannTen/test/ha_etcd_separate Fix broken workaround for separate etcd setup	2025-05-15 12:39:14 -07:00
Max Gautier	22d3cf9c2b	Move 'pretend certificates' after cert distribution The link target will only exist after we distribute the certs on each node.	2025-05-15 18:35:34 +02:00
Max Gautier	2d3bd8686f	Add testcase separate ha-etcd Also use a distinct node to test certificate distribution.	2025-05-15 18:20:13 +02:00
Hyeonki Hong	2c3b6c9199	feat: add trigger to restart kube-apiserver when config files change (#12172 ) * feat: add trigger to restart kube-apiserver when config files change * fix: remove not upgrade_cluster_setup condition * refactor: streamline kube-apiserver restart notifications	2025-05-15 06:51:14 -07:00