mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2025-12-13 21:34:40 +03:00
* Refactor control plane upgrades with reconfiguration support Adds revised support for: - The previously removed `--config` argument for `kubeadm upgrade apply` - Changes to `ClusterConfiguration` as part of the `upgrade-cluster.yml` playbook lifecycle - kubeadm-config `v1beta4` `UpgradeConfiguration` for the `kubeadm upgrade apply` command: [UpgradeConfiguration v1beta4](https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-UpgradeConfiguration). * Add kubeadm upgrade node support Per discussion: - Use `kubeadm upgrade node` on secondary control plane upgrades - Add support for UpgradeConfiguration.node in kubeadm-config.v1beta4 - Remove redundant `allowRCUpgrades` config - Revert from `block` for first and secondary control plane back to unblocked tasks since they no longer share much code and it's more readable this way * Add kubelet and kube-proxy reconfiguration to upgrades * Fix task to use `kubeadm init phase etcd local` * Rebase with changes from "Adapt checksums and versions to new hashes updater" PR * Add `imagePullPolicy` and `imagePullSerial` to kubeadm-config v1beta4 `InitConfiguration.nodeRegistration`
---
# Pre-upgrade gate: statically import the API server checks so that kubeadm is
# not started against a control plane that is already unhealthy.
# NOTE(review): check-api.yml is not visible here - confirm what it probes
# (endpoint, TLS verification) and that it fails the play when the probe fails.
- name: Ensure kube-apiserver is up before upgrade
  import_tasks: check-api.yml
# kubeadm-config v1beta4 with UpgradeConfiguration requires some values that
# were previously accepted as command-line arguments to be specified in the
# config file instead. Only the v1beta3 branch below still passes them as flags;
# every other API version gets just --config.
- name: Kubeadm | Upgrade first control plane node
  when: inventory_hostname == first_kube_control_plane
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  # `timeout -k 600s 600s` sends SIGTERM after 600s and SIGKILL 600s later if
  # kubeadm is still running, so a hung upgrade cannot block the play forever.
  #
  # Security review (v1beta3 branch): --force, --allow-experimental-upgrades and
  # --ignore-preflight-errors each relax one of kubeadm's own safety checks
  # (unmet requirements, pre-release target versions, failed preflight checks).
  # Keep kubeadm_ignore_preflight_errors as narrow as possible, and check what
  # kubeadm_upgrade_auto_cert_renewal is set to: when it is false, the control
  # plane certificates are not renewed by this upgrade.
  # In the other branch the same decisions are taken from kubeadm-config.yaml,
  # so that file is what needs reviewing.
  #
  # The Jinja whitespace control ({%- ... -%}) is significant for how the folded
  # scalar renders; do not re-wrap these lines.
  command: >-
    timeout -k 600s 600s
    {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
    {%- if kubeadm_config_api_version == 'v1beta3' %}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --allow-experimental-upgrades
    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    --force
    {%- else %}
    --config={{ kube_config_dir }}/kubeadm-config.yaml
    {%- endif -%}
  register: kubeadm_upgrade
  # A non-zero exit is tolerated whenever stderr contains "field is immutable".
  # NOTE(review): the match is a plain substring test on the whole of stderr, so
  # any failure that also prints this phrase is treated as success and the play
  # continues. The reason for the exception is not stated in this file - confirm
  # it, and verify the resulting control plane version after the run.
  failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
# Every control plane node except the first one is upgraded with
# `kubeadm upgrade node`. As in the first-node task, the flags are passed on the
# command line for v1beta3 and taken from kubeadm-config.yaml otherwise.
- name: Kubeadm | Upgrade other control plane nodes
  when: inventory_hostname != first_kube_control_plane
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  # NOTE(review): unlike the first-node task, this command is not wrapped in
  # `timeout`, so a hung kubeadm process stalls the play on that host.
  #
  # Security review (v1beta3 branch): --ignore-preflight-errors downgrades the
  # listed preflight failures to warnings; keep kubeadm_ignore_preflight_errors
  # narrow. When kubeadm_upgrade_auto_cert_renewal is false, this node's
  # certificates are not renewed by the upgrade.
  #
  # The Jinja whitespace control ({%- ... -%}) is significant for how the folded
  # scalar renders; do not re-wrap these lines.
  command: >-
    {{ bin_dir }}/kubeadm upgrade node
    {%- if kubeadm_config_api_version == 'v1beta3' %}
    --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}
    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
    --etcd-upgrade={{ (etcd_deployment_type == "kubeadm") | lower }}
    {% if kubeadm_patches | length > 0 %}--patches={{ kubeadm_patches_dir }}{% endif %}
    {%- else %}
    --config={{ kube_config_dir }}/kubeadm-config.yaml
    {%- endif -%}
  register: kubeadm_upgrade
  # A non-zero exit is tolerated whenever stderr contains "field is immutable".
  # NOTE(review): this is a plain substring test on the whole of stderr; any
  # failure that also prints this phrase is treated as success. Confirm the
  # node's version after the run rather than relying on the task status.
  failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
# kubeadm upgrade no longer reconciles ClusterConfiguration and
# KubeProxyConfiguration changes. They must be re-applied separately after the
# upgrade so that the cluster ends up with the latest config.
- name: Update kubeadm and kubelet configmaps after upgrade
  when: inventory_hostname == first_kube_control_plane
  # The uploaded ConfigMaps are generated from the local kubeadm-config.yaml, so
  # whatever is in that file on the first control plane node becomes the
  # cluster-wide configuration; review changes to it like any other
  # security-relevant cluster setting.
  command: >-
    {{ bin_dir }}/kubeadm init phase upload-config all
    --config {{ kube_config_dir }}/kubeadm-config.yaml
  register: kubeadm_upload_config
  # Retried because the upload sometimes fails. No `delay` is set, so Ansible's
  # default pause between attempts applies.
  until: kubeadm_upload_config.rc == 0
  retries: 3
# Re-apply the kube-proxy addon from kubeadm-config.yaml on the first control
# plane node, unless the addon/kube-proxy phase is listed in
# kubeadm_init_phases_skip.
- name: Update kube-proxy configmap after upgrade
  when:
    - inventory_hostname == first_kube_control_plane
    - ('addon/kube-proxy' not in kubeadm_init_phases_skip)
  command: >-
    {{ bin_dir }}/kubeadm init phase addon kube-proxy
    --config {{ kube_config_dir }}/kubeadm-config.yaml
  register: kube_proxy_upload_config
  # Retried because the upload sometimes fails. No `delay` is set, so Ansible's
  # default pause between attempts applies.
  until: kube_proxy_upload_config.rc == 0
  retries: 3
# Regenerate the local etcd static pod manifest from kubeadm-config.yaml. Only
# applies when etcd is managed by kubeadm.
# There is no inventory_hostname condition, so this runs on every host that
# executes this task file.
- name: Rewrite kubeadm managed etcd static pod manifests with updated configmap
  when: etcd_deployment_type == "kubeadm"
  # The command module has no changed_when here, so the task always reports
  # "changed" and the kubelet restart handler is always notified.
  command: >-
    {{ bin_dir }}/kubeadm init phase etcd local
    --config {{ kube_config_dir }}/kubeadm-config.yaml
  notify: Control plane | restart kubelet
# Regenerate the control plane static pod manifests from kubeadm-config.yaml.
# This is the step that puts changed component flags from the config file into
# effect on the node, so it is where hardening settings defined there (or their
# accidental removal) actually land.
- name: Rewrite kubernetes control plane static pod manifests with updated configmap
  # No changed_when: the task always reports "changed", which always notifies
  # the kubelet restart handler.
  command: >-
    {{ bin_dir }}/kubeadm init phase control-plane all
    --config {{ kube_config_dir }}/kubeadm-config.yaml
  notify: Control plane | restart kubelet
# Run the handlers notified so far (the kubelet restart) now rather than at the
# end of the play, so the API check that follows sees the rewritten manifests
# in effect.
- name: Flush kubelet handlers
  meta: flush_handlers
# Post-upgrade gate: repeat the API server checks after the manifests were
# rewritten and kubelet was restarted, before any kubectl command below runs.
# NOTE(review): check-api.yml is not visible here - confirm it fails the play
# when the API server does not come back.
- name: Ensure kube-apiserver is up after upgrade and control plane configuration updates
  import_tasks: check-api.yml
# Hardening step, enabled by remove_anonymous_access: delete the RoleBinding
# kubeadm:bootstrap-signer-clusterinfo in kube-public, which is what lets
# unauthenticated clients read the cluster-info ConfigMap.
# Trade-off: token-based discovery in `kubeadm join` reads that ConfigMap
# anonymously, so joining nodes need a different discovery method once the
# binding is gone.
# NOTE(review): the task sits after the upgrade presumably because kubeadm
# re-creates the binding during an upgrade - confirm, and verify after the run
# that the binding is absent.
- name: Kubeadm | Remove binding to anonymous user
  when: remove_anonymous_access
  # --ignore-not-found keeps the exit code at 0 when the binding is already
  # gone. There is no changed_when, so the task reports "changed" on every run.
  command: "{{ kubectl }} -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo --ignore-not-found"
# Delete root's kubectl discovery and HTTP caches so that the next kubectl call
# re-reads the API types from the upgraded API server.
# The paths are hard-coded to /root/.kube; caches under any other user's home
# directory are left untouched.
- name: Kubeadm | clean kubectl cache to refresh api types
  file:
    state: absent
    path: "{{ item }}"
  loop:
    - /root/.kube/cache
    - /root/.kube/http-cache
# FIXME: https://github.com/kubernetes/kubeadm/issues/1318
# When dns_mode is neither 'coredns' nor 'coredns_dual', scale the coredns
# Deployment in kube-system down to zero replicas. The Deployment object itself
# is left in place; only its replica count changes.
- name: Kubeadm | scale down coredns replicas to 0 if not using coredns dns_mode
  when:
    - kubeadm_scale_down_coredns_enabled
    - dns_mode not in ['coredns', 'coredns_dual']
  # Executed once per play rather than on every control plane node.
  run_once: true
  command: "{{ kubectl }} -n kube-system scale deployment/coredns --replicas 0"
  register: scale_down_coredns
  # Up to 6 retries, 5 seconds apart, until the command succeeds.
  until: scale_down_coredns is succeeded
  retries: 6
  delay: 5
  # Always reported as unchanged, whether or not replicas were actually scaled.
  changed_when: false