* Deduplicate GraphQL node IDs in update-hashes to fix 502
* Bump component_hash_update version to 1.0.1
Avoids stale pip/uv installation cache in CI pipelines
after the GraphQL deduplication fix.
---------
Co-authored-by: Hamza <12420351+0xMH@users.noreply.github.com>
Currently, if changing the inventory variable `kubeadm_patches`, new
patches will be created, but the existing ones will also be left on the
filesystem, and applied by kubeadm ; this means that removed or changed
configuration can linger.
Cleanup old patches (which are the difference between existing patches
on filesystem and the one created for the current runs).
Co-authored-by: Max Gautier <mg@max.gautier.name>
When joining a control plane node and "upgrading" the cluster setup (for
example, to update etcd addresses after adding a new etcd) in the same
playbook run, the node can take a bit of time to become ready after
joining.
This triggers a kubeadm preflight check (ControlPlaneNodesReady) in
kubeadm upgrade, which is run directly after the join tasks.
Add a configurable wait for the control plane node to become Ready to
fix this race condition.
Co-authored-by: Max Gautier <mg@max.gautier.name>
We currently **recursively** set the permissions of /etc/ssl/etcd/ssl
(default path) to 700. But this removes group permission from the files
under it, and certain composents (like calio with etcd datastore) rely
on it ; thus, the upgrade of a cluster can fail because the
calico-kube-controller can't access the certs, and thus the etcd.
This works in other case because as far as I can tell, the apiserver
which do access the etcd run as root (the owner of the files, not just
the "group owner")
We also for some reasons do this twice.
Only create the etcd cert directory with the correct permissions once,
not recursively.
Co-authored-by: Max Gautier <mg@max.gautier.name>
The config.json.j2 template was generating invalid JSON when multiple
crio_registry_auth entries were defined, resulting in multiple top-level
"auths" objects being rendered, e.g.:
{
"auths": { "registry1": { "auth": "xxxx" } },
"auths": { "registry2": { "auth": "yyyy" } }
}
This change moves the loop inside the "auths" object so that all registries
are rendered as siblings under a single "auths" key, producing valid JSON:
{
"auths": {
"registry1": { "auth": "xxxx" },
"registry2": { "auth": "yyyy" }
}
}
Co-authored-by: Martin Cahill <martin.cahill@gmail.com>
The way to obtain the IP of a particular member is convoluted and depend
on multiple variables. The match is also textual and it's not clear
against what we're matching
It's also broken for etcd member which are not also Kubernetes nodes,
because the "Lookup node IP in kubernetes" task will fail and abort the
play.
Instead, match against 'peerURLs', which does not need new variable, and
use json output.
- Add testcase for etcd removal on external etcd
* CI: Try a full ssh connection on hosts instead of only checking the port
If we only try the port, we can try to connect in the playbook which is
executed next even though the managed node has not yet completed it's
boot-up sequence ("System is booting up. Unprivileged users are not
permitted to log in yet. Please come back later. For technical details,
see pam_nologin(8).")
This does not account for python-less hosts, but we don't use those in
CI anyway (for now, at least).
* CI: Remove connection method override when creating VMs
This prevented wait_for_connection to work correctly by hijacking the
connection to localhost, thus bypassing the connection check.
---------
Co-authored-by: Max Gautier <mg@max.gautier.name>
kubeadm errors out if 'all' is specified with specific checks, so check
that case when we add hardcoded checks.
Add a test to catch regression.
Co-authored-by: Max Gautier <mg@max.gautier.name>
Fixes a bug where `kube-apiserver` fails to start if the PodSecurity
configuration file doesn't have the `apiVersion` and `kind` keys.
Signed-off-by: Alejandro Macedo <alex.macedopereira@gmail.com>
Co-authored-by: Alejandro Macedo <alex.macedopereira@gmail.com>
Add 1.32 conditional defaults
Restore support for kubeadm upgrade node --skip-phases < 1.32, apply still needs to be restricted
Co-authored-by: Chad Swenson <chadswen@gmail.com>
* cilium: pass cluster DNS to hubble.peerService in values.yaml.j2
* Add dedicated Hubble variable defaulting to inventory cluster domain
---------
Co-authored-by: Mustafa Mertcan CAM <mertcancam@gmail.com>
k8s-infra-cherrypick-robot