From bab3d4af6894cf04b6d08e621c0a5f6a155ac876 Mon Sep 17 00:00:00 2001
From: Hyeonki Hong
Date: Mon, 28 Apr 2025 23:35:57 +0900
Subject: [PATCH 1/3] feat: add trigger to restart kube-apiserver when config files change
---
 .../control-plane/tasks/kubeadm-setup.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 08da3293c13..f61a2ce4879 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -60,6 +60,7 @@
     src: apiserver-audit-policy.yaml.j2
     dest: "{{ audit_policy_file }}"
     mode: "0640"
+  register: apiserver_audit_policy_update
   when: kubernetes_audit or kubernetes_audit_webhook
 
 - name: Write api audit webhook config yaml
@@ -67,6 +68,7 @@
     src: apiserver-audit-webhook-config.yaml.j2
     dest: "{{ audit_webhook_config_file }}"
     mode: "0640"
+  register: apiserver_audit_webhook_config_update
   when: kubernetes_audit_webhook
 
 - name: Create apiserver tracing config directory
@@ -81,6 +83,7 @@
     src: apiserver-tracing.yaml.j2
     dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
     mode: "0640"
+  register: apiserver_tracing_config_update
   when: kube_apiserver_tracing
 
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
@@ -108,6 +111,7 @@
     src: "admission-controls.yaml.j2"
     dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
     mode: "0640"
+  register: apiserver_admission_control_config_update
   when: kube_apiserver_admission_control_config_file
 
 - name: Kubeadm | Push admission control config files
@@ -115,6 +119,7 @@
     src: "{{ item | lower }}.yaml.j2"
     dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
     mode: "0640"
+  register: apiserver_admission_control_plugin_config_update
   when:
     - kube_apiserver_admission_control_config_file
     - item in kube_apiserver_admission_plugins_needs_configuration
@@ -229,6 +234,21 @@
 - name: Kubeadm | Join other control plane nodes
   include_tasks: kubeadm-secondary.yml
 
+- name: Kubeadm | Trigger restart kube-apiserver
+  debug:
+    msg: Detected changes in kube-apiserver config files
+  changed_when: true
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+    - >
+      apiserver_audit_policy_update.changed or
+      apiserver_audit_webhook_config_update.changed or
+      apiserver_tracing_config_update.changed or
+      apiserver_admission_control_config_update.changed or
+      apiserver_admission_control_plugin_config_update.changed
+  notify: Control plane | Restart apiserver
+
 - name: Kubeadm | upgrade kubernetes cluster to {{ kube_version }}
   include_tasks: kubeadm-upgrade.yml
   when:
From b037994476ee916a7f4a008677050557440312c3 Mon Sep 17 00:00:00 2001
From: Hyeonki Hong
Date: Tue, 29 Apr 2025 00:31:39 +0900
Subject: [PATCH 2/3] fix: remove not upgrade_cluster_setup condition
---
 .../control-plane/tasks/kubeadm-setup.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index f61a2ce4879..d8be298b313 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
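Review bot: The folded `>` condition in the new "Kubeadm | Trigger restart kube-apiserver" task dereferences all five registered results unconditionally, so any run in which one of those template tasks does not execute at all (for example a tag-filtered run) fails the whole `when` with an undefined variable instead of simply not restarting. A task skipped by its own `when` still registers a result with `changed: false`, so the normal skip path is fine; only the never-ran case is affected, and `apiserver_audit_policy_update.changed | default(false)` on each term would make it tolerant. Patch 3/3 on this page replaces the task with per-task `notify`, which sidesteps the issue, so this is only relevant if 1/3 is merged on its own.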
@@ -234,12 +234,17 @@
 - name: Kubeadm | Join other control plane nodes
   include_tasks: kubeadm-secondary.yml
 
+- name: Kubeadm | upgrade kubernetes cluster to {{ kube_version }}
+  include_tasks: kubeadm-upgrade.yml
+  when:
+    - upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: Kubeadm | Trigger restart kube-apiserver
   debug:
     msg: Detected changes in kube-apiserver config files
   changed_when: true
   when:
-    - not upgrade_cluster_setup
     - kubeadm_already_run.stat.exists
     - >
       apiserver_audit_policy_update.changed or
@@ -249,12 +254,6 @@
       apiserver_admission_control_plugin_config_update.changed
   notify: Control plane | Restart apiserver
 
-- name: Kubeadm | upgrade kubernetes cluster to {{ kube_version }}
-  include_tasks: kubeadm-upgrade.yml
-  when:
-    - upgrade_cluster_setup
-    - kubeadm_already_run.stat.exists
-
 # FIXME(mattymo): from docs: If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: {}` in the YAML file.
 - name: Kubeadm | Remove taint for control plane node with node role
   command: "{{ kubectl }} taint node {{ inventory_hostname }} {{ item }}"
From 431b9459835205e094b6f1af215aca66ac568ac1 Mon Sep 17 00:00:00 2001
From: Hyeonki Hong
Date: Mon, 12 May 2025 23:51:43 +0900
Subject: [PATCH 3/3] refactor: streamline kube-apiserver restart notifications
---
 .../control-plane/tasks/kubeadm-setup.yml | 24 ++++---------------
 1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index d8be298b313..c33f94b3004 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -60,16 +60,16 @@
     src: apiserver-audit-policy.yaml.j2
     dest: "{{ audit_policy_file }}"
     mode: "0640"
-  register: apiserver_audit_policy_update
   when: kubernetes_audit or kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver
 
 - name: Write api audit webhook config yaml
   template:
     src: apiserver-audit-webhook-config.yaml.j2
     dest: "{{ audit_webhook_config_file }}"
     mode: "0640"
-  register: apiserver_audit_webhook_config_update
   when: kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver
 
 - name: Create apiserver tracing config directory
   file:
@@ -83,8 +83,8 @@
     src: apiserver-tracing.yaml.j2
     dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
     mode: "0640"
-  register: apiserver_tracing_config_update
   when: kube_apiserver_tracing
+  notify: Control plane | Restart apiserver
 
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
@@ -111,19 +111,19 @@
     src: "admission-controls.yaml.j2"
     dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
     mode: "0640"
-  register: apiserver_admission_control_config_update
   when: kube_apiserver_admission_control_config_file
+  notify: Control plane | Restart apiserver
 
 - name: Kubeadm | Push admission control config files
   template:
     src: "{{ item | lower }}.yaml.j2"
     dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
     mode: "0640"
-  register: apiserver_admission_control_plugin_config_update
   when:
     - kube_apiserver_admission_control_config_file
     - item in kube_apiserver_admission_plugins_needs_configuration
   loop: "{{ kube_apiserver_enable_admission_plugins }}"
+  notify: Control plane | Restart apiserver
 
 - name: Kubeadm | Check apiserver.crt SANs
   vars:
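Review bot: Nothing in the hunk records why a changed template must restart the apiserver, and the `kubeadm_already_run.stat.exists` gate that patches 1/3 and 2/3 carried is gone, so on a fresh install every one of these template tasks reports changed and queues `Control plane | Restart apiserver` for the end of the play as well; that handler is not on this page, so I cannot tell whether running it right after the initial kubeadm init is merely a redundant restart or something that needs the gate reinstated inside the handler. The security reason for the notify deserves a comment, since a rewritten audit policy, webhook kubeconfig, tracing or admission config that is not picked up leaves the running apiserver silently on the old policy, which is an audit-coverage gap rather than a visible failure. Suggest above the first template task: `# kube-apiserver reads the audit, tracing and admission config files only at startup, so a changed file must notify a restart or the running apiserver keeps enforcing the old policy.` The same applies to the hunks at @@ -83 and @@ -111.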
@@ -240,20 +240,6 @@
     - upgrade_cluster_setup
     - kubeadm_already_run.stat.exists
 
-- name: Kubeadm | Trigger restart kube-apiserver
-  debug:
-    msg: Detected changes in kube-apiserver config files
-  changed_when: true
-  when:
-    - kubeadm_already_run.stat.exists
-    - >
-      apiserver_audit_policy_update.changed or
-      apiserver_audit_webhook_config_update.changed or
-      apiserver_tracing_config_update.changed or
-      apiserver_admission_control_config_update.changed or
-      apiserver_admission_control_plugin_config_update.changed
-  notify: Control plane | Restart apiserver
-
 # FIXME(mattymo): from docs: If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: {}` in the YAML file.
 - name: Kubeadm | Remove taint for control plane node with node role
   command: "{{ kubectl }} taint node {{ inventory_hostname }} {{ item }}"