kubespray/roles/kubernetes/kubeadm/tasks/main.yml

---
- name: Set kubeadm_discovery_address
  set_fact:
    # noqa: jinja[spacing]
    kubeadm_discovery_address: >-
      {%- if "127.0.0.1" in kube_apiserver_endpoint or "localhost" in kube_apiserver_endpoint -%}
      {{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
      {%- else -%}
      {{ kube_apiserver_endpoint | replace("https://", "") }}
      {%- endif %}
  tags:
    - facts

- name: Check if kubelet.conf exists
  stat:
    path: "{{ kube_config_dir }}/kubelet.conf"
    get_attributes: false
    get_checksum: false
    get_mime: false
  register: kubelet_conf

- name: Check if kubeadm CA cert is accessible
  stat:
    path: "{{ kube_cert_dir }}/ca.crt"
    get_attributes: false
    get_checksum: false
    get_mime: false
  register: kubeadm_ca_stat
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true

- name: Calculate kubeadm CA cert hash
  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
  args:
    executable: /bin/bash
  register: kubeadm_ca_hash
  when:
    - kubeadm_ca_stat.stat is defined
    - kubeadm_ca_stat.stat.exists
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  changed_when: false

- name: Create kubeadm token for joining nodes with 24h expiration (default)
  command: "{{ bin_dir }}/kubeadm token create"
  register: temp_token
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: kubeadm_token is not defined
  changed_when: false

- name: Set kubeadm_token to generated token
  set_fact:
    kubeadm_token: "{{ temp_token.stdout }}"
  when: kubeadm_token is not defined

- name: Set kubeadm api version to v1beta3
  set_fact:
    kubeadmConfig_api_version: v1beta3

- name: Get kubeconfig for join discovery process
  command: "{{ kubectl }} -n kube-public get cm cluster-info -o jsonpath='{.data.kubeconfig}'"
  register: kubeconfig_file_discovery
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  when: kubeadm_use_file_discovery

- name: Copy discovery kubeconfig
  copy:
    dest: "{{ kube_config_dir }}/cluster-info-discovery-kubeconfig.yaml"
    content: "{{ kubeconfig_file_discovery.stdout }}"
    owner: "root"
    mode: "0644"
  when:
    - ('kube_control_plane' not in group_names)
    - not kubelet_conf.stat.exists
    - kubeadm_use_file_discovery

- name: Create kubeadm client config
  template:
    src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2"
    dest: "{{ kube_config_dir }}/kubeadm-client.conf"
    backup: true
    mode: "0640"
  when: ('kube_control_plane' not in group_names)

- name: Join to cluster if needed
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}:/sbin"
  when:
    - ('kube_control_plane' not in group_names)
    - not kubelet_conf.stat.exists
  block:

    - name: Join to cluster
      command: >-
        timeout -k {{ kubeadm_join_timeout }} {{ kubeadm_join_timeout }}
        {{ bin_dir }}/kubeadm join
        --config {{ kube_config_dir }}/kubeadm-client.conf
        --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests
        --skip-phases={{ kubeadm_join_phases_skip | join(',') }}
      register: kubeadm_join
      changed_when: kubeadm_join is success

  rescue:

    - name: Join to cluster with ignores
      command: >-
        timeout -k {{ kubeadm_join_timeout }} {{ kubeadm_join_timeout }}
        {{ bin_dir }}/kubeadm join
        --config {{ kube_config_dir }}/kubeadm-client.conf
        --ignore-preflight-errors=all
        --skip-phases={{ kubeadm_join_phases_skip | join(',') }}
      register: kubeadm_join
      changed_when: kubeadm_join is success

  always:

    - name: Display kubeadm join stderr if any
      when: kubeadm_join is failed
      debug:
        msg: |
          Joined with warnings
          {{ kubeadm_join.stderr_lines }}

- name: Update server field in kubelet kubeconfig
  lineinfile:
    dest: "{{ kube_config_dir }}/kubelet.conf"
    regexp: 'server:'
    line: '    server: {{ kube_apiserver_endpoint }}'
    backup: true
  when:
    - kubeadm_config_api_fqdn is not defined
    - ('kube_control_plane' not in group_names)
    - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
  notify: Kubeadm | restart kubelet

- name: Update server field in kubelet kubeconfig - external lb
  lineinfile:
    dest: "{{ kube_config_dir }}/kubelet.conf"
    regexp: '^    server: https'
    line: '    server: {{ kube_apiserver_endpoint }}'
    backup: true
  when:
    - ('kube_control_plane' not in group_names)
    - loadbalancer_apiserver is defined
  notify: Kubeadm | restart kubelet

- name: Get current resourceVersion of kube-proxy configmap
  command: "{{ kubectl }} get configmap kube-proxy -n kube-system -o jsonpath='{.metadata.resourceVersion}'"
  register: original_configmap_resource_version
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  delegate_facts: false
  when:
    - kube_proxy_deployed
  tags:
    - kube-proxy

# FIXME(mattymo): Need to point to localhost, otherwise control plane nodes will all point
#                 incorrectly to first control plane node, creating SPoF.
- name: Update server field in kube-proxy kubeconfig
  shell: >-
    set -o pipefail && {{ kubectl }} get configmap kube-proxy -n kube-system -o yaml
    | sed 's#server:.*#server: https://127.0.0.1:{{ kube_apiserver_port }}#g'
    | {{ kubectl }} replace -f -
  args:
    executable: /bin/bash
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  delegate_facts: false
  when:
    - kubeadm_config_api_fqdn is not defined
    - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "")
    - kube_proxy_deployed
    - loadbalancer_apiserver_localhost
  tags:
    - kube-proxy

- name: Update server field in kube-proxy kubeconfig - external lb
  shell: >-
    set -o pipefail && {{ kubectl }} get configmap kube-proxy -n kube-system -o yaml
    | sed 's#server:.*#server: {{kube_apiserver_endpoint}}#g'
    | {{ kubectl }} replace -f -
  args:
    executable: /bin/bash
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  delegate_facts: false
  when:
    - kube_proxy_deployed
    - loadbalancer_apiserver is defined
  tags:
    - kube-proxy

- name: Get new resourceVersion of kube-proxy configmap
  command: "{{ kubectl }} get configmap kube-proxy -n kube-system -o jsonpath='{.metadata.resourceVersion}'"
  register: new_configmap_resource_version
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  delegate_facts: false
  when:
    - kube_proxy_deployed
  tags:
    - kube-proxy

- name: Set ca.crt file permission
  file:
    path: "{{ kube_cert_dir }}/ca.crt"
    owner: root
    group: root
    mode: "0644"

- name: Restart all kube-proxy pods to ensure that they load the new configmap
  command: "{{ kubectl }} delete pod -n kube-system -l k8s-app=kube-proxy --force --grace-period=0"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'] | first }}"
  delegate_facts: false
  when:
    - kubeadm_config_api_fqdn is not defined or loadbalancer_apiserver is defined
    - kubeadm_discovery_address != kube_apiserver_endpoint | replace("https://", "") or loadbalancer_apiserver is defined
    - kube_proxy_deployed
    - original_configmap_resource_version.stdout != new_configmap_resource_version.stdout
  tags:
    - kube-proxy

- name: Extract etcd certs from control plane if using etcd kubeadm mode
  include_tasks: kubeadm_etcd_node.yml
  when:
    - etcd_deployment_type == "kubeadm"
    - inventory_hostname not in groups['kube_control_plane']
    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
    - kube_network_plugin != "calico" or calico_datastore == "etcd"