Fix kubeadm upgrade node skipPhases with multiple CP nodes (#12367)

Add 1.32 conditional defaults Restore support for kubeadm upgrade node --skip-phases < 1.32, apply still needs to be restricted
2 months ago · 1e523a267c
3 changed files with 14 additions and 7 deletions
--- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml
@ -4,7 +4,7 @@

  # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file
  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
- name: Kubeadm | Upgrade first control plane node
+- name: Kubeadm | Upgrade first control plane node to {{ kube_version }}
  command: >-
    timeout -k 600s 600s
    {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }}
@ -27,8 +27,8 @@
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"

-  # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases
- name: Kubeadm | Upgrade other control plane nodes
+# TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node
+- name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }}
  command: >-
    {{ bin_dir }}/kubeadm upgrade node
    {%- if kubeadm_config_api_version == 'v1beta3' %}
@ -39,9 +39,7 @@
    {%- else %}
    --config={{ kube_config_dir }}/kubeadm-config.yaml
    {%- endif %}
-    {%- if kube_version is version('1.32.0', '>=') %}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {%- endif %}
+    --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}
  register: kubeadm_upgrade
  when: inventory_hostname != first_kube_control_plane
  failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@ -491,7 +491,7 @@ node:
 {% endif %}
  imagePullPolicy: {{ k8s_image_pull_policy }}
  imagePullSerial: {{ kubeadm_image_pull_serial | lower }}
-{% for skip_phase in kubeadm_init_phases_skip %}
+{% for skip_phase in kubeadm_upgrade_node_phases_skip %}
 {% if loop.first %}
  skipPhases:
 {% endif %}
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@ -66,6 +66,15 @@ kubeadm_join_phases_skip_default: []
 kubeadm_join_phases_skip: >-
 {{ kubeadm_join_phases_skip_default }}

+# List of kubeadm upgrade node phases that should be skipped when upgrading a secondary control plane node (supports different phases than kubeadm init and kubeadm upgrade apply)
+kubeadm_upgrade_node_phases_skip_default: []
+kubeadm_upgrade_node_phases_skip: >-
+  {%- if kube_version is version('1.32.0', '>=') -%}
+  {{ kubeadm_upgrade_node_phases_skip_default + kubeadm_init_phases_skip }}
+  {%- else -%}
+  {{ kubeadm_upgrade_node_phases_skip_default }}
+  {%- endif -%}
+
 # Set to true to remove the role binding to anonymous users created by kubeadm
 remove_anonymous_access: false