Merge pull request #2256 from mlushpenko/fix-kubeadm-safe-upgrade

Fix safe upgrade
7 years ago · 60460c025c
6 changed files with 9 additions and 11 deletions
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@ -96,10 +96,6 @@ bin_dir: /usr/local/bin

 ## Uncomment to enable experimental kubeadm deployment mode
 #kubeadm_enabled: false
-#kubeadm_token_first: "{{ lookup('password', inventory_dir + '/credentials/kubeadm_token_first length=6  chars=ascii_lowercase,digits') }}"
-#kubeadm_token_second: "{{ lookup('password', inventory_dir + '/credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
-#kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
-#
 ## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@ -22,12 +22,20 @@
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

+- name: Create kubeadm token for joining nodes with 24h expiration (default)
+  command: "{{ bin_dir }}/kubeadm token create"
+  run_once: true
+  register: temp_token
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
 - name: Create kubeadm client config
  template:
    src: kubeadm-client.conf.j2
    dest: "{{ kube_config_dir }}/kubeadm-client.conf"
    backup: yes
  when: not is_kube_master
+  vars:
+    kubeadm_token: "{{ temp_token.stdout }}"
  register: kubeadm_client_conf

 - name: Join to cluster if needed
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@ -82,9 +82,6 @@ controller_mgr_custom_flags: []

 scheduler_custom_flags: []

-# kubeadm settings
-## Value of 0 means it never expires
-kubeadm_token_ttl: 0
 ## Extra args for k8s components passing by kubeadm
 kube_kubeadm_controller_extra_args: {}
 kube_kubeadm_scheduler_extra_args: {}
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@ -29,8 +29,6 @@ authorizationModes:
 {% for mode in authorization_modes %}
 - {{ mode }}
 {% endfor %}
-token: {{ kubeadm_token }}
-tokenTTL: "{{ kubeadm_token_ttl }}"
 selfHosted: false
 apiServerExtraArgs:
  bind-address: {{ kube_apiserver_bind_address }}
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -147,7 +147,6 @@ helm_deployment_type: host

 # Enable kubeadm deployment (experimental)
 kubeadm_enabled: false
-kubeadm_token: "abcdef.0123456789abcdef"

 # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
 kubeconfig_localhost: false
--- a/roles/upgrade/post-upgrade/tasks/main.yml
+++ b/roles/upgrade/post-upgrade/tasks/main.yml
@ -2,4 +2,4 @@
 - name: Uncordon node
  command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}"
  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: (needs_cordoning|default(false)) and ( {%- if inventory_hostname in groups['kube-node'] -%} true {%- else -%} false {%- endif -%} )
+  when: needs_cordoning|default(false)