From 71a323039fe1fe3e97a08aff5333ce2d4d73419d Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 28 Apr 2025 16:27:26 +0800
Subject: [PATCH] Fix: kubelet-csr-approver moves to regular application
 installation (#12141)

This commit fixed the process to ensure that CCM is installed first to
avoid the chicken-and-egg problem.

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 playbooks/cluster.yml               | 1 -
 roles/kubernetes-apps/meta/main.yml | 7 +++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/playbooks/cluster.yml b/playbooks/cluster.yml
index ca67a28d3..f7ebfcf84 100644
--- a/playbooks/cluster.yml
+++ b/playbooks/cluster.yml
@@ -50,7 +50,6 @@
     - { role: kubernetes/node-label, tags: node-label }
     - { role: kubernetes/node-taint, tags: node-taint }
     - { role: network_plugin, tags: network }
-    - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
 
 - name: Install Calico Route Reflector
   hosts: calico_rr
diff --git a/roles/kubernetes-apps/meta/main.yml b/roles/kubernetes-apps/meta/main.yml
index 01cf315f3..dedbacda6 100644
--- a/roles/kubernetes-apps/meta/main.yml
+++ b/roles/kubernetes-apps/meta/main.yml
@@ -104,6 +104,13 @@ dependencies:
     tags:
       - gateway_api
 
+  - role: kubernetes-apps/kubelet-csr-approver
+    when:
+      - kubelet_csr_approver_enabled
+      - inventory_hostname == groups['kube_control_plane'][0]
+    tags:
+      - kubelet-csr-approver
+
   - role: kubernetes-apps/metallb
     when:
       - metallb_enabled