diff --git a/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh b/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh index 590797612..df2b9007f 100644 --- a/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh +++ b/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh @@ -16,8 +16,17 @@ # SCTPSupport blocks kube-apiserver pod to spawn after control-plane upgrade # TTLAfterFinished value defaults to true from k8s 1.21 # +# The script also preserves the advertise-address in kube-apiserver +# manifest that gets overwritten as kubeadm init is run again in this script. +# In other words, it maintains the effect of this commit +# https://opendev.org/starlingx/stx-puppet/commit/04a1c1b0809f66488bd54e3f31d323430e7d9913 +# +# Similarly, it removes the seccomp profiles configuration from the +# kube-apiserver manifest file to maintain the effect of this commit, +# https://opendev.org/starlingx/stx-puppet/commit/52ace69c837acc7e3aff8a2d584968297afd70fe KUBEADM_CONFIGMAP_TMPFILE='/tmp/kubeadm_cm' +API_SERVER_MANIFEST='/etc/kubernetes/manifests/kube-apiserver.yaml' rc_controller_manager=0 rc_apiserver=0 @@ -36,7 +45,7 @@ function get_kubeadm_configmap { kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system get \ configmap kubeadm-config -o "$1" > ${KUBEADM_CONFIGMAP_TMPFILE} RC=$? - if [ 0 == ${RC} ] ; then + if [ ${RC} == 0 ] ; then log "Kubeadm configmap retrieved." break fi @@ -63,7 +72,7 @@ function update_kubeadm_configmap { 's/^\( *\)feature-gates:\s.*RemoveSelfLink=false/\1feature-gates: RemoveSelfLink=false/g' \ ${KUBEADM_CONFIGMAP_TMPFILE} rc_apiserver=$? - if [ 0 == ${rc_apiserver} ]; then + if [ ${rc_apiserver} == 0 ]; then log "Successfully updated kube-apiserver feature-gates in retrieved kubeadm-config" else log "Failed to update kube-apiserver feature-gates in retrieved kubeadm-config with error code: [${rc_apiserver}]" @@ -73,7 +82,7 @@ function update_kubeadm_configmap { sed -i \ '/feature-gates: TTLAfterFinished=true/d' ${KUBEADM_CONFIGMAP_TMPFILE} rc_controller_manager=$? - if [ 0 == ${rc_controller_manager} ]; then + if [ ${rc_controller_manager} == 0 ]; then log "Successfully updated controller-manager feature-gates in retrieved kubeadm-config" else # we need not gracefully exit here as failing to update this does not @@ -105,11 +114,11 @@ function update_manifests { get_kubeadm_configmap jsonpath='{.data.ClusterConfiguration}' # Rewrite apiserver manifest only if it is updated in the configmap - if [ 0 == ${rc_apiserver} ]; then + if [ ${rc_apiserver} == 0 ]; then kubeadm init phase control-plane apiserver \ --config ${KUBEADM_CONFIGMAP_TMPFILE} RC=$? - if [ 0 == ${RC} ]; then + if [ ${RC} == 0 ]; then log "Success executing kubeadm init phase control-plane for kube-api-server" else log "Failed to update kube-api-server manifest with error code: [${RC}]" @@ -119,11 +128,11 @@ function update_manifests { fi # Rewrite controller-manager manifest only if it is updated in the configmap - if [ 0 == ${rc_controller_manager} ]; then + if [ ${rc_controller_manager} == 0 ]; then kubeadm init phase control-plane controller-manager \ --config ${KUBEADM_CONFIGMAP_TMPFILE} RC=$? - if [ 0 == ${RC} ]; then + if [ ${RC} == 0 ]; then log "Success executing kubeadm init phase control-plane for kube-controller-manager" else log "Failed to update kube-controller-manager manifest with error code: [${RC}]" @@ -134,8 +143,53 @@ function update_manifests { } +function preserve_apiserver_manifest_params { + + # The following code preserves the kube-apiserver advertise address that gets overwitten + # after kubeadm init phase is run in order to preserve the effect of: + # https://opendev.org/starlingx/stx-puppet/commit/04a1c1b0809f66488bd54e3f31d323430e7d9913 + DEFAULT_NETWORK_INTERFACE=$(grep 'advertise-address=' ${API_SERVER_MANIFEST} | cut -d "=" -f2) + RC=$? + if [ ${RC} == 0 ]; then + log "advertise-address: ${DEFAULT_NETWORK_INTERFACE}" + else + log "Failed to get advertise address from kube-apiserver manifest. Error code: [${RC}]" + fi + + if [ "${DEFAULT_NETWORK_INTERFACE}" ] && [ "${APISERVER_ADVERTISE_ADDRESS}" ]; then + sed -i "/oidc-issuer-url/! s/${DEFAULT_NETWORK_INTERFACE}/${APISERVER_ADVERTISE_ADDRESS}/g" ${API_SERVER_MANIFEST} + RC=$? + if [ ${RC} == 0 ]; then + log "Advertise address [${DEFAULT_NETWORK_INTERFACE}] is replaced by [${APISERVER_ADVERTISE_ADDRESS}] in kube-apiserver manifest." + else + log "Failed to preserve advertise address in kube-apiserver manifest. Error code: [${RC}]" + fi + fi + + # The following code removes seccomp profiles configuration from the kube-apiserver manifest + # to preserve the effect of: + # https://opendev.org/starlingx/stx-puppet/commit/52ace69c837acc7e3aff8a2d584968297afd70fe + sed -i '/securityContext:/,/type: RuntimeDefault/d' ${API_SERVER_MANIFEST} + RC=$? + if [ ${RC} == 0 ]; then + log "Seccomp Profile configuration removed from the kube-apiserver manifest if existed." + else + log "Failed to remove Seccomp Profile configuration from the kube-apiserver manifest. Error code: [${RC}]" + fi + +} + +APISERVER_ADVERTISE_ADDRESS=$(grep 'advertise-address=' ${API_SERVER_MANIFEST} | cut -d "=" -f2) +RC=$? +if [ ${RC} == 0 ]; then + log "advertise-address: ${APISERVER_ADVERTISE_ADDRESS}" +else + log "Failed to get advertise address from kube-apiserver manifest. Error code: [${RC}]" +fi + update_kubeadm_configmap update_manifests +preserve_apiserver_manifest_params rm -f ${KUBEADM_CONFIGMAP_TMPFILE}