From a233cda232070015dc70f32663af597857bb0fc2 Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Tue, 27 Aug 2024 11:49:37 +0200
Subject: [PATCH 1/2] Fix "renew certs" for newer Kubespray clusters

The command line interface of `kubeadm`' changed a bit:
- Used commands aren't *alpha* anymore
- `--apiserver-advertise-address` is gone for `kubeconfig user` (it works as expected without)
- `--config` is required for `kubeconfig user`
---
 ansible/kubernetes-renew-certs.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ansible/kubernetes-renew-certs.yml b/ansible/kubernetes-renew-certs.yml
index 41fb1d600..bcb824fdd 100644
--- a/ansible/kubernetes-renew-certs.yml
+++ b/ansible/kubernetes-renew-certs.yml
@@ -45,16 +45,16 @@
 ansible.builtin.shell: |
 set -eo pipefail
- kubeadm alpha certs renew apiserver-kubelet-client
- kubeadm alpha certs renew apiserver
- kubeadm alpha certs renew front-proxy-client
- kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
- kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
+ kubeadm certs renew apiserver-kubelet-client
+ kubeadm certs renew apiserver
+ kubeadm certs renew front-proxy-client
+ kubeadm kubeconfig user --client-name system:kube-controller-manager --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/controller-manager.conf
+ kubeadm kubeconfig user --client-name system:kube-scheduler --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/scheduler.conf
 # note: if apiserver_loadbalancer_domain_name is not defined it might be that you talk to the cps directly
 # in that case replace {{ apiserver_loadbalancer_domain_name }} with the public ip / domain of the cps
- kubeadm alpha kubeconfig user --client-name system:node:$(hostname) --org system:nodes --apiserver-advertise-address={{ apiserver_loadbalancer_domain_name }} > /etc/kubernetes/kubelet.conf
+ kubeadm kubeconfig user --client-name system:node:$(hostname) --org system:nodes --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/kubelet.conf
- kubeadm alpha kubeconfig user --client-name kubernetes-admin --org system:masters > /etc/kubernetes/admin.conf
+ kubeadm kubeconfig user --client-name kubernetes-admin --org system:masters --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/admin.conf
 - debug:
 var: command_output.stdout_lines
From 3d008dcb52c321899d6e1266e78e57fc820f0847 Mon Sep 17 00:00:00 2001
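Review bot: Each `kubeadm kubeconfig user … > /etc/kubernetes/*.conf` line lets the shell truncate the live kubeconfig before kubeadm has produced any output, so a failing call leaves an empty credential file behind when `set -e` aborts the script. The added `--config /etc/kubernetes/kubeadm-config.yaml` makes that failure path more reachable, since a node without that file would now stop after blanking `controller-manager.conf`. Writing to a temporary file in the same directory and renaming it only on success keeps the previous credentials in place on error; `mktemp` also creates the file readable by its owner only, which suits files that embed a client key. The owner and mode these files are expected to have are not visible here and should be confirmed, and the shell task begins above the hunk.

```yaml
# … unchanged: set -eo pipefail and the three `kubeadm certs renew` calls …
renew_kubeconfig() {
  # $1 = destination file; remaining arguments go to `kubeadm kubeconfig user`
  dest="$1"; shift
  tmp="$(mktemp "${dest}.XXXXXX")"
  kubeadm kubeconfig user --config /etc/kubernetes/kubeadm-config.yaml "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$dest"
}
renew_kubeconfig /etc/kubernetes/controller-manager.conf --client-name system:kube-controller-manager
renew_kubeconfig /etc/kubernetes/scheduler.conf --client-name system:kube-scheduler
# … unchanged: apiserver_loadbalancer_domain_name note …
renew_kubeconfig /etc/kubernetes/kubelet.conf --client-name system:node:$(hostname) --org system:nodes
renew_kubeconfig /etc/kubernetes/admin.conf --client-name kubernetes-admin --org system:masters
```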
From: =?UTF-8?q?Vedran=20Ivankovi=C4=87?= <33936733+Veki301@users.noreply.github.com>
Date: Fri, 4 Jul 2025 14:48:31 +0200
Subject: [PATCH 2/2] add a better description to playbook comment

---
 ansible/kubernetes-renew-certs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/kubernetes-renew-certs.yml b/ansible/kubernetes-renew-certs.yml
index bcb824fdd..949e17100 100644
--- a/ansible/kubernetes-renew-certs.yml
+++ b/ansible/kubernetes-renew-certs.yml
@@ -51,7 +51,7 @@
 kubeadm kubeconfig user --client-name system:kube-controller-manager --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/controller-manager.conf
 kubeadm kubeconfig user --client-name system:kube-scheduler --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/scheduler.conf
 # note: if apiserver_loadbalancer_domain_name is not defined it might be that you talk to the cps directly
- # in that case replace {{ apiserver_loadbalancer_domain_name }} with the public ip / domain of the cps
+ # in that case replace pass apiserver_loadbalancer_domain_name to ansible with `-e` flag and with the public ip / domain of the cps
 kubeadm kubeconfig user --client-name system:node:$(hostname) --org system:nodes --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/kubelet.conf
 kubeadm kubeconfig user --client-name kubernetes-admin --org system:masters --config /etc/kubernetes/kubeadm-config.yaml > /etc/kubernetes/admin.conf
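Review bot: The reworded comment reads as two half-sentences spliced together ("replace pass … and with the public ip"), and it still describes `apiserver_loadbalancer_domain_name`, which none of the commands visible in this hunk reference now that the `kubelet.conf` line takes its settings from `--config`. If the variable is still consumed elsewhere in the playbook, I would word the second line as `# in that case pass it to ansible with -e apiserver_loadbalancer_domain_name=<public ip / domain of the cps>`. If it is no longer consumed, both comment lines are stale and can be dropped so operators are not led to set a value that has no effect on the generated kubeconfigs. The shell block continues outside the hunk, so the remaining uses cannot be checked from here.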