What happened?
Hi, I've deployed a k8s cluster using the collection, and after running it once more I've noticed that the etcd certificates are regenerated on every playbook run. I've changed the value of force_etcd_cert_refresh to false, but nothing changed, and the following tasks weren't skipped:
```yaml
- name: "Check_certs | Set 'gen_certs' to true if expected certificates are not on the first etcd node(1/2)"
  set_fact:
    gen_certs: true
  when: force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list
  run_once: true
  with_items: "{{ expected_files }}"
  vars:
    expected_files: >-
      ['{{ etcd_cert_dir }}/ca.pem',
      {% set etcd_members = groups['etcd'] %}
      {% for host in etcd_members %}
      '{{ etcd_cert_dir }}/admin-{{ host }}.pem',
      '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
      '{{ etcd_cert_dir }}/member-{{ host }}.pem',
      '{{ etcd_cert_dir }}/member-{{ host }}-key.pem',
      {% endfor %}
      {% set k8s_nodes = groups['kube_control_plane'] %}
      {% for host in k8s_nodes %}
      '{{ etcd_cert_dir }}/node-{{ host }}.pem',
      '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
      {% if not loop.last %}{{ ',' }}{% endif %}
      {% endfor %}]

- name: "Check_certs | Set 'gen_certs' to true if expected certificates are not on the first etcd node(2/2)"
  set_fact:
    gen_certs: true
  run_once: true
  with_items: "{{ expected_files }}"
  vars:
    expected_files: >-
      ['{{ etcd_cert_dir }}/ca.pem',
      {% set etcd_members = groups['etcd'] %}
      {% for host in etcd_members %}
      '{{ etcd_cert_dir }}/admin-{{ host }}.pem',
      '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
      '{{ etcd_cert_dir }}/member-{{ host }}.pem',
      '{{ etcd_cert_dir }}/member-{{ host }}-key.pem',
      {% endfor %}
      {% set k8s_nodes = groups['k8s_cluster'] | unique | sort %}
      {% for host in k8s_nodes %}
      '{{ etcd_cert_dir }}/node-{{ host }}.pem',
      '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
      {% if not loop.last %}{{ ',' }}{% endif %}
      {% endfor %}]
  when:
    - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
    - kube_network_plugin != "calico" or calico_datastore == "etcd"
    - force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list
```
I've fixed it by changing `force_etcd_cert_refresh` to `force_etcd_cert_refresh | bool`, and then these tasks were skipped.
What did you expect to happen?
The tasks that were responsible for setting gen_certs to true are skipped
How can we reproduce it (as minimally and precisely as possible)?
Run the cluster playbook on existing cluster with -e force_etcd_cert_refresh=false.
OS
Linux 6.8.0-51-generic x86_64
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Version of Ansible
ansible [core 2.16.14]
Version of Python
Python 3.12.3
Version of Kubespray (commit)
1567e8e
Network plugin used
cilium
Full inventory with variables
```yaml
etcd_data_dir: /var/lib/etcd
etcd_kubeadm_enabled: false
bin_dir: /usr/local/bin
loadbalancer_apiserver_localhost: false
loadbalancer_apiserver_port: 6443
loadbalancer_apiserver_healthcheck_port: 8081
cloud_provider: external
external_cloud_provider: openstack
no_proxy_exclude_workers: false
cert_management: script
force_etcd_cert_refresh: false
kube_config_dir: /etc/kubernetes
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
kube_cert_dir: "{{ kube_config_dir }}/ssl"
kube_token_dir: "{{ kube_config_dir }}/tokens"
kube_api_anonymous_auth: true
kube_version: v1.29
local_release_dir: "/tmp/releases"
retry_stagger: 5
kube_owner: root
kube_cert_group: kube-cert
kube_log_level: 2
credentials_dir: "{{ inventory_dir }}/credentials"
kube_network_plugin: cilium
kube_network_plugin_multus: false
kube_service_addresses: 10.233.0.0/18
kube_pods_subnet: 10.233.64.0/18
kube_network_node_prefix: 24
enable_dual_stack_networks: false
kube_service_addresses_ipv6: fd85:ee78:d8a6:8607::1000/116
kube_pods_subnet_ipv6: fd85:ee78:d8a6:8607::1:0000/112
kube_network_node_prefix_ipv6: 120
kube_apiserver_ip: "{{ kube_service_addresses | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
kube_apiserver_port: 6443
kube_proxy_mode: ipvs
kube_proxy_strict_arp: false
kube_proxy_nodeport_addresses: >-
  {%- if kube_proxy_nodeport_addresses_cidr is defined -%}
  [{{ kube_proxy_nodeport_addresses_cidr }}]
  {%- else -%}
  []
  {%- endif -%}
kube_encrypt_secret_data: false
cluster_name: cluster
ndots: 2
dns_mode: coredns
enable_nodelocaldns: true
enable_nodelocaldns_secondary: false
nodelocaldns_ip: 169.254.25.10
nodelocaldns_health_port: 9254
nodelocaldns_second_health_port: 9256
nodelocaldns_bind_metrics_host_ip: false
nodelocaldns_secondary_skew_seconds: 5
enable_coredns_k8s_external: false
coredns_k8s_external_zone: k8s_external.local
enable_coredns_k8s_endpoint_pod_names: false
resolvconf_mode: none
deploy_netchecker: false
skydns_server: "{{ kube_service_addresses | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(3) | ansible.utils.ipaddr('address') }}"
skydns_server_secondary: "{{ kube_service_addresses | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(4) | ansible.utils.ipaddr('address') }}"
dns_domain: "{{ cluster_name }}"
container_manager: containerd
kata_containers_enabled: false
kubeadm_certificate_key: "{{ lookup('password', credentials_dir + '/kubeadm_certificate_key.creds length=64 chars=hexdigits') | lower }}"
k8s_image_pull_policy: IfNotPresent
kubernetes_audit: false
default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
volume_cross_zone_attachment: false
persistent_volumes_enabled: false
event_ttl_duration: "1h0m0s"
auto_renew_certificates: false
remove_anonymous_access: false
```
Command used to invoke ansible
```shell
ansible-playbook -i ./inventory/inventory.ini -u k8s-user -b --diff -e ansible_os_family=Debian --private-key=~/.ssh/cluster.rsa playbooks/kubespray.yaml -e force_etcd_cert_refresh=false
```
Output of ansible run
task path: /Users/jsobczak/Documents/Projects/gitlab.cloudferro.com/devops/devops-infra/staging/waw3-1-kubespray-01-staging/ansible/collections/ansible_collections/kubernetes_sigs/kubespray/roles/etcd/tasks/check_certs.yml:42
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/ca.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/ca.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-1.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-1.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-1-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-1-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-1.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-1.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-1-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-1-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-2.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-2.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-2-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-2-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-2.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-2.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-2-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-2-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-3.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-3.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-3-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/admin-waw3-1-kubespray-01-staging-master-3-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-3.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-3.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-3-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/member-waw3-1-kubespray-01-staging-master-3-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-1.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-1.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-1-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-1-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-2.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-2.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-2-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-2-key.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-3.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-3.pem"}
ok: [waw3-1-kubespray-01-staging-master-1] => (item=/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-3-key.pem) => {"ansible_facts": {"gen_certs": true}, "ansible_loop_var": "item", "changed": false, "item": "/etc/ssl/etcd/ssl/node-waw3-1-kubespray-01-staging-master-3-key.pem"}
Anything else we need to know
No response
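The root cause reported above is an Ansible truthiness trap: a value passed as `-e key=value` arrives as the string `"false"`, extra vars take precedence over the inventory's real boolean, and a Jinja2 `when:` treats any non-empty string as true, so `force_etcd_cert_refresh or ...` never skips the task until the value is run through `| bool`. The following Python block is an added example, not Kubespray's or Ansible's code; it models those two behaviours in plain Python (a simplified `-e` loader that only understands JSON for the brace form, and an approximation of the `bool` filter) and evaluates the original and the fixed condition against a constructed list of certificate files. The function and variable names, the sample paths and the hostname `node1` are all constructed for the example.

```python
"""Model of why `-e force_etcd_cert_refresh=false` does not skip the task.

Added example (not Kubespray's or Ansible's code). It re-implements, in plain
Python, the two pieces of Ansible behaviour the issue hinges on:

  * extra vars given as `-e key=value` arrive as strings, while `-e '{...}'`
    is parsed and yields real booleans;
  * a Jinja2 `when:` evaluates a non-empty string such as "false" as truthy,
    and only the `bool` filter turns it into a real boolean.
"""
import json

def load_extra_vars(opts):
    """Simplified model of how ansible-playbook merges its -e arguments.

    Values starting with '{' or '[' are parsed (assumption: JSON only here;
    Ansible also accepts YAML); plain key=value pairs become string values.
    """
    merged = {}
    for opt in opts:
        opt = opt.strip()
        if opt.startswith(("{", "[")):
            merged.update(json.loads(opt))
        else:
            for pair in opt.split():
                key, _, value = pair.partition("=")
                merged[key] = value  # always a str, even "false"
    return merged

TRUE_WORDS = {"yes", "on", "1", "true"}
FALSE_WORDS = {"no", "off", "0", "false"}

def to_bool(value):
    """Approximation of Ansible's `| bool` filter (documented accepted words only)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in TRUE_WORDS:
            return True
        if lowered in FALSE_WORDS:
            return False
    raise ValueError(f"not a recognised boolean: {value!r}")

def gen_certs_raw(force_refresh, item, present):
    """The original `when:` as written in check_certs.yml: plain truthiness."""
    return bool(force_refresh or item not in present)

def gen_certs_fixed(force_refresh, item, present):
    """The same condition with `force_etcd_cert_refresh | bool` applied."""
    return to_bool(force_refresh) or item not in present

CERT_DIR = "/etc/ssl/etcd/ssl"
# Constructed sample: every expected file already exists on the first etcd
# node, so only the refresh flag should be able to set gen_certs.
PRESENT = [
    f"{CERT_DIR}/ca.pem",
    f"{CERT_DIR}/member-node1.pem",
    f"{CERT_DIR}/member-node1-key.pem",
]

def evaluate(extra_var_opts, condition):
    """True if the task would run for at least one expected file."""
    extra = load_extra_vars(extra_var_opts)
    force = extra["force_etcd_cert_refresh"]
    return any(condition(force, item, PRESENT) for item in PRESENT)

if __name__ == "__main__":
    kv = ["force_etcd_cert_refresh=false"]          # what the issue's command passes
    js = ['{"force_etcd_cert_refresh": false}']     # JSON form keeps the boolean
    print("raw condition,   -e key=value :", evaluate(kv, gen_certs_raw))    # True: certs regenerated
    print("fixed condition, -e key=value :", evaluate(kv, gen_certs_fixed))  # False: task skipped
    print("raw condition,   -e JSON      :", evaluate(js, gen_certs_raw))    # False: task skipped
```

Two takeaways for anyone hitting the same regeneration loop before the `| bool` fix lands: either pass the override as JSON (`-e '{"force_etcd_cert_refresh": false}'`) so it stays a boolean, or drop the `-e` entirely and rely on the inventory value, which is already a real `false` and is only shadowed because extra vars win the precedence order. Regenerating etcd certificates on every run is not just noise; every run rotates the CA-signed member and admin keys, which is exactly the kind of unintended churn that should be gated behind an explicit, correctly typed flag.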