Preserve kube-apiserver manifest params during upgrade-activate

This change a6a5349d02 (k8s-1.22.5: remove feature-gates) adds a script that is run during upgrade activate. The script modifies kubeadm cluster config and eventually updates kube-apiserver manifest to remove deprecated features-gates in k8s 1.22. As 'kubeadm init phase' is rerun in the script, it updates the kube-apiserver manifest to be in sync with the kubeadm cluster config. In that process, it nullifies the effect of these two commits, 04a1c1b080 (Rework advertise address in apiserver-change-param) and 52ace69c83 (Amend kube-apiserver 1.23 configuration to use PSP) This change adds a function to the script that preserves the effect of above listed commits. Test Plan: On CentOS AIO-SX PASS: Upgrade Successful. Check if advertise address in kube-apiserver manifest before and after running upgrade-activate is same. Ensure that the seccomp profile configuration is removed after upgrade-activate. Kube-apiserver is running and cluster is accessible after the upgrade. PASS: No Shellcheck errors Closes-Bug: 1986854 Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com> Change-Id: Ib97e14bc5b4ed208e65e16888e1380a3bd9fdb8f
2022-08-17 15:04:36 -04:00 · 2022-08-17 15:04:36 -04:00 · 73632416b3
commit 73632416b3
parent 9195c75b7c
1 changed files with 61 additions and 7 deletions
--- a/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh
+++ b/kubernetes/kubernetes-1.22.5/centos/files/update-k8s-feature-gates.sh
@ -16,8 +16,17 @@
 # SCTPSupport blocks kube-apiserver pod to spawn after control-plane upgrade
 # TTLAfterFinished value defaults to true from k8s 1.21
 #
+# The script also preserves the advertise-address in kube-apiserver
+# manifest that gets overwritten as kubeadm init is run again in this script.
+# In other words, it maintains the effect of this commit
+# https://opendev.org/starlingx/stx-puppet/commit/04a1c1b0809f66488bd54e3f31d323430e7d9913
+#
+# Similarly, it removes the seccomp profiles configuration from the
+# kube-apiserver manifest file to maintain the effect of this commit,
+# https://opendev.org/starlingx/stx-puppet/commit/52ace69c837acc7e3aff8a2d584968297afd70fe

 KUBEADM_CONFIGMAP_TMPFILE='/tmp/kubeadm_cm'
+API_SERVER_MANIFEST='/etc/kubernetes/manifests/kube-apiserver.yaml'

 rc_controller_manager=0
 rc_apiserver=0
@ -36,7 +45,7 @@ function get_kubeadm_configmap {
        kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system get \
            configmap kubeadm-config -o "$1" > ${KUBEADM_CONFIGMAP_TMPFILE}
        RC=$?
-        if [ 0 == ${RC} ] ; then
+        if [ ${RC} == 0 ] ; then
            log "Kubeadm configmap retrieved."
            break
        fi
@ -63,7 +72,7 @@ function update_kubeadm_configmap {
    's/^\( *\)feature-gates:\s.*RemoveSelfLink=false/\1feature-gates: RemoveSelfLink=false/g' \
    ${KUBEADM_CONFIGMAP_TMPFILE}
    rc_apiserver=$?
-    if [ 0 == ${rc_apiserver} ]; then
+    if [ ${rc_apiserver} == 0 ]; then
        log "Successfully updated kube-apiserver feature-gates in retrieved kubeadm-config"
    else
        log "Failed to update kube-apiserver feature-gates in retrieved kubeadm-config with error code: [${rc_apiserver}]"
@ -73,7 +82,7 @@ function update_kubeadm_configmap {
    sed -i \
    '/feature-gates: TTLAfterFinished=true/d' ${KUBEADM_CONFIGMAP_TMPFILE}
    rc_controller_manager=$?
-    if [ 0 == ${rc_controller_manager} ]; then
+    if [ ${rc_controller_manager} == 0 ]; then
        log "Successfully updated controller-manager feature-gates in retrieved kubeadm-config"
    else
        # we need not gracefully exit here as failing to update this does not
@ -105,11 +114,11 @@ function update_manifests {
    get_kubeadm_configmap jsonpath='{.data.ClusterConfiguration}'

    # Rewrite apiserver manifest only if it is updated in the configmap
-    if [ 0 == ${rc_apiserver} ]; then
+    if [ ${rc_apiserver} == 0 ]; then
        kubeadm init phase control-plane apiserver \
            --config ${KUBEADM_CONFIGMAP_TMPFILE}
        RC=$?
-        if [ 0 == ${RC} ]; then
+        if [ ${RC} == 0 ]; then
            log "Success executing kubeadm init phase control-plane for kube-api-server"
        else
            log "Failed to update kube-api-server manifest with error code: [${RC}]"
@ -119,11 +128,11 @@ function update_manifests {
    fi

    # Rewrite controller-manager manifest only if it is updated in the configmap
-    if [ 0 == ${rc_controller_manager} ]; then
+    if [ ${rc_controller_manager} == 0 ]; then
        kubeadm init phase control-plane controller-manager \
            --config ${KUBEADM_CONFIGMAP_TMPFILE}
        RC=$?
-        if [ 0 == ${RC} ]; then
+        if [ ${RC} == 0 ]; then
            log "Success executing kubeadm init phase control-plane for kube-controller-manager"
        else
            log "Failed to update kube-controller-manager manifest with error code: [${RC}]"
@ -134,8 +143,53 @@ function update_manifests {

 }

+function preserve_apiserver_manifest_params {
+
+    # The following code preserves the kube-apiserver advertise address that gets overwitten
+    # after kubeadm init phase is run in order to preserve the effect of:
+    # https://opendev.org/starlingx/stx-puppet/commit/04a1c1b0809f66488bd54e3f31d323430e7d9913
+    DEFAULT_NETWORK_INTERFACE=$(grep 'advertise-address=' ${API_SERVER_MANIFEST}  | cut -d "=" -f2)
+    RC=$?
+    if [ ${RC} == 0 ]; then
+        log "advertise-address: ${DEFAULT_NETWORK_INTERFACE}"
+    else
+        log "Failed to get advertise address from kube-apiserver manifest. Error code: [${RC}]"
+    fi
+
+    if [ "${DEFAULT_NETWORK_INTERFACE}" ] && [ "${APISERVER_ADVERTISE_ADDRESS}" ]; then
+        sed -i "/oidc-issuer-url/! s/${DEFAULT_NETWORK_INTERFACE}/${APISERVER_ADVERTISE_ADDRESS}/g" ${API_SERVER_MANIFEST}
+        RC=$?
+        if [ ${RC} == 0 ]; then
+            log "Advertise address [${DEFAULT_NETWORK_INTERFACE}] is replaced by [${APISERVER_ADVERTISE_ADDRESS}] in kube-apiserver manifest."
+        else
+            log "Failed to preserve advertise address in kube-apiserver manifest. Error code: [${RC}]"
+        fi
+    fi
+
+    # The following code removes seccomp profiles configuration from the kube-apiserver manifest
+    # to preserve the effect of:
+    # https://opendev.org/starlingx/stx-puppet/commit/52ace69c837acc7e3aff8a2d584968297afd70fe
+    sed -i '/securityContext:/,/type: RuntimeDefault/d' ${API_SERVER_MANIFEST}
+    RC=$?
+    if [ ${RC} == 0 ]; then
+        log "Seccomp Profile configuration removed from the kube-apiserver manifest if existed."
+    else
+        log "Failed to remove Seccomp Profile configuration from the kube-apiserver manifest. Error code: [${RC}]"
+    fi
+
+}
+
+APISERVER_ADVERTISE_ADDRESS=$(grep 'advertise-address=' ${API_SERVER_MANIFEST} | cut -d "=" -f2)
+RC=$?
+if [ ${RC} == 0 ]; then
+    log "advertise-address: ${APISERVER_ADVERTISE_ADDRESS}"
+else
+    log "Failed to get advertise address from kube-apiserver manifest. Error code: [${RC}]"
+fi
+
 update_kubeadm_configmap
 update_manifests
+preserve_apiserver_manifest_params

 rm -f ${KUBEADM_CONFIGMAP_TMPFILE}