From 3eefb5f2ad40df94158eb4ac4aad911759166c92 Mon Sep 17 00:00:00 2001
From: Hans Feldt <2808287+hafe@users.noreply.github.com>
Date: Wed, 21 Oct 2020 16:32:32 +0200
Subject: [PATCH] fix scaling in kubeadm etcd mode (#6822)

'ansible.vars.hostvars.HostVarsVars object' has no attribute 'kubeadm_upload_cert' kubeadm_upload_cert will never be found as a hostvar for the first master since the task is executed for a worker. Fix by executing the upload task for the first master and register the needed key. After that, workers can read hostvars for the master Var kubeadm_etcd_refresh_cert_key removed since it no longer has any use.
---
 roles/kubernetes/kubeadm/defaults/main.yml | 3 ---
 .../kubeadm/tasks/kubeadm_etcd_node.yml | 13 +------------
 scale.yml | 19 +++++++++++++++++++
 3 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/roles/kubernetes/kubeadm/defaults/main.yml b/roles/kubernetes/kubeadm/defaults/main.yml
index 9dc577edf..b6ff3fc7f 100644
--- a/roles/kubernetes/kubeadm/defaults/main.yml
+++ b/roles/kubernetes/kubeadm/defaults/main.yml
@@ -11,8 +11,5 @@ kube_override_hostname: >-
 {{ inventory_hostname }}
 {%- endif -%}

-# Requests a fresh upload of certificates from first master
-kubeadm_etcd_refresh_cert_key: true
-
 # Experimental kubeadm etcd deployment mode. Available only for new deployment
 etcd_kubeadm_enabled: false
diff --git a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
index 322a34a17..b5c0f2552 100644
--- a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
+++ b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
@@ -1,18 +1,7 @@
 ---
-- name: Refresh certificates so they are fresh and not expired
- command: >-
- {{ bin_dir }}/kubeadm init phase
- --config {{ kube_config_dir }}/kubeadm-config.yaml
- upload-certs
- --upload-certs
- register: kubeadm_upload_cert
- delegate_to: "{{ groups['kube-master'][0] }}"
- when: kubeadm_etcd_refresh_cert_key
- run_once: yes
-
 - name: Parse certificate key if not set
 set_fact:
- kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
+ kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_certificate_key'] }}"
 when: kubeadm_certificate_key is undefined

 - name: Pull control plane certs down
diff --git a/scale.yml b/scale.yml
index 510f0aa44..ab1522145 100644
--- a/scale.yml
+++ b/scale.yml
@@ -74,6 +74,25 @@
 - { role: kubernetes/node, tags: node }
 environment: "{{ proxy_env }}"

+- name: Upload control plane certs and retrieve encryption key
+ hosts: kube-master | first
+ tags: kubeadm
+ tasks:
+ - name: include needed vars
+ include_vars: roles/kubespray-defaults/defaults/main.yaml
+ - name: Upload control plane certificates
+ command: >-
+ {{ bin_dir }}/kubeadm init phase
+ --config {{ kube_config_dir }}/kubeadm-config.yaml
+ upload-certs
+ --upload-certs
+ register: kubeadm_upload_cert
+ changed_when: false
+ - name: set fact 'kubeadm_certificate_key' for later use
+ set_fact:
+ kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
+ when: kubeadm_certificate_key is not defined
+
 - name: Target only workers to get kubelet installed and checking in on any new nodes(network)
 hosts: kube-node
 gather_facts: False
--
GitLab
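Review bot: In roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml, the rewritten `Parse certificate key if not set` task reads `hostvars[groups['kube-master'][0]]['kubeadm_certificate_key']` without checking that the fact exists on the first master. Within this patch the fact is only set by the new play in scale.yml, so a run that skips that play (for example one limited to the new node, or another playbook that reaches this task file) would presumably fail with the same kind of undefined-attribute error the commit is fixing. I would put an `assert` in front of it with `that: hostvars[groups['kube-master'][0]]['kubeadm_certificate_key'] is defined` and a `fail_msg` telling the operator that the first master must be part of the run. The task file continues past the end of the hunk.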
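Review bot: In scale.yml, the `Upload control plane certificates` task registers the kubeadm certificate key as plain stdout and the following `set_fact` copies it into a fact, and neither task is marked `no_log: true`. That key decrypts the control-plane certificates and private keys that kubeadm stores in the `kubeadm-certs` Secret, so it should not end up in `-v` output, a configured Ansible log file or a CI/callback job log. Add `no_log: true` to both tasks; the `Parse certificate key if not set` task in kubeadm_etcd_node.yml handles the same value and would want it too. Separately, `stdout_lines[-1]` assumes the key is always the last line kubeadm prints, which deserves a comment such as `# kubeadm prints the certificate key as the last line of stdout`.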