kubeadm_patches: remove old patches on inventory change (#13022)

Currently, if changing the inventory variable `kubeadm_patches`, new patches will be created, but the existing ones will also be left on the filesystem, and applied by kubeadm ; this means that removed or changed configuration can linger. Cleanup old patches (which are the difference between existing patches on filesystem and the one created for the current runs). Co-authored-by: Max Gautier <mg@max.gautier.name>
2026-02-18 03:30:07 -03:30 · 2026-02-17 00:57:04 -08:00
parent 8d1174b26d
commit 00429b3d49
1 changed files with 21 additions and 1 deletions
--- a/roles/kubernetes/kubeadm_common/tasks/main.yml
+++ b/roles/kubernetes/kubeadm_common/tasks/main.yml
@@ -3,9 +3,19 @@
  file:
    path: "{{ kubeadm_patches_dir }}"
    state: directory
-    mode: "0640"
+    mode: "0750"
  when: kubeadm_patches | length > 0

+- name: Kubeadm | List existing kubeadm patches
+  find:
+    paths:
+      - "{{ kubeadm_patches_dir }}"
+    file_type: file
+    use_regex: true
+    patterns:
+      - '^(kube-apiserver|kube-controller-manager|kube-scheduler|etcd|kubeletconfiguration)[0-9]+\+(strategic|json|merge).yaml$'
+  register: existing_kubeadm_patches
+
 - name: Kubeadm | Copy kubeadm patches from inventory files
  copy:
    content: "{{ item.patch | to_yaml }}"
@@ -15,3 +25,13 @@
  loop: "{{ kubeadm_patches }}"
  loop_control:
    index_var: suffix
+  register: current_kubeadm_patches
+
+- name: Kubeadm | Delete old patches
+  loop: "{{ existing_kubeadm_patches.files | map(attribute='path') |
+            difference(
+            current_kubeadm_patches.results | map(attribute='dest')
+            ) }}"
+  file:
+    state: absent
+    path: "{{ item }}"