We currently **recursively** set the permissions of /etc/ssl/etcd/ssl
(default path) to 700. But this removes group permission from the files
under it, and certain components (like calico with etcd datastore) rely
on it; thus, the upgrade of a cluster can fail because the
calico-kube-controller can't access the certs, and thus the etcd.
This works in other cases because, as far as I can tell, the apiserver
which does access the etcd runs as root (the owner of the files, not just
the "group owner").
We also for some reason do this twice.
Only create the etcd cert directory with the correct permissions once,
not recursively.
The config.json.j2 template was generating invalid JSON when multiple
crio_registry_auth entries were defined, resulting in multiple top-level
"auths" objects being rendered, e.g.:
    {
      "auths": { "registry1": { "auth": "xxxx" } },
      "auths": { "registry2": { "auth": "yyyy" } }
    }
This change moves the loop inside the "auths" object so that all registries
are rendered as siblings under a single "auths" key, producing valid JSON:
    {
      "auths": {
        "registry1": { "auth": "xxxx" },
        "registry2": { "auth": "yyyy" }
      }
    }
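
A check for the duplicate-key output described above, as an added example that is not part of the commit or of the project's code. Python's default `json.loads` accepts the repeated "auths" key and keeps only the last one, so a plain parse check would pass while the registry1 credentials are dropped; the strict loader rejects it. The `entries` list with `registry`/`auth` fields is an assumed stand-in for `crio_registry_auth`.

```python
import json

# Constructed sample: the shape of the broken render quoted in the commit message.
BROKEN = '''{
  "auths": { "registry1": { "auth": "xxxx" } },
  "auths": { "registry2": { "auth": "yyyy" } }
}'''


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives each object's (key, value) pairs in document order.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def load_strict(text):
    """Parse JSON, failing on duplicate keys instead of keeping the last one."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def lenient_registries(text):
    """Registries that survive a last-key-wins parse (json.loads default)."""
    return sorted(json.loads(text)["auths"])


def render_auths(entries):
    """Render all registries as siblings under a single "auths" key.

    `entries` is a hypothetical list of {"registry": ..., "auth": ...} dicts;
    the real variable's field names may differ.
    """
    auths = {}
    for entry in entries:
        if entry["registry"] in auths:
            raise DuplicateKeyError(f"registry {entry['registry']!r} defined twice")
        auths[entry["registry"]] = {"auth": entry["auth"]}
    return json.dumps({"auths": auths}, indent=2)
```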
Since we're no longer injecting pseudo DNS into /etc/hosts,
'lb-apiserver.kubernetes.local' (the previous default) won't resolve to
anything.
Instead, default to the loadbalancer IP if defined, or to the node local
loadbalancer if it's in use.
Make the necessary adjustments in use sites to deal with IP addresses as
well as hostnames.
This pollutes ansible-lint output and forces us to scroll to check what
the actual issues are.
The spacing issues are minor and very opinionated, so it's no great
loss.
* Updated the job name to elastx_ubuntu24 and ci matrix and test file
Signed-off-by: sivaram <singana.sivaram.naidu@ibm.com>
* remove unused OVH CI tf file (tf-ovh_ubuntu20-calico.yml)
Signed-off-by: sivaram <singana.sivaram.naidu@ibm.com>
* remove ubuntu20 for pre-commit fix
Signed-off-by: sivaram <singana.sivaram.naidu@ibm.com>
---------
Signed-off-by: sivaram <singana.sivaram.naidu@ibm.com>
Only set `discard_unpacked_layers` in the CRI image config for containerd
versions earlier than 2.1.0.
Starting with containerd v2.1, the CRI plugin uses the Transfer Service for
image pulls by default. The `discard_unpacked_layers` option is incompatible
with the Transfer Service and triggers containerd to fall back to local
image pulls, logging a warning.
This change prevents unsupported configuration from being applied on newer
containerd versions, avoiding runtime warnings and ensuring default image
pull behavior.
Signed-off-by: Ali Afsharzadeh <afsharzadeh8@gmail.com>
- invoke setup module only once to gather ipv4 and ipv6 addresses
- eliminate remaining use of `fallback_ip` and `fallback_ip6`, allowing
  us to define (with `set_fact`) all the "computed" IP variables in one
  go, since there is no longer a dependency between them.
* Bump molecule to 25.12.0
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
* Fixed ansible role not found in molecule after 25.2.0
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---------
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Signed-off-by: ChengHao Yang