Remove the ci-ok-to-test: feature is now included in failfast-ci

Split retry task of 'kubeadm init' to show the failure log of
the first execution.

.gitlab-ci.yml

@@ -59,33 +59,6 @@ before_script:
     - pre-commit            # lint
     - vagrant-validate      # lint
 
-# For failfast, at least 1 job must be defined in .gitlab-ci.yml
-# Premoderated with manual actions
-ci-not-authorized:
-  stage: build
-  before_script: []
-  after_script: []
-  rules:
-    # LGTM or ok-to-test labels
-    - if: $PR_LABELS =~ /.*,(lgtm|approved|ok-to-test).*|^(lgtm|approved|ok-to-test).*/i
-      variables:
-        CI_OK_TO_TEST: '0'
-      when: always
-    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - if: $CI_COMMIT_BRANCH == "master"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - when: always
-      variables:
-        CI_OK_TO_TEST: '1'
-  script:
-    - exit $CI_OK_TO_TEST
-  tags:
-    - ffci
-  needs: []
-
 include:
   - .gitlab-ci/build.yml
   - .gitlab-ci/lint.yml

.gitlab-ci/kubevirt.yml

@@ -55,6 +55,7 @@ pr:
           - ubuntu22-calico-all-in-one
           - ubuntu22-calico-all-in-one-upgrade
           - ubuntu24-calico-etcd-datastore
+          - ubuntu24-ha-separate-etcd
 
 # The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu20-calico-all-in-one:

roles/etcd/tasks/gen_certs_script.yml

@@ -98,28 +98,6 @@
   loop_control:
     label: "{{ item.item }}"
 
-# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
-# TODO: fix certs generation to have the same file everywhere
-# OR work with kubeadm on node-specific config
-- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
-  file:
-    state: link
-    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
-    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
-    mode: "0640"
-  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
-  vars:
-    suffixes:
-      - ''
-      - '-key'
-  when:
-    - ('kube_control_plane' in group_names)
-    - item[1] != inventory_hostname
-  register: symlink_created
-  failed_when:
-    - symlink_created is failed
-    - ('refusing to convert from file to symlink' not in symlink_created.msg)
-
 - name: Gen_certs | Gather node certs from first etcd node
   slurp:
     src: "{{ item }}"
@@ -175,3 +153,25 @@
     owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: true
+
+# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
+# TODO: fix certs generation to have the same file everywhere
+# OR work with kubeadm on node-specific config
+- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
+  file:
+    state: link
+    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
+    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
+    mode: "0640"
+  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
+  vars:
+    suffixes:
+      - ''
+      - '-key'
+  when:
+    - ('kube_control_plane' in group_names)
+    - item[1] != inventory_hostname
+  register: symlink_created
+  failed_when:
+    - symlink_created is failed
+    - ('refusing to convert from file to symlink' not in symlink_created.msg)

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -61,6 +61,7 @@
     dest: "{{ audit_policy_file }}"
     mode: "0640"
   when: kubernetes_audit or kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver
 
 - name: Write api audit webhook config yaml
   template:
@@ -68,6 +69,7 @@
     dest: "{{ audit_webhook_config_file }}"
     mode: "0640"
   when: kubernetes_audit_webhook
+  notify: Control plane | Restart apiserver
 
 - name: Create apiserver tracing config directory
   file:
@@ -82,6 +84,7 @@
     dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
     mode: "0640"
   when: kube_apiserver_tracing
+  notify: Control plane | Restart apiserver
 
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
@@ -109,6 +112,7 @@
     dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
     mode: "0640"
   when: kube_apiserver_admission_control_config_file
+  notify: Control plane | Restart apiserver
 
 - name: Kubeadm | Push admission control config files
   template:
@@ -119,6 +123,7 @@
     - kube_apiserver_admission_control_config_file
     - item in kube_apiserver_admission_plugins_needs_configuration
   loop: "{{ kube_apiserver_enable_admission_plugins }}"
+  notify: Control plane | Restart apiserver
 
 - name: Kubeadm | Check apiserver.crt SANs
   vars:
@@ -166,22 +171,32 @@
     - not kube_external_ca_mode
 
 - name: Kubeadm | Initialize first control plane node
-  command: >-
-    timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
-    {{ bin_dir }}/kubeadm init
-    --config={{ kube_config_dir }}/kubeadm-config.yaml
-    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-    {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
-  register: kubeadm_init
-  # Retry is because upload config sometimes fails
-  retries: 3
-  until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
   when: inventory_hostname == first_kube_control_plane and not kubeadm_already_run.stat.exists
-  failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
+  vars:
+    kubeadm_init_first_control_plane_cmd: >-
+      timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
+      {{ bin_dir }}/kubeadm init
+      --config={{ kube_config_dir }}/kubeadm-config.yaml
+      --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
+      --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
+      {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
   environment:
     PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
   notify: Control plane | restart kubelet
+  block:
+    - name: Kubeadm | Initialize first control plane node (1st try)
+      command: "{{ kubeadm_init_first_control_plane_cmd }}"
+      register: kubeadm_init
+      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
+  rescue:
+    # Retry is because upload config sometimes fails
+    # This retry task is separated from 1st task to show log of failure of 1st task.
+    - name: Kubeadm | Initialize first control plane node (retry)
+      command: "{{ kubeadm_init_first_control_plane_cmd }}"
+      register: kubeadm_init
+      retries: 2
+      until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
+      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
 
 - name: Set kubeadm certificate key
   set_fact:

roles/kubespray_defaults/defaults/main/download.yml

@@ -897,7 +897,7 @@ downloads:
       - k8s_cluster
 
   dnsautoscaler:
-    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] }}"
+    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] and enable_dns_autoscaler }}"
     container: true
     repo: "{{ dnsautoscaler_image_repo }}"
     tag: "{{ dnsautoscaler_image_tag }}"

tests/files/ubuntu24-ha-separate-etcd.yml

@@ -0,0 +1,13 @@
+---
+cloud_image: ubuntu-2404
+cluster_layout:
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_control_plane']
+  - node_groups: ['kube_node']
+  - node_groups: ['etcd']
+  - node_groups: ['etcd']
+  - node_groups: ['etcd']
+
+kube_network_plugin: calico
+calico_datastore: etcd