kubespray/roles/kubernetes/control-plane/tasks/main.yml

---
- name: Pre-upgrade control plane
  import_tasks: pre-upgrade.yml
  tags:
    - k8s-pre-upgrade

- name: Create webhook token auth config
  template:
    src: webhook-token-auth-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
    mode: "0640"
  when: kube_webhook_token_auth | default(false)

- name: Create webhook authorization config
  template:
    src: webhook-authorization-config.yaml.j2
    dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
    mode: "0640"
  when: kube_webhook_authorization | default(false)

- name: Create structured AuthorizationConfiguration file
  copy:
    content: "{{ authz_config | to_nice_yaml(indent=2, sort_keys=false) }}"
    dest: "{{ kube_config_dir }}/apiserver-authorization-config.yaml"
    mode: "0640"
  vars:
    authz_config:
      apiVersion: apiserver.config.k8s.io/{{ 'v1alpha1' if kube_version is version('v1.30.0', '<') else 'v1beta1' if kube_version is version('v1.32.0', '<') else 'v1' }}
      kind: AuthorizationConfiguration
      authorizers: "{{ kube_apiserver_authorization_config_authorizers }}"
  when: kube_apiserver_use_authorization_config_file

- name: Create kube-scheduler config
  template:
    src: kubescheduler-config.yaml.j2
    dest: "{{ kube_config_dir }}/kubescheduler-config.yaml"
    mode: "0644"

- name: Apply Kubernetes encrypt at rest config
  import_tasks: encrypt-at-rest.yml
  when:
    - kube_encrypt_secret_data
  tags:
    - kube-apiserver

- name: Install | Copy kubectl binary from download dir
  copy:
    src: "{{ downloads.kubectl.dest }}"
    dest: "{{ bin_dir }}/kubectl"
    mode: "0755"
    remote_src: true
  tags:
    - kubectl
    - upgrade

- name: Install kubectl bash completion
  shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
  when: ansible_os_family in ["Debian","RedHat", "Suse"]
  tags:
    - kubectl
  ignore_errors: true  # noqa ignore-errors

- name: Set kubectl bash completion file permissions
  file:
    path: /etc/bash_completion.d/kubectl.sh
    owner: root
    group: root
    mode: "0755"
  when: ansible_os_family in ["Debian","RedHat", "Suse"]
  tags:
    - kubectl
    - upgrade
  ignore_errors: true  # noqa ignore-errors

- name: Set bash alias for kubectl
  blockinfile:
    path: /etc/bash_completion.d/kubectl.sh
    block: |-
      alias {{ kubectl_alias }}=kubectl
      if [[ $(type -t compopt) = "builtin" ]]; then
        complete -o default -F __start_kubectl {{ kubectl_alias }}
      else
        complete -o default -o nospace -F __start_kubectl {{ kubectl_alias }}
      fi
    state: present
    marker: "# Ansible entries {mark}"
  when:
    - ansible_os_family in ["Debian","RedHat", "Suse"]
    - kubectl_alias is defined and kubectl_alias != ""
  tags:
    - kubectl
    - upgrade
  ignore_errors: true  # noqa ignore-errors

- name: Define nodes already joined to existing cluster and first_kube_control_plane
  import_tasks: define-first-kube-control.yml

- name: Include kubeadm setup
  import_tasks: kubeadm-setup.yml

- name: Include kubeadm etcd extra tasks
  include_tasks: kubeadm-etcd.yml
  when: etcd_deployment_type == "kubeadm"

- name: Include kubeadm secondary server apiserver fixes
  include_tasks: kubeadm-fix-apiserver.yml

- name: Include kubelet client cert rotation fixes
  include_tasks: kubelet-fix-client-cert-rotation.yml
  when: kubelet_rotate_certificates

- name: Install script to renew K8S control plane certificates
  template:
    src: k8s-certs-renew.sh.j2
    dest: "{{ bin_dir }}/k8s-certs-renew.sh"
    mode: "0755"

- name: Renew K8S control plane certificates monthly 1/2
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    mode: "0644"
    validate: "sh -c '[ -f /usr/bin/systemd/system/factory-reset.target ] || exit 0 && systemd-analyze verify %s:{{item}}'"
    # FIXME: check that systemd version >= 250 (factory-reset.target was introduced in that release)
    # Remove once we drop support for systemd < 250
  with_items:
    - k8s-certs-renew.service
    - k8s-certs-renew.timer
  register: k8s_certs_units
  when: auto_renew_certificates

- name: Renew K8S control plane certificates monthly 2/2
  systemd_service:
    name: k8s-certs-renew.timer
    enabled: true
    state: started
    daemon_reload: "{{ k8s_certs_units is changed }}"
  when: auto_renew_certificates