There is an upstream issue in Kubeadm (affecting at least up till
1.24.4) where if the "certSANs" field of the kubeadm configmap contains
unquoted IPv6 addresses starting with colons in "flow style" it will
choke while parsing.
It also works to wrap each IPv6 address in quotes.
It's not clear what causes the certSANs field to be formatted in flow
style, but it was seen in testing after a platform upgrade followed
by a k8s upgrade.
The workaround is to modify the "upgrade first control plane" code
to update the configmap 'certSANs' field to block style if it's in
flow style and contains IPv6 addresses.
We'll hit the same error in _get_kubernetes_join_cmd(), but since that
code is run more frequently rather than reformatting the configmap
we modify the code to explicitly set the certificate key rather than
passing in the whole kubeadm config file. This is arguably how it
should have been done originally.
In StarlingX 7 by default we set the "HugePageStorageMediumSize=true"
feature gate in the kube-apiserver section of the kubeadm configmap.
In k8s 1.24 it's no longer supported. In StarlingX 8 we remove it
from various locations (kubelet config, service parameters, etc.)
but we also need to remove it from the kubeadm configmap.
Test Plan:
PASS: platform upgrade from Starlingx 7 to 8, then K8s upgrade to 1.24
PASS: add "::1" address to certSANS in configmap then upgrade k8s
PASS: set HugePageStorageMediumSize in cm then upgrade k8s to 1.24
Change-Id: I45e9e22585a5b2912a339ad5905d011e3adc29ab
Closes-Bug: 2016041
Signed-off-by: Chris Friesen <email address hidden>
Reviewed: https://review.opendev.org/c/starlingx/config/+/880240
Committed: https://opendev.org/starlingx/config/commit/5c58f00c11732f59bb559326659e1635f58587d5
Submitter: "Zuul (22348)"
Branch: master
commit 5c58f00c11732f59bb559326659e1635f58587d5
Author: Chris Friesen <email address hidden>
Date: Wed Apr 12 14:04:16 2023 -0600
assorted kubeadm configmap compatibility issues
There is an upstream issue in Kubeadm (affecting at least up till
1.24.4) where if the "certSANs" field of the kubeadm configmap contains
unquoted IPv6 addresses starting with colons in "flow style" it will
choke while parsing.
The problematic formatting looks like this:
While this is fine:
It also works to wrap each IPv6 address in quotes.
It's not clear what causes the certSANs field to be formatted in flow
style, but it was seen in testing after a platform upgrade followed
by a k8s upgrade.
The workaround is to modify the "upgrade first control plane" code
to update the configmap 'certSANs' field to block style if it's in
flow style and contains IPv6 addresses.
I've opened an upstream issue:
https://github.com/kubernetes/kubeadm/issues/2858
We'll hit the same error in _get_kubernetes_join_cmd(), but since that
code is run more frequently rather than reformatting the configmap
we modify the code to explicitly set the certificate key rather than
passing in the whole kubeadm config file. This is arguably how it
should have been done originally.
In StarlingX 7 by default we set the "HugePageStorageMediumSize=true"
feature gate in the kube-apiserver section of the kubeadm configmap.
In k8s 1.24 it's no longer supported. In StarlingX 8 we remove it
from various locations (kubelet config, service parameters, etc.)
but we also need to remove it from the kubeadm configmap.
Test Plan:
PASS: platform upgrade from Starlingx 7 to 8, then K8s upgrade to 1.24
PASS: add "::1" address to certSANS in configmap then upgrade k8s
PASS: set HugePageStorageMediumSize in cm then upgrade k8s to 1.24
Change-Id: I45e9e22585a5b2912a339ad5905d011e3adc29ab
Closes-Bug: 2016041
Signed-off-by: Chris Friesen <email address hidden>
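The flow-style to block-style rewrite described in the commit message, as an added example that is not the StarlingX change itself or code from the page. The function names, the sample fragment and the assumption that the flow-style list sits on a single line are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a kubeadm ClusterConfiguration fragment (not from the page).
SAMPLE = """\
apiServer:
  certSANs: [192.168.204.2, 127.0.0.1, ::1, fd00::2, example.local]
  timeoutForControlPlane: 4m0s
"""

# Matches a single-line flow-style list: "certSANs: [a, b, c]"
FLOW_RE = re.compile(r"^(?P<indent>\s*)certSANs:\s*\[(?P<items>[^\]]*)\]\s*$")


def is_ipv6(value):
    """Return True if value parses as an IPv6 address."""
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False


def cert_sans_to_block_style(text):
    """Rewrite flow-style certSANs as block style when it holds IPv6 entries."""
    out = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        items = []
        if m:
            items = [i.strip().strip("'\"") for i in m.group("items").split(",") if i.strip()]
        if not any(is_ipv6(i) for i in items):
            out.append(line)  # not flow style, or no IPv6: leave untouched
            continue
        indent = m.group("indent")
        out.append(f"{indent}certSANs:")
        for item in items:
            # Quote IPv6 entries as well, which the commit message notes also works.
            rendered = f'"{item}"' if is_ipv6(item) else item
            out.append(f"{indent}- {rendered}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(cert_sans_to_block_style(SAMPLE))
```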