Comment 2 for bug 2016041

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/880240
Committed: https://opendev.org/starlingx/config/commit/5c58f00c11732f59bb559326659e1635f58587d5
Submitter: "Zuul (22348)"
Branch: master

commit 5c58f00c11732f59bb559326659e1635f58587d5
Author: Chris Friesen <email address hidden>
Date: Wed Apr 12 14:04:16 2023 -0600

    assorted kubeadm configmap compatibility issues

    There is an upstream issue in Kubeadm (affecting at least up till
    1.24.4) where if the "certSANs" field of the kubeadm configmap contains
    unquoted IPv6 addresses starting with colons in "flow style" it will
    choke while parsing.

    The problematic formatting looks like this:

            ClusterConfiguration: |
                apiServer:
                    certSANs: [::1, 192.168.206.1, 127.0.0.1, 10.20.7.3]

    While this is fine:

            ClusterConfiguration: |
                apiServer:
                    certSANs:
                    - ::1
                    - 192.168.206.1
                    - 127.0.0.1
                    - 10.20.7.3

    It also works to wrap each IPv6 address in quotes.

    It's not clear what causes the certSANs field to be formatted in flow
    style, but it was seen in testing after a platform upgrade followed
    by a k8s upgrade.

    The workaround is to modify the "upgrade first control plane" code
    to update the configmap 'certSANs' field to block style if it's in
    flow style and contains IPv6 addresses.

    I've opened an upstream issue:
    https://github.com/kubernetes/kubeadm/issues/2858

    We'll hit the same error in _get_kubernetes_join_cmd(), but since that
    code is run more frequently, rather than reformatting the configmap
    we modify the code to explicitly set the certificate key rather than
    passing in the whole kubeadm config file. This is arguably how it
    should have been done originally.

    In StarlingX 7 by default we set the "HugePageStorageMediumSize=true"
    feature gate in the kube-apiserver section of the kubeadm configmap.
    In k8s 1.24 it's no longer supported. In StarlingX 8 we remove it
    from various locations (kubelet config, service parameters, etc.)
    but we also need to remove it from the kubeadm configmap.

    Test Plan:
    PASS: platform upgrade from StarlingX 7 to 8, then K8s upgrade to 1.24
    PASS: add "::1" address to certSANs in configmap then upgrade k8s
    PASS: set HugePageStorageMediumSize in cm then upgrade k8s to 1.24

    Change-Id: I45e9e22585a5b2912a339ad5905d011e3adc29ab
    Closes-Bug: 2016041
    Signed-off-by: Chris Friesen <email address hidden>
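
The flow-to-block rewrite of `certSANs` described in the commit message, as an added example that is not the StarlingX change itself or code from this page. It assumes the list sits on a single line of the ClusterConfiguration text; the function names and the sample input (built from the addresses quoted above) are constructed for illustration.

```python
import ipaddress
import re

# One-line flow-style sequence, e.g. "    certSANs: [::1, 10.20.7.3]"
FLOW_RE = re.compile(r'^(?P<indent>[ \t]*)certSANs:\s*\[(?P<items>[^\]]*)\]\s*$')

# Constructed sample: the problematic formatting from the commit message.
SAMPLE = (
    "apiServer:\n"
    "    certSANs: [::1, 192.168.206.1, 127.0.0.1, 10.20.7.3]\n"
    "kind: ClusterConfiguration\n"
)


def is_ipv6(value):
    """True if value parses as an IPv6 address (hostnames return False)."""
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False


def certsans_to_block_style(cluster_config):
    """Rewrite flow-style certSANs to block style only when it holds IPv6.

    Block-style lists and IPv4/hostname-only flow lists pass through as-is.
    """
    out = []
    for line in cluster_config.splitlines():
        m = FLOW_RE.match(line)
        items = []
        if m:
            # Drop optional quotes so quoted and unquoted entries are handled.
            items = [i.strip().strip('"\'') for i in m.group('items').split(',')]
            items = [i for i in items if i]
        if not any(is_ipv6(i) for i in items):
            out.append(line)  # nothing to fix on this line
            continue
        indent = m.group('indent')
        out.append(indent + 'certSANs:')
        out.extend('%s- %s' % (indent, i) for i in items)
    text = '\n'.join(out)
    return text + '\n' if cluster_config.endswith('\n') else text


if __name__ == '__main__':
    print(certsans_to_block_style(SAMPLE))
```

Running the function on its own output returns it unchanged, so the rewrite can be applied on every upgrade without first checking whether it was already done.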