Allow certificate rotation during cluster upgrade

kishen-v · kishen-v · commit 7836de763162 · 2025-10-10T14:58:12.000+05:30
diff --git a/kubetest2-tf/data/k8s-ansible/docs/update-os.md b/kubetest2-tf/data/k8s-ansible/docs/update-os.md
@@ -21,22 +21,22 @@ as these are generally long-running in nature.
 #### Steps to follow:
 1. From the k8s-ansible directory, generate the hosts.yml file on which the OS updates are to be performed.
    In this case, one can use the hosts.yml file under `examples/containerd-cluster/hosts.yml` to contain the IP(s)
-   of the following nodes - Bastion, Workers and Masters.
+   of the following nodes - Bastion, Workers and Masters. 
+   In case if a bastion is involved in the setup, it is necessary to have a [bastion] section and the associated IP in the `hosts.yml` file
 ```
-[bastion]
-1.2.3.4
 [masters]
 10.20.177.51
 10.20.177.26
 10.20.177.227
 [workers]
 10.20.177.39
 
-[workers:vars]
-ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -i <path-to-private-key> -q root@X" -i <path-to-private-key>'
-
-[masters:vars]
-ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -i <path-to-private-key> -q root@X" -i <path-to-private-key>'
+## The following section is needed if a bastion is involved.
+##[workers:vars]
+##ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -i <path-to-private-key> -q root@X" -i <path-to-private-key>'
+##
+##[masters:vars]
+##ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -i <path-to-private-key> -q root@X" -i <path-to-private-key>'
 ```
 2. Set the path to the `kubeconfig` of the cluster under group_vars/all - under the `kubeconfig_path` variable.
 3. Once the above are set use the following command to update the nodes - 
diff --git a/kubetest2-tf/data/k8s-ansible/roles/update-k8s-patch/tasks/main.yml b/kubetest2-tf/data/k8s-ansible/roles/update-k8s-patch/tasks/main.yml
@@ -10,14 +10,14 @@
   when: node_type == "master"
 
 - name: Perform kubeadm upgrade on the first control-plane node
-  shell: kubeadm upgrade apply v{{ kubernetes_major_minor }}.{{ kubernetes_patch }} --certificate-renewal=false -y
+  shell: kubeadm upgrade apply v{{ kubernetes_major_minor }}.{{ kubernetes_patch }}
   when: groups['masters']|length > 1 and inventory_hostname == groups['masters'][0]
 
 - name: Update the kubelet and the kubectl utilities
   shell: sudo yum install -y kubelet-'{{ kubernetes_major_minor }}.{{ kubernetes_patch }}-*' kubectl-'{{ kubernetes_major_minor }}.{{ kubernetes_patch }}-*' --disableexcludes=kubernetes
 
 - name: Perform kubeadm upgrade on the rest of the nodes
-  shell: kubeadm upgrade node --certificate-renewal=false
+  shell: kubeadm upgrade node
   when: inventory_hostname != groups['masters'][0] and (node_type == "master" or node_type == "worker")
 
 - name: Reload the systemd processes
