23.0.0+1.28.5 (#55)

* upate k8s_release to 1.28.5 / extend enable-admission-plugins list of kube-apiserver * update CHANGELOG and README * Molecule: Change IP addresses
githubixx · Jan 8, 2024 · 48a7477 · 48a7477
1 parent 6875577
commit 48a7477
Show file tree

Hide file tree

Showing 11 changed files with 55 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 23.0.0+1.28.5
+
+### UPDATE
+
+- update `k8s_release` to `1.28.5`
+
+### BREAKING
+
+- Extend `enable-admission-plugins` in `k8s_apiserver_settings` by: `PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass`. These are enabled by default if this flag is not specified (see [Admission Controllers Reference](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for more information).
+
+### MOLECULE
+
+- Change IP addresses
+
 ## 22.0.0+1.27.8
 
 ### PLEASE READ CAREFULLY

diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ This role is used in [Kubernetes the not so hard way with Ansible - Control plan
 
 ## Versions
 
-I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `21.0.0+1.27.8` means this is release `21.0.0` of this role and it's meant to be used with Kubernetes version `1.27.8` (but should work with any K8s 1.27.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
+I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `23.0.0+1.28.5` means this is release `23.0.0` of this role and it's meant to be used with Kubernetes version `1.28.5` (but should work with any K8s 1.27.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
 
 ## Requirements
 
@@ -21,7 +21,25 @@ This role requires that you already created some certificates for Kubernetes API
 
 See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-controller/blob/master/CHANGELOG.md)
 
-**Changes in the last two versions:**
+**Recent changes:**
+
+## 23.0.0+1.28.5
+
+### GENERAL
+
+If you upgrade from a release < `22.0.0+1.27.8` please read the [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-controller/blob/master/CHANGELOG.md) carefully! Version `22.0.0+1.27.8` had quite a few breaking changes!
+
+### UPDATE
+
+- update `k8s_release` to `1.28.5`
+
+### BREAKING
+
+- Extend `enable-admission-plugins` in `k8s_apiserver_settings` by: `PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass`. These are enabled by default if this flag is not specified (see [Admission Controllers Reference](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for more information).
+
+### MOLECULE
+
+- Change IP addresses
 
 ## 22.0.0+1.27.8
 
@@ -117,7 +135,7 @@ er on the Ansible controller host. Previously it was needed to prepare these fil
 - Add tasks to install [ansible-role-cni](https://github.com/githubixx/ansible-role-cni) and [ansible-role-runc](https://github.com/githubixx/ansible-role-runc)
 - Use `kubernetes.core.k8s_info` module instead of calling `kubectl` binary
 
-21.1.3+1.27.5
+## 21.1.3+1.27.5
 
 - rename `githubixx.harden-linux` to `githubixx.harden_linux`
 
@@ -137,7 +155,7 @@ er on the Ansible controller host. Previously it was needed to prepare these fil
 roles:
   - name: githubixx.kubernetes_controller
     src: https://github.com/githubixx/ansible-role-kubernetes-controller.git
-    version: 22.0.0+1.27.8
+    version: 23.0.0+1.28.5
 ```
 
 ## Role (default) variables
@@ -167,7 +185,7 @@ k8s_ctl_pki_dir: "{{ k8s_ctl_conf_dir }}/pki"
 k8s_ctl_bin_dir: "/usr/local/bin"
 
 # The Kubernetes release.
-k8s_ctl_release: "1.27.8"
+k8s_ctl_release: "1.28.5"
 
 # The interface on which the Kubernetes services should listen on. As all cluster
 # communication should use a VPN interface the interface name is
@@ -341,7 +359,7 @@ k8s_apiserver_settings:
   "advertise-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
   "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
   "secure-port": "6443"
-  "enable-admission-plugins": "NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
+  "enable-admission-plugins": "NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass"
   "allow-privileged": "true"
   "authorization-mode": "Node,RBAC"
   "audit-log-maxage": "30"

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -23,7 +23,7 @@ k8s_ctl_pki_dir: "{{ k8s_ctl_conf_dir }}/pki"
 k8s_ctl_bin_dir: "/usr/local/bin"
 
 # The Kubernetes release.
-k8s_ctl_release: "1.27.8"
+k8s_ctl_release: "1.28.5"
 
 # The interface on which the Kubernetes services should listen on. As all cluster
 # communication should use a VPN interface the interface name is
@@ -197,7 +197,7 @@ k8s_apiserver_settings:
   "advertise-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
   "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
   "secure-port": "6443"
-  "enable-admission-plugins": "NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
+  "enable-admission-plugins": "NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurity,Priority,StorageObjectInUseProtection,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass"
   "allow-privileged": "true"
   "authorization-mode": "Node,RBAC"
   "audit-log-maxage": "30"

diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
@@ -84,9 +84,9 @@ etcd_settings_user:
 etcd_cert_hosts:
   - localhost
   - 127.0.0.1
-  - 192.168.10.10
-  - 192.168.10.20
-  - 192.168.10.30
+  - 172.16.10.10
+  - 172.16.10.20
+  - 172.16.10.30
   - 10.10.10.10
   - 10.10.10.20
   - 10.10.10.30

diff --git a/molecule/default/host_vars/test-assets.yml b/molecule/default/host_vars/test-assets.yml
@@ -5,4 +5,4 @@
 wireguard_address: "10.10.10.5/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.5"
+wireguard_endpoint: "172.16.10.5"
diff --git a/molecule/default/host_vars/test-controller1.yml b/molecule/default/host_vars/test-controller1.yml
@@ -5,7 +5,7 @@
 wireguard_address: "10.10.10.10/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.10"
+wireguard_endpoint: "172.16.10.10"
 
 k8s_ctl_api_endpoint_host: "127.0.0.1"
 k8s_ctl_api_endpoint_port: "16443"
diff --git a/molecule/default/host_vars/test-controller2.yml b/molecule/default/host_vars/test-controller2.yml
@@ -5,7 +5,7 @@
 wireguard_address: "10.10.10.20/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.20"
+wireguard_endpoint: "172.16.10.20"
 
 k8s_ctl_api_endpoint_host: "127.0.0.1"
 k8s_ctl_api_endpoint_port: "16443"
diff --git a/molecule/default/host_vars/test-controller3.yml b/molecule/default/host_vars/test-controller3.yml
@@ -5,4 +5,4 @@
 wireguard_address: "10.10.10.30/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.30"
+wireguard_endpoint: "172.16.10.30"
diff --git a/molecule/default/host_vars/test-worker1.yml b/molecule/default/host_vars/test-worker1.yml
@@ -5,7 +5,7 @@
 wireguard_address: "10.10.10.100/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.100"
+wireguard_endpoint: "172.16.10.100"
 
 ha_proxy_frontend_bind_address: "127.0.0.1"
 ha_proxy_frontend_port: "16443"

diff --git a/molecule/default/host_vars/test-worker2.yml b/molecule/default/host_vars/test-worker2.yml
@@ -5,4 +5,4 @@
 wireguard_address: "10.10.10.110/24"
 wireguard_port: 51820
 wireguard_persistent_keepalive: "30"
-wireguard_endpoint: "192.168.10.110"
+wireguard_endpoint: "172.16.10.110"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -24,7 +24,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.5
+        ip: 172.16.10.5
   - name: test-controller1
     box: generic/ubuntu2204
     memory: 2048
@@ -40,7 +40,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.10
+        ip: 172.16.10.10
   - name: test-controller2
     box: generic/ubuntu2204
     memory: 2048
@@ -56,7 +56,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.20
+        ip: 172.16.10.20
   - name: test-controller3
     box: generic/ubuntu2004
     memory: 2048
@@ -72,7 +72,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.30
+        ip: 172.16.10.30
   - name: test-worker1
     box: generic/ubuntu2204
     memory: 2048
@@ -86,7 +86,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.100
+        ip: 172.16.10.100
   - name: test-worker2
     box: generic/ubuntu2004
     memory: 2048
@@ -100,7 +100,7 @@ platforms:
       - auto_config: true
         network_name: private_network
         type: static
-        ip: 192.168.10.110
+        ip: 172.16.10.110
 
 provisioner:
   name: ansible