ansible/playbooks/roles/upgrade/tasks/kubernetes/patch-kubeadm-apiserver.yml

---
# Since usage of the --config flag for reconfiguring the cluster during upgrade is not recommended
# (warning added in v1.17), we patch kubeadm-config ConfigMap directly.

# kube-apiserver uses --encryption-provider-config parameter to control how data is encrypted in etcd.
# If this parameter is absent the encryption is not enabled.
- name: K8s/master | Check if encryption of secret data is enabled
  command: >-
    grep -- '--encryption-provider-config' /etc/kubernetes/manifests/kube-apiserver.yaml
  register: command_grep_encryption_flag
  changed_when: false
  failed_when: command_grep_encryption_flag.rc > 1

- name: K8s/master | Patch kubeadm-config ConfigMap if needed
  when:
    - command_grep_encryption_flag.rc == 0 # encryption enabled
  run_once: true  # makes no sense to execute it more than once (would be redundant)
  block:
    - name: K8s | Load defaults from kubernetes_master role
      include_vars:
        file: roles/kubernetes_master/defaults/main.yml
        name: kubernetes_master_defaults
      when:
        - kubernetes_master_defaults.pki.location is undefined

    - name: K8s/master | Get kubeadm-config configmap
      command: |
        kubectl get configmap kubeadm-config \
          --namespace kube-system \
          --output yaml
      register: command_kubeadm_configmap
      changed_when: false

    # The following procedure ensures that:
    #   - etcd encryption is always enabled during subsequent kubeadm executions
    #   - DenyEscalatingExec admission plugin is not used as unsupported (it was specified in Epiphany's default values before v1.3)
    #   - apiserver audit logging is enabled
    #   - apiserver certSANs are configured the same way as for apply (GitHub issue #1520)
    - name: K8s/master | Patch kubeadm-config configmap (patch-kubeadm-apiserver.yml)
      command: |
        kubectl patch configmap kubeadm-config \
          --namespace kube-system \
          --patch "$KUBEADM_CONFIGMAP_DOCUMENT"
      environment:
        # Render an altered kubeadm-config configmap document
        KUBEADM_CONFIGMAP_DOCUMENT: >-
          {{ _document | combine(_update2, recursive=true) | to_nice_yaml(indent=2) }}
      vars:
        # Parse yaml payload
        _document: >-
          {{ command_kubeadm_configmap.stdout | from_yaml }}

        # Extract cluster config
        _cluster_config: >-
          {{ _document.data.ClusterConfiguration | from_yaml }}

        _kubeadm_api_server_extra_args: >-
          {{ _cluster_config.apiServer.extraArgs }}

        _kubeadm_supported_admission_plugins: >-
          {{ _kubeadm_api_server_extra_args['enable-admission-plugins'].split(',')
              | difference(['DenyEscalatingExec'])
              | join(',') }}

        # Prepare the cluster config patch
        _update1: |-
          apiServer:
            certSANs:
          {% set address_list = ['127.0.0.1', 'localhost'] %}
          {% for host in groups['kubernetes_master'] %}
          {%   set _ = address_list.extend([ hostvars[host]['ansible_default_ipv4']['address'], hostvars[host]['ansible_host'] ]) %}
          {% endfor %}
          {% for address in address_list|unique %}
              - {{ address }}
          {% endfor %}
            extraArgs:
              encryption-provider-config: {{ kubernetes_master_defaults.pki.location }}/etcd/etc-encryption.conf
          {% if version is version('1.21', '>=') and version is version('1.22', '<') %}
              enable-admission-plugins: {{ _kubeadm_supported_admission_plugins }}
          {% endif %}
              audit-log-path: "/var/log/kubernetes/audit/audit.log"
            extraVolumes:
              - name: apiserver-audit-log
                hostPath: /var/log/kubernetes/audit/
                mountPath: /var/log/kubernetes/audit/
                readOnly: false
                pathType: DirectoryOrCreate

        _cluster_config_updated: >-
          {{ _cluster_config | combine(_update1|from_yaml, recursive=true) }}

        # Prepare the final update for the whole document
        _update2:
          data:
            ClusterConfiguration: >-
              {{ _cluster_config_updated | to_nice_yaml(indent=2) }}