K8s improvements

[atsikham]

• Please create an issue for removing (or adding comment about) --ignore-preflight-errors all and add the issue number here as a comment.

  Originally posted by @to-bar in Fix 'Join to Kubernetes cluster' task #2805 (comment)

• We re-generate apiserver certificates here for issue [BUG] Kubectl client outside of HA/multi-master Epiphany cluster fails to connect to server with invalid certificate #1520. But in fact cert SANs patching should be moved to patching apiserver configuration in upgrade and executed here only after promotion to ha. Check kubeadm configuration.

  To summarize:

  • in apply apiserver cert SANs could be checked and if there is not all necessary addresses, re-generate
  • in upgrade kubeadm config should be patched

  Following cases will be covered:

  • changing the number of control plane nodes (downscale is not supported)
  • idempotence in applying the same configuration
  • upgrade from previous versions

  Example of check: openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep DNS:

• Condider adding block/rescue for certificates generation to handle failures:

  • doc
  • tasks

---

DoD checklist

• Changelog updated (if affected version was released)
• COMPONENTS.md updated / doesn't need to be updated
• Automated tests passed (QA pipelines)
  • apply
  • upgrade
• Case covered by automated test (if possible)
• Idempotency tested
• Documentation updated / doesn't need to be updated
• All conversations in PR resolved
• Backport tasks created / doesn't need to be backported

[przemyslavic]

Tested:

• single master + x nodes, promote to HA, HA cluster, single machine
• upgrades
• certificates renewal
• kubeadm reset + re-apply

However, it is not recommended to renew certificates after executing kubeadm reset command as it may fail in some edge cases - documentation updated.