Add system-upgrade to upgrade-cluster playbook (kubernetes-sigs#10184)

pedro-peter · May 8, 2024 · e8ff1d2 · e8ff1d2
1 parent 1a25f0f
commit e8ff1d2
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 0 deletions.
diff --git a/docs/upgrades.md b/docs/upgrades.md
@@ -403,3 +403,16 @@ Please note that **migrating container engines is not officially supported by Ku
 As of Kubespray 2.18.0, containerd is already the default container engine. If you have the chance, it is advisable and safer to reset and redeploy the entire cluster with a new container engine.
 
 * [Migrating from Docker to Containerd](upgrades/migrate_docker2containerd.md)
+
+## System upgrade
+
+If you want to upgrade the APT or YUM packages while the nodes are cordoned, you can use:
+
+```ShellSession
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e system_upgrade=true
+```
+
+Nodes will be rebooted when there are package upgrades (`system_upgrade_reboot: on-upgrade`).
+This can be changed to `always` or `never`.
+
+Note: Downloads will happen twice unless `system_upgrade_reboot` is `never`.
diff --git a/playbooks/upgrade_cluster.yml b/playbooks/upgrade_cluster.yml
@@ -84,6 +84,8 @@
   roles:
     - { role: kubespray-defaults }
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
+    - { role: upgrade/system-upgrade, tags: system-upgrade }
+    - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
     - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
     - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
     - { role: kubernetes/node, tags: node }
@@ -116,6 +118,8 @@
   roles:
     - { role: kubespray-defaults }
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
+    - { role: upgrade/system-upgrade, tags: system-upgrade }
+    - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
     - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/kubeadm, tags: kubeadm }

diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
@@ -681,3 +681,6 @@ krew_root_dir: "/usr/local/krew"
 
 # sysctl_file_path to add sysctl conf to
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+
+system_upgrade: false
+system_upgrade_reboot: on-upgrade  # never, always
diff --git a/roles/upgrade/system-upgrade/tasks/apt.yml b/roles/upgrade/system-upgrade/tasks/apt.yml
@@ -0,0 +1,13 @@
+---
+- name: APT Dist-Upgrade
+  apt:
+    upgrade: dist
+    autoremove: true
+    dpkg_options: force-confold,force-confdef
+  register: apt_upgrade
+
+- name: Reboot after APT Dist-Upgrade  # noqa no-handler
+  when:
+  - apt_upgrade.changed or system_upgrade_reboot == 'always'
+  - system_upgrade_reboot != 'never'
+  reboot:
diff --git a/roles/upgrade/system-upgrade/tasks/main.yml b/roles/upgrade/system-upgrade/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: APT upgrade
+  when:
+  - system_upgrade
+  - ansible_os_family == "Debian"
+  include_tasks: apt.yml
+  tags:
+  - system-upgrade-apt
+
+- name: YUM upgrade
+  when:
+  - system_upgrade
+  - ansible_os_family == "RedHat"
+  - not is_fedora_coreos
+  include_tasks: yum.yml
+  tags:
+  - system-upgrade-yum
diff --git a/roles/upgrade/system-upgrade/tasks/yum.yml b/roles/upgrade/system-upgrade/tasks/yum.yml
@@ -0,0 +1,12 @@
+---
+- name: YUM upgrade all packages  # noqa package-latest
+  yum:
+    name: '*'
+    state: latest
+  register: yum_upgrade
+
+- name: Reboot after YUM upgrade  # noqa no-handler
+  when:
+  - yum_upgrade.changed or system_upgrade_reboot == 'always'
+  - system_upgrade_reboot != 'never'
+  reboot: