From 1f4a3a1b4fb39e632f84b8391449664dc4358a6c Mon Sep 17 00:00:00 2001 From: harihud Date: Thu, 16 Sep 2021 15:30:35 +0000 Subject: [PATCH 1/2] Add option to kubeadm upgrade command to control certificates renewal during control plane upgrade --- roles/kubernetes/control-plane/defaults/main/main.yml | 5 +++++ roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index f83133cbed3..7c393ff66a7 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -193,3 +193,8 @@ event_ttl_duration: "1h0m0s" auto_renew_certificates: false # First Monday of each month auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00" + +# kubeadm renews all the certificates during control plane upgrade. +# If we have requirement like without renewing certs upgrade the cluster, +# we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false +kubeadm_upgrade_auto_cert_renewal: true diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml index 0570ee9d093..a809f0ee143 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml @@ -14,6 +14,7 @@ timeout -k 600s 600s {{ bin_dir }}/kubeadm upgrade apply -y {{ kube_version }} + --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }} --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades 
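Review bot: The comment added above `kubeadm_upgrade_auto_cert_renewal` in roles/kubernetes/control-plane/defaults/main/main.yml does not say what keeps certificates valid once the option is set to false. The context lines of the same hunk show `auto_renew_certificates: false` as the default, so a cluster that opts out here and keeps that default has, as far as this file shows, no renewal path left and its control plane certificates would run to expiry. I would reword the comment to `# kubeadm renews all control plane certificates during an upgrade; set this to false to upgrade without renewing them.` followed by `# When false, make sure the certificates are renewed another way (e.g. auto_renew_certificates: true) before they expire.`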
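Review bot: The added `--certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }}` line in roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml hands the variable to kubeadm as rendered text, so any override that is not a real boolean reaches the command line unchanged. A string such as `no` from an INI inventory or an extra-var is probably not a value kubeadm's boolean flag accepts, and an empty value leaves a dangling `--certificate-renewal=`, so the control plane upgrade would fail partway through the play. Normalising the value, `--certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal | bool | lower }}`, restricts the flag to `true` or `false`. The task that holds this command starts outside the hunk, so I cannot see which module runs it. The same line is added in the `@@ -34,6 +35,7 @@` hunk and needs the same change.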
@@ -34,6 +35,7 @@ timeout -k 600s 600s {{ bin_dir }}/kubeadm upgrade apply -y {{ kube_version }} + --certificate-renewal={{ kubeadm_upgrade_auto_cert_renewal }} --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all --allow-experimental-upgrades From 88cbd460bf9e96854d7fb0294c82f67181adad9d Mon Sep 17 00:00:00 2001 From: Hari Hud <51223100+harihud@users.noreply.github.com> Date: Thu, 16 Sep 2021 21:59:37 +0530 Subject: [PATCH 2/2] Remove training whitespace --- roles/kubernetes/control-plane/defaults/main/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 7c393ff66a7..dbd2961f02e 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -193,8 +193,7 @@ event_ttl_duration: "1h0m0s" auto_renew_certificates: false # First Monday of each month auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00" - -# kubeadm renews all the certificates during control plane upgrade. +# kubeadm renews all the certificates during control plane upgrade. # If we have requirement like without renewing certs upgrade the cluster, # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false kubeadm_upgrade_auto_cert_renewal: true