29.0.0+1.34.4 (#79)

* Molecule: Added a new verify play targeting k8s_controller

* Molecule: use own githubixx Vagrant boxes

* update k8s_ctl_release to 1.34.4

* Molecule: Added listener-port verification play

* Molecule: add API health checks via admin kubeconfig: query /livez and /readyz and assert etcd, poststarthooks, and informer sync checks are healthy.

* Molecule verify: Artifact integrity: assert binaries, required cert sets, and kubeconfig files exist with expected ownership/mode.

* Molecule verify: RBAC verification: assert ClusterRole system:kube-apiserver-to-kubelet and its binding exist and binding subject matches expected API server CN.

* Molecule verify: Kubeconfig functional checks

* Molecule: add idempotence and verify to test_seqence

* Molecule verify: Dependency readiness: assert etcd endpoints are healthy before/after converge and API server remains ready across all controllers

* Molecule: fix linter warning

* Molecule: fix linter warnings

* replace injected ansible_* facts usage with ansible_facts[...] (prepares for ansible-core 2.24 where INJECT_FACTS_AS_VARS default changes)

* update README/CHANGELOG

* update year

Author: githubixx

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 29.0.0+1.34.4
+
+- **UPDATE**
+  - update `k8s_ctl_release` to `1.34.4`
+
+- **OTHER**
+  - replace injected `ansible_*` facts usage with `ansible_facts[...]` (prepares for ansible-core 2.24 where `INJECT_FACTS_AS_VARS` default changes)
+
+- **MOLECULE**
+  - use own [githubixx Vagrant boxes](https://portal.cloud.hashicorp.com/vagrant/discover/githubixx)
+  - fix linter warnings
+  - add more checks in `verify.yml`
+
 ## 28.0.0+1.33.6
 
 - **UPDATE**

README.md

@@ -4,7 +4,7 @@ This role is used in [Kubernetes the not so hard way with Ansible - Control plan
 
 ## Versions
 
-I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `28.0.0+1.33.6` means this is release `28.0.0` of this role and it's meant to be used with Kubernetes version `1.33.6` (but should work with any K8s 1.33.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
+I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `29.0.0+1.34.4` means this is release `29.0.0` of this role and it's meant to be used with Kubernetes version `1.34.4` (but should work with any K8s 1.34.x release of course). If the role itself changes `X.Y.Z` before `+` will increase. If the Kubernetes version changes `X.Y.Z` after `+` will increase too. This allows to tag bugfixes and new major versions of the role while it's still developed for a specific Kubernetes release. That's especially useful for Kubernetes major releases with breaking changes.
 
 ## Requirements
 
@@ -27,6 +27,19 @@ See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-con
 
 **Recent changes:**
 
+## 29.0.0+1.34.4
+
+- **UPDATE**
+  - update `k8s_ctl_release` to `1.34.4`
+
+- **OTHER**
+  - replace injected `ansible_*` facts usage with `ansible_facts[...]` (prepares for ansible-core 2.24 where `INJECT_FACTS_AS_VARS` default changes)
+
+- **MOLECULE**
+  - use own [githubixx Vagrant boxes](https://portal.cloud.hashicorp.com/vagrant/discover/githubixx)
+  - fix linter warnings
+  - add more checks in `verify.yml`
+
 ## 28.0.0+1.33.6
 
 - **UPDATE**
@@ -78,7 +91,7 @@ See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-con
 roles:
   - name: githubixx.kubernetes_controller
     src: https://github.com/githubixx/ansible-role-kubernetes-controller.git
-    version: 28.0.0+1.33.6
+    version: 29.0.0+1.34.4
 ```
 
 ## Role (default) variables
@@ -108,7 +121,7 @@ k8s_ctl_pki_dir: "{{ k8s_ctl_conf_dir }}/pki"
 k8s_ctl_bin_dir: "/usr/local/bin"
 
 # The Kubernetes release.
-k8s_ctl_release: "1.33.6"
+k8s_ctl_release: "1.34.4"
 
 # The interface on which the Kubernetes services should listen on. As all cluster
 # communication should use a VPN interface the interface name is
@@ -198,7 +211,7 @@ k8s_ctl_delegate_to: "127.0.0.1"
 # variable of https://github.com/githubixx/ansible-role-kubernetes-ca
 # role). If it's not specified you'll get certificate errors in the
 # logs of the services mentioned above.
-k8s_ctl_api_endpoint_host: "{% set controller_host = groups['k8s_controller'][0] %}{{ hostvars[controller_host]['ansible_' + hostvars[controller_host]['k8s_interface']].ipv4.address }}"
+k8s_ctl_api_endpoint_host: "{% set controller_host = groups['k8s_controller'][0] %}{{ hostvars[controller_host].ansible_facts.get(hostvars[controller_host]['k8s_interface'] | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[controller_host].ansible_facts.get('default_ipv4', {}).get('address')) }}"
 
 # As above just for the port. It specifies on which port the
 # Kubernetes API servers are listening. Again if there is a loadbalancer
@@ -263,7 +276,7 @@ k8s_admin_conf_group: "root"
 #
 # Besides that basically the same comments as for "k8s_ctl_api_endpoint_host"
 # variable apply.
-k8s_admin_api_endpoint_host: "{% set controller_host = groups['k8s_controller'][0] %}{{ hostvars[controller_host]['ansible_' + hostvars[controller_host]['k8s_interface']].ipv4.address }}"
+k8s_admin_api_endpoint_host: "{% set controller_host = groups['k8s_controller'][0] %}{{ hostvars[controller_host].ansible_facts.get(hostvars[controller_host]['k8s_interface'] | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[controller_host].ansible_facts.get('default_ipv4', {}).get('address')) }}"
 
 # As above just for the port.
 k8s_admin_api_endpoint_port: "6443"
@@ -279,8 +292,8 @@ k8s_apiserver_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-apiserver"
 # "kube-apiserver" daemon settings (can be overridden or additional added by defining
 # "k8s_apiserver_settings_user")
 k8s_apiserver_settings:
-  "advertise-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "advertise-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "secure-port": "6443"
   "enable-admission-plugins": "{{ k8s_apiserver_admission_plugins | join(',') }}"
   "allow-privileged": "true"
@@ -381,7 +394,7 @@ k8s_controller_manager_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-controller-manager
 # K8s controller manager settings (can be overridden or additional added by defining
 # "k8s_controller_manager_settings_user")
 k8s_controller_manager_settings:
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "secure-port": "10257"
   "cluster-cidr": "10.200.0.0/16"
   "allocate-node-cidrs": "true"
@@ -406,7 +419,7 @@ k8s_scheduler_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-scheduler"
 
 # kube-scheduler settings
 k8s_scheduler_settings:
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "config": "{{ k8s_scheduler_conf_dir }}/kube-scheduler.yaml"
   "authentication-kubeconfig": "{{ k8s_scheduler_conf_dir }}/kubeconfig"
   "authorization-kubeconfig": "{{ k8s_scheduler_conf_dir }}/kubeconfig"

defaults/main.yml

@@ -23,7 +23,7 @@ k8s_ctl_pki_dir: "{{ k8s_ctl_conf_dir }}/pki"
 k8s_ctl_bin_dir: "/usr/local/bin"
 
 # The Kubernetes release.
-k8s_ctl_release: "1.33.6"
+k8s_ctl_release: "1.34.4"
 
 # The interface on which the Kubernetes services should listen on. As all cluster
 # communication should use a VPN interface the interface name is
@@ -113,7 +113,10 @@ k8s_ctl_delegate_to: "127.0.0.1"
 # variable of https://github.com/githubixx/ansible-role-kubernetes-ca
 # role). If it's not specified you'll get certificate errors in the
 # logs of the services mentioned above.
-k8s_ctl_api_endpoint_host: "{{ hostvars[groups['k8s_controller'] | first]['ansible_' + hostvars[groups['k8s_controller'] | first]['k8s_interface']].ipv4.address }}"
+k8s_ctl_api_endpoint_host: >-
+  {%- set controller_host = groups['k8s_controller'] | first -%}
+  {%- set controller_interface = hostvars[controller_host]['k8s_interface'] | default('eth0') -%}
+  {{- hostvars[controller_host].ansible_facts.get(controller_interface, {}).get('ipv4', {}).get('address', hostvars[controller_host].ansible_facts.get('default_ipv4', {}).get('address')) -}}
 
 # As above just for the port. It specifies on which port the
 # Kubernetes API servers are listening. Again if there is a loadbalancer
@@ -178,7 +181,10 @@ k8s_admin_conf_group: "root"
 #
 # Besides that basically the same comments as for "k8s_ctl_api_endpoint_host"
 # variable apply.
-k8s_admin_api_endpoint_host: "{{ hostvars[groups['k8s_controller'] | first]['ansible_' + hostvars[groups['k8s_controller'] | first]['k8s_interface']].ipv4.address }}"
+k8s_admin_api_endpoint_host: >-
+  {%- set controller_host = groups['k8s_controller'] | first -%}
+  {%- set controller_interface = hostvars[controller_host]['k8s_interface'] | default('eth0') -%}
+  {{- hostvars[controller_host].ansible_facts.get(controller_interface, {}).get('ipv4', {}).get('address', hostvars[controller_host].ansible_facts.get('default_ipv4', {}).get('address')) -}}
 
 # As above just for the port.
 k8s_admin_api_endpoint_port: "6443"
@@ -194,8 +200,8 @@ k8s_apiserver_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-apiserver"
 # "kube-apiserver" daemon settings (can be overridden or additional added by defining
 # "k8s_apiserver_settings_user")
 k8s_apiserver_settings:
-  "advertise-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "advertise-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "secure-port": "6443"
   "enable-admission-plugins": "{{ k8s_apiserver_admission_plugins | join(',') }}"
   "allow-privileged": "true"
@@ -296,7 +302,7 @@ k8s_controller_manager_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-controller-manager
 # K8s controller manager settings (can be overridden or additional added by defining
 # "k8s_controller_manager_settings_user")
 k8s_controller_manager_settings:
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "secure-port": "10257"
   "cluster-cidr": "10.200.0.0/16"
   "allocate-node-cidrs": "true"
@@ -321,7 +327,7 @@ k8s_scheduler_conf_dir: "{{ k8s_ctl_conf_dir }}/kube-scheduler"
 
 # kube-scheduler settings
 k8s_scheduler_settings:
-  "bind-address": "{{ hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address }}"
+  "bind-address": "{{ hostvars[inventory_hostname].ansible_facts.get(k8s_interface | default('eth0'), {}).get('ipv4', {}).get('address', hostvars[inventory_hostname].ansible_facts.get('default_ipv4', {}).get('address')) }}"
   "config": "{{ k8s_scheduler_conf_dir }}/kube-scheduler.yaml"
   "authentication-kubeconfig": "{{ k8s_scheduler_conf_dir }}/kubeconfig"
   "authorization-kubeconfig": "{{ k8s_scheduler_conf_dir }}/kubeconfig"

molecule/default/molecule.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2023 Robert Wimmer
+# Copyright (C) 2023-2026 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 dependency:
@@ -13,7 +13,7 @@ driver:
 
 platforms:
   - name: test-assets
-    box: alvistack/ubuntu-24.04
+    box: githubixx/ubuntu-24.04
     memory: 2048
     cpus: 2
     groups:
@@ -26,7 +26,7 @@ platforms:
         type: static
         ip: 172.16.10.5
   - name: test-controller1
-    box: alvistack/ubuntu-22.04
+    box: githubixx/ubuntu-22.04
     memory: 2048
     cpus: 2
     groups:
@@ -42,7 +42,7 @@ platforms:
         type: static
         ip: 172.16.10.10
   - name: test-controller2
-    box: alvistack/ubuntu-22.04
+    box: githubixx/ubuntu-24.04
     memory: 2048
     cpus: 2
     groups:
@@ -58,7 +58,7 @@ platforms:
         type: static
         ip: 172.16.10.20
   - name: test-controller3
-    box: alvistack/ubuntu-24.04
+    box: githubixx/ubuntu-24.04
     memory: 2048
     cpus: 2
     groups:
@@ -74,7 +74,7 @@ platforms:
         type: static
         ip: 172.16.10.30
   - name: test-worker1
-    box: alvistack/ubuntu-22.04
+    box: githubixx/ubuntu-22.04
     memory: 2048
     cpus: 2
     groups:
@@ -88,7 +88,7 @@ platforms:
         type: static
         ip: 172.16.10.100
   - name: test-worker2
-    box: alvistack/ubuntu-24.04
+    box: githubixx/ubuntu-24.04
     memory: 2048
     cpus: 2
     groups:
@@ -115,6 +115,8 @@ scenario:
   test_sequence:
     - prepare
     - converge
+    - idempotence
+    - verify
 
 verifier:
   name: ansible

molecule/default/prepare.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2023 Robert Wimmer
+# Copyright (C) 2023-2026 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 - name: Update cache
@@ -112,3 +112,26 @@
     - name: Include CNI role
       ansible.builtin.include_role:
         name: githubixx.cni
+
+- name: Verify etcd readiness before control plane converge
+  hosts: k8s_etcd
+  remote_user: vagrant
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Gather service facts
+      ansible.builtin.service_facts:
+
+    - name: Assert etcd service is active
+      ansible.builtin.assert:
+        that:
+          - "'etcd.service' in ansible_facts.services"
+          - "ansible_facts.services['etcd.service'].state == 'running'"
+
+    - name: Check etcd endpoint port is listening
+      ansible.builtin.shell: set -o pipefail && ss -H -ltn "sport = :2379" | grep -q "LISTEN"
+      args:
+        executable: /bin/bash
+      register: k8s_ctl__etcd_listener_before_converge
+      changed_when: false
+      failed_when: k8s_ctl__etcd_listener_before_converge.rc != 0