refactor: unify inconsistent variables in apiserver endpoint

[kajal-jotwani]

What type of PR is this?
/kind cleanup

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This PR replaces several overlapping and inconsistently named API server
load balancer variables with two clear endpoint variables.

It updates defaults, templates, and documentation to consistently use these
endpoints, making it easier to understand which address is used externally and
which is used internally within the cluster, while keeping existing setups
working.

• kube_apiserver_endpoint (external access)
• kube_apiserver_cluster_internal_endpoint (internal cluster access)

Which issue(s) this PR fixes:

Fixes #12883

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kajal-jotwani
Once this PR has been reviewed and has the lgtm label, please assign yankay for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: kajal-jotwani / name: Kajal Jotwani (17a6a0b, 1da232e, 463a157, 4995162, 4e461ba, 6fd3191, 80fb7b6, 8448a3e, 8f30867, 97326cd, e62fc93, f01689c, f8c845b, ff949d3)

[k8s-ci-robot]

Hi @kajal-jotwani. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[VannTen]

Thanks for your work !
/ok-to-test

Lots of comments but it's just because the current code is messy (not yours, the current kubespray codebase I mean), it's easier to elaborate how we want to do it with proposed changes 👍

[VannTen]

Won't be necessary after #12870

[kajal-jotwani]

Got it! So should I remove this task entirely?

[VannTen]

You can leave it, if the other PR merge before that will need a rebase, no big deal.

[VannTen]

Sorry I was confused regarding the other PR. We can delete both theses tasks ("Update server field"), with the correct variables into kubeadm configuration this should not be needed anymore.

[VannTen]

This won't be necessary because kubeadm does it by itself see #12870

[kajal-jotwani]

Thanks a lot for the detailed review!
I’ve addressed most of the comments and I’m currently validating the changes to make sure everything is consistent.
I’ll push any remaining fixes and ping once it’s ready for final review.

[VannTen]

I've been of the impression this whole section was a bit too much complicated to be clear (way too much variables).
Also, since we're going towards more alignement with kubeadm (see #12870 ) it will be wrong for control plane (always using localhost).

I would maybe simplify this and just mention both variables (kube_**endpoint) and maybe link to the defaults file where we would put comment explaining the computed default ?

@tico88612 what do you think ? I kinda struggle to know what's the right amount of details ?

(It's kinda out of scope of the PR though so it's okay if we don't fix this here).

[VannTen]

You can leave it, if the other PR merge before that will need a rebase, no big deal.

[VannTen]

This is kinda tricky to get right if we want to keep the current behavior, roughly.
(aka, defaulting to LB localhost if we don't explicitely define a LB) 🤔 .

Possible solution:
Use an internal var (in /vars, which can't be overriden from inventory.) for the actual value, with something like kube_apiserver_endpoint | d(first_master_endpoint).
This then means we can check if the user level variable is defined with is defined.

Wdyt ?

[kajal-jotwani]

Yep, that makes sense. I considered a true/false user option, but that would lose the distinction between explicit intent and defaults. Keeping the user var optional and resolving an internal effective value preserves current behavior and lets us detect explicit LB config via is defined. should I go ahead and implement this?

[VannTen]

Yeah, I think so. We should still have the variable in defaults but with "{{ undef() }}" which should have the same effect as not defining it but be more explicit.

[VannTen]

Incomplete review of some stuff:
But the test failure might be related to the parenthese stuff, not sure.

[VannTen]

Now that #12942 landed you can use it directly 👍

[VannTen]

I think you need some

Suggested change

	kube_apiserver_cluster_internal_endpoint: "{{ 'https://127.0.0.1:' ~ loadbalancer_apiserver_port if loadbalancer_apiserver_localhost else kube_apiserver_endpoint }}"
	kube_apiserver_cluster_internal_endpoint: "{{ ('https://127.0.0.1:' ~ loadbalancer_apiserver_port) if loadbalancer_apiserver_localhost else kube_apiserver_endpoint }}"

I'm not sure but the if else might be more closely binding than ~ which would probably not work.

[kajal-jotwani]

/test pull-kubespray-yamllint

[VannTen]

This should be the _kube_apiserver_endpoint here, not the internal one.
The reason for this is that this is used for discovery, aka, for the control plane, before there is a local apiserver. I suspect this causes the CI failures.

[kajal-jotwani]

Changed this to _kube_apiserver_endpoint, thanks for pointing that!!

I tried to fix the CI failures as well but I’m still not able to resolve them. I’m working on it and trying to figure out what’s breaking.

[VannTen]

I don't think we need this at all, that variable should just go and we'll use _kube_apiserver_endpoint instead.
There could be an argument to expose it to the user for a endpoint only for discovery, but that's out of scope.

[VannTen]

Let's delete the kubeadm_discovery_address variable.
From my reading, it's replaceable with _kube_apiserver_endpoint without issue.

[kajal-jotwani]

@VannTen CI is now passing after the latest fixes and I have also incorporated the suggested changes!!

[VannTen]

Let's delete the kubeadm_discovery_address variable.
From my reading, it's replaceable with _kube_apiserver_endpoint without issue.

[VannTen]

I think these ones should still use _kube_apiserver_cluster_internal_endpoint, or did that break CI ?
This is different from the JoinConfiguration (which is used when adding a node/control plane), as it should be for normal operations, so for example the localhost loadbalancer should be there (which should only be internal)

If that doesn't work it probably means we have and ordering problems somewhere 🤔

[kajal-jotwani]

Yes CI was failing when using _kube_apiserver_cluster_internal_endpoint, which is why I changed it to _kube_apiserver_endpoint. I'll dig into it to understand what’s causing the issue

[VannTen]

Idem

[VannTen]

Sorry I was confused regarding the other PR. We can delete both theses tasks ("Update server field"), with the correct variables into kubeadm configuration this should not be needed anymore.

[VannTen]

See #13012 , this template isn't used anywhere.

[kajal-jotwani]

Noted, thanks! I’ll rebase once #13012 is merged.