k8s-upgrade: preflight kubeadm-plan gate must pass explicit target (minor-upgrade fix)
All checks were successful
ci/woodpecker/push/default Pipeline was successful

Last night's 1.34.9->1.35.6 run passed the ESO/kyverno compat gate (the migration
worked!) but ABORTED at the kubeadm-plan-target gate: it ran `kubeadm upgrade plan`
with NO version, so master's old 1.34.9 kubeadm auto-proposed only the current
minor (Loki: "falling back to stable-1.34") and plan_target != 1.35.6 -> abort.
That gate worked for patch upgrades but never for minors. Fix: pass the explicit
`v$TARGET_VERSION` (verified on master: `kubeadm upgrade plan v1.35.6` emits
"kubeadm upgrade apply v1.35.6"). Works for patches too. Applied live to the
ConfigMap before tonight's run; deleted the failed preflight-1-35-6 job.

Also: ESO 2.x took SSA ownership of .spec.refreshInterval, so terraform's apply of
the k8s-upgrade-creds ExternalSecret hit a field-manager conflict. Added
field_manager.force_conflicts=true (benign — interval is semantically identical).
This pattern affects all 104 migrated ESs fleet-wide (follow-up).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-24 06:06:14 +00:00
parent 98d2b89614
commit 566447a698
2 changed files with 18 additions and 1 deletions

View file

@ -131,6 +131,15 @@ resource "kubernetes_manifest" "external_secret" {
]
}
}
# ESO 2.x took SSA ownership of .spec.refreshInterval (it normalizes the value),
# which conflicts with terraform's apply of this ExternalSecret. force_conflicts
# lets terraform reassert its spec the interval is semantically identical, so
# this is benign. Surfaced after the ESO 0.12->2.6 migration (2026-06-24); the
# same pattern affects all migrated ExternalSecrets fleet-wide.
field_manager {
force_conflicts = true
}
}
# --- Unified ServiceAccount + RBAC ---