fix: kubectl binary copy works through bastion and cross-platform #1339
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -182,71 +182,82 @@ | |||||||
| gpu_operator_preinstalled_nvidia_software|default(true) | ||||||||
| - container_manager is defined and container_manager == "docker" | ||||||||
|
|
||||||||
| # Manage kubectl binary | ||||||||
| # Manage kubectl binary — handles cross-platform (e.g., Linux cluster → macOS controller) | ||||||||
| - hosts: kube_control_plane | ||||||||
| gather_facts: false | ||||||||
| vars: | ||||||||
| ansible_become: no | ||||||||
| tasks: | ||||||||
| - name: copy kubectl binary to ansible host | ||||||||
| synchronize: | ||||||||
| mode: pull | ||||||||
| - name: detect ansible host platform | ||||||||
| command: uname -sm | ||||||||
| register: local_uname | ||||||||
| delegate_to: localhost | ||||||||
| run_once: true | ||||||||
| changed_when: false | ||||||||
|
|
||||||||
| - name: detect remote platform | ||||||||
| command: uname -sm | ||||||||
| register: remote_uname | ||||||||
| run_once: true | ||||||||
| changed_when: false | ||||||||
|
|
||||||||
| - name: copy kubectl binary to ansible host (matching platform) | ||||||||
| fetch: | ||||||||
| src: "/usr/local/bin/kubectl" | ||||||||
| dest: "{{ artifacts_dir }}/kubectl" | ||||||||
| flat: yes | ||||||||
| run_once: true | ||||||||
| when: local_uname.stdout == remote_uname.stdout | ||||||||
|
|
||||||||
| - name: get kubectl version for cross-platform download | ||||||||
| command: /usr/local/bin/kubectl version --client -o json | ||||||||
| register: kubectl_ver_json | ||||||||
| run_once: true | ||||||||
|
||||||||
| run_once: true | |
| run_once: true | |
| changed_when: false |
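Review bot: The `get kubectl version for cross-platform download` task, as shown here, carries `run_once: true` but no `when:` condition, so it also runs when `local_uname.stdout == remote_uname.stdout` and the fetched binary is used as-is. Gate it on the inverse of the fetch condition, `when: local_uname.stdout != remote_uname.stdout`, and apply the same condition to any later task that consumes `kubectl_ver_json`, so the download path only executes when the platforms actually differ.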
Copilot
AI
Feb 20, 2026
The cross-platform `get_url` download runs on localhost but doesn't pass `proxy_env`. If this repo is configured to run behind an HTTP(S) proxy (as many other tasks do), this download will fail; consider adding `environment: "{{ proxy_env if proxy_env is defined else {} }}"` to this task.
| force: yes | |
| force: yes | |
| environment: "{{ proxy_env if proxy_env is defined else {} }}" |
Copilot
AI
Feb 20, 2026
This downloads an executable kubectl binary but doesn't verify integrity (no checksum). Consider fetching the published SHA256 for the selected version/arch and using get_url's checksum parameter to reduce supply-chain risk.
`fetch` doesn't guarantee the fetched file is executable on the controller. Since later tasks execute `{{ artifacts_dir }}/kubectl`, ensure you set mode `0755` on the fetched file (e.g., follow the existing pattern used after `fetch` in `roles/netapp-trident/tasks/main.yml`).
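One way the checksum and file-mode suggestions in the review comments above could look as tasks. This is an added example, not code from the PR or from its reviewers. It reuses `local_uname`, `remote_uname`, `kubectl_ver_json`, `artifacts_dir` and `proxy_env` from the diff and comments; the `kubectl_*` variables and the `dl.k8s.io` release URL layout are assumptions of the example.

```yaml
# Added example; the kubectl_* vars and the download URL layout are assumptions.
- name: download kubectl for the controller platform, verified against its published SHA256
  delegate_to: localhost
  run_once: true
  when: local_uname.stdout != remote_uname.stdout
  vars:
    # Map `uname -sm` output (e.g. "Darwin arm64") to release naming.
    # An unknown OS or architecture fails templating instead of guessing.
    kubectl_os_map: {Linux: linux, Darwin: darwin}
    kubectl_arch_map: {x86_64: amd64, aarch64: arm64, arm64: arm64}
    kubectl_os: "{{ kubectl_os_map[local_uname.stdout.split()[0]] }}"
    kubectl_arch: "{{ kubectl_arch_map[local_uname.stdout.split()[1]] }}"
    kubectl_version: "{{ (kubectl_ver_json.stdout | from_json).clientVersion.gitVersion }}"
    kubectl_url: "https://dl.k8s.io/release/{{ kubectl_version }}/bin/{{ kubectl_os }}/{{ kubectl_arch }}/kubectl"
  get_url:
    url: "{{ kubectl_url }}"
    dest: "{{ artifacts_dir }}/kubectl"
    # get_url fetches the checksum file and fails the task on a mismatch.
    checksum: "sha256:{{ kubectl_url }}.sha256"
    mode: "0755"
    force: yes
  environment: "{{ proxy_env if proxy_env is defined else {} }}"

- name: make the fetched kubectl executable on the controller (matching platform)
  delegate_to: localhost
  run_once: true
  when: local_uname.stdout == remote_uname.stdout
  file:
    path: "{{ artifacts_dir }}/kubectl"
    mode: "0755"
```

Taking the hash from the same origin as the binary catches corrupted or truncated downloads; pinning known hashes per version in the repository is the stronger control against a tampered origin.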