From cd76fa05a736e2f0b046e742d133143e4e6d4edb Mon Sep 17 00:00:00 2001
From: Ioannis Angelakopoulos
Date: Sun, 25 Sep 2022 04:12:24 +0300
Subject: [PATCH] fix master taint implementation - linting problems (#95)

* add virtual-ip to certificate SAN entries
Adds the kube-vip IP as a Subject Alternative Name in the TLS cert. It is needed otherwise you cannot access the cluster.
* fixes bug with master taints (#1) - improves taint logic
* fixes typo
* fixes formatting
* fixes undefined group['node'] if missing from hosts.ini (#2)
* fixes undefined group['node'] if missing from hosts.ini - improves application of master taint by centralizing code
* improves molecule testing, fixes linting
* hacking at linter problems, small tweaks - increases the metallb timeout error due to intermittent testing errors in GitHub actions
* improves context by renaming taint variable - makes variable boolean
* fix bug
* removes linting hacks
Co-authored-by: Ioannis Angelakopoulos
---
 inventory/sample/group_vars/all.yml | 7 +++++--
 molecule/ipv6/overrides.yml | 2 ++
 roles/k3s/master/tasks/main.yml | 3 +--
 roles/k3s/master/templates/k3s.service.j2 | 2 +-
 roles/k3s/master/templates/metallb.crds.j2 | 2 --
 roles/k3s/master/templates/vip.yaml.j2 | 2 --
 roles/k3s/post/tasks/main.yml | 6 +++---
 7 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index ea99993..40ff3e7 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -22,16 +22,19 @@ k3s_token: "some-SUPER-DEDEUPER-secret-password"
 # it for each of your hosts, though.
 k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
-k3s_single_node: "{{ 'true' if groups['k3s_cluster'] | length == 1 else 'false' }}"
+# Disable the taint manually by setting: k3s_master_taint = false
+k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}"
 # these arguments are recommended for servers as well as agents:
 extra_args: >-
   --flannel-iface={{ flannel_iface }}
   --node-ip={{ k3s_node_ip }}
-# change these to your liking, the only required one is --disable servicelb
+# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
 extra_server_args: >-
   {{ extra_args }}
+  {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
+  --tls-san {{ apiserver_endpoint }}
   --disable servicelb
   --disable traefik
 extra_agent_args: >-
diff --git a/molecule/ipv6/overrides.yml b/molecule/ipv6/overrides.yml
index ae1717a..fea629e 100644
--- a/molecule/ipv6/overrides.yml
+++ b/molecule/ipv6/overrides.yml
@@ -36,6 +36,8 @@
 # the default has IPv4 ranges only.
 extra_server_args: >-
   {{ extra_args }}
+  --tls-san {{ apiserver_endpoint }}
+  {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
   --disable servicelb
   --disable traefik
   --disable-network-policy
diff --git a/roles/k3s/master/tasks/main.yml b/roles/k3s/master/tasks/main.yml
index 6a40a98..44d4201 100644
--- a/roles/k3s/master/tasks/main.yml
+++ b/roles/k3s/master/tasks/main.yml
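Review bot: The new `k3s_master_taint` is consumed as a bare Jinja truth test (`if k3s_master_taint`) on the added `--node-taint` line of `extra_server_args`, so a string override such as `-e k3s_master_taint=false` from the command line, which the comment above it invites, stays truthy and the taint is still applied. Coerce at the point of use, `{{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint | bool else '' }}`, here and on the matching line added to molecule/ipv6/overrides.yml. The default expression also renders to a string through the quoted template; Ansible normally converts `True`/`False` back to a boolean, but `| bool` removes the dependence on that conversion and matches the "makes variable boolean" intent in the description.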
@@ -64,8 +64,7 @@
       cmd: "systemd-run -p RestartSec=2 \
         -p Restart=on-failure \
         --unit=k3s-init \
-        k3s server {{ server_init_args }} \
-        {{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}}"
+        k3s server {{ server_init_args }}"
       creates: "{{ systemd_dir }}/k3s.service"
     args:
       warn: false  # The ansible systemd module does not support transient units
diff --git a/roles/k3s/master/templates/k3s.service.j2 b/roles/k3s/master/templates/k3s.service.j2
index 33dd0e8..ae5cb48 100644
--- a/roles/k3s/master/templates/k3s.service.j2
+++ b/roles/k3s/master/templates/k3s.service.j2
@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }} {{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}}
+ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead
diff --git a/roles/k3s/master/templates/metallb.crds.j2 b/roles/k3s/master/templates/metallb.crds.j2
index 1bdda5a..809733b 100644
--- a/roles/k3s/master/templates/metallb.crds.j2
+++ b/roles/k3s/master/templates/metallb.crds.j2
@@ -1648,8 +1648,6 @@ spec:
       - effect: NoSchedule
         key: node-role.kubernetes.io/control-plane
         operator: Exists
-      - key: CriticalAddonsOnly
-        operator: Exists
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
diff --git a/roles/k3s/master/templates/vip.yaml.j2 b/roles/k3s/master/templates/vip.yaml.j2
index e964046..2629398 100644
--- a/roles/k3s/master/templates/vip.yaml.j2
+++ b/roles/k3s/master/templates/vip.yaml.j2
@@ -69,8 +69,6 @@ spec:
         operator: Exists
       - effect: NoExecute
         operator: Exists
-      - key: CriticalAddonsOnly
-        operator: Exists
   updateStrategy: {}
 status:
   currentNumberScheduled: 0
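Review bot: The bootstrap command now depends on `server_init_args` alone, and that variable is defined outside this hunk, so it is worth confirming that it already carries `extra_server_args`; if it does not, the first server is initialised by the transient k3s-init unit without `--tls-san {{ apiserver_endpoint }}` and without the master taint, and only picks them up once k3s.service replaces it. A one-line comment above `cmd:` naming the variable that now supplies the SAN and taint flags would make that dependency visible to the next reader. The task's `name:` and the rest of its definition start before the hunk.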
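Review bot: The taint that now reaches this `ExecStart` through `extra_server_args` uses the key `node-role.kubernetes.io/master`, while the toleration kept in metallb.crds.j2 by this same patch matches only `node-role.kubernetes.io/control-plane`, so on a tainted master that workload would no longer be scheduled unless a `master` toleration sits above the visible part of the list (upstream metallb manifests do carry one, so this may be fine, but it should be checked). Kubernetes has been moving from the `master` to the `control-plane` role name, which argues for aligning the taint key with the toleration rather than the other way round. Nodes provisioned with the previous unit presumably still carry `CriticalAddonsOnly=true:NoExecute`, and since the `CriticalAddonsOnly` toleration is dropped in metallb.crds.j2, those pods would be evicted from existing masters after an upgrade; the kube-vip DaemonSet in vip.yaml.j2 appears unaffected because it tolerates any NoExecute taint. A sentence in the description about removing the old taint from existing nodes, or a task that does so, would cover that path.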
diff --git a/roles/k3s/post/tasks/main.yml b/roles/k3s/post/tasks/main.yml
index 0b296d9..a838885 100644
--- a/roles/k3s/post/tasks/main.yml
+++ b/roles/k3s/post/tasks/main.yml
@@ -28,9 +28,9 @@
   command: >-
     k3s kubectl wait {{ item.resource }}
     --namespace='metallb-system'
-    {% if item.name | default(False) -%} {{ item.name }} {%- endif %}
-    {% if item.selector | default(False) -%} --selector='{{ item.selector }}' {%- endif %}
-    {% if item.condition | default(False) -%} {{ item.condition }} {%- endif %}
+    {% if item.name | default(False) -%}{{ item.name }}{%- endif %}
+    {% if item.selector | default(False) -%}--selector='{{ item.selector }}'{%- endif %}
+    {% if item.condition | default(False) -%}{{ item.condition }}{%- endif %}
     --timeout='{{ metal_lb_available_timeout }}'
   changed_when: false
   run_once: true
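Review bot: The `name` and `condition` conditionals in the `command:` block are now pure whitespace-controlled wrappers around a value, so a plain default reads more simply and produces the same output for undefined or empty values: `{{ item.name | default('') }}` and `{{ item.condition | default('') }}`. The `selector` line is the only one that adds text around the value and is reasonably kept as an `if`. The folded scalar joins these lines with single spaces, so the removed padding spaces inside the `{% %}` tags do not change the rendered command, which is worth stating in the description since the hunk otherwise looks like a behaviour change. The task's `name:` and `loop:` are outside the hunk.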