fix master taint implementation - linting problems (#95)

* add virtual-ip to certificate SAN entries

Adds the kube-vip virtual IP as a Subject Alternative Name in the API server's TLS certificate. It is needed because otherwise the certificate does not cover the virtual IP and clients connecting to the cluster through that address fail TLS verification.

* fixes bug with master taints (#1)

- improves taint logic

* fixes typo

* fixes formatting

* fixes undefined group['node'] if missing from hosts.ini (#2)

* fixes undefined group['node'] if missing from hosts.ini

- improves application of master taint by centralizing code

* improves molecule testing, fixes linting

* hacking at linter problems, small tweaks

- increases the metallb timeout error due to intermittent testing errors in GitHub actions

* improves context by renaming taint variable

- makes variable boolean

* fix bug

* removes linting hacks

Co-authored-by: Ioannis Angelakopoulos <ioangel@gmail.com>
Ioannis Angelakopoulos 2022-09-25 04:12:24 +03:00 committed by GitHub
parent d5b37acd8a
commit cd76fa05a7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 12 additions and 12 deletions


@ -22,16 +22,19 @@ k3s_token: "some-SUPER-DEDEUPER-secret-password"
# it for each of your hosts, though. # it for each of your hosts, though.
k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}' k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
k3s_single_node: "{{ 'true' if groups['k3s_cluster'] | length == 1 else 'false' }}" # Disable the taint manually by setting: k3s_master_taint = false
k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}"
# these arguments are recommended for servers as well as agents: # these arguments are recommended for servers as well as agents:
extra_args: >- extra_args: >-
--flannel-iface={{ flannel_iface }} --flannel-iface={{ flannel_iface }}
--node-ip={{ k3s_node_ip }} --node-ip={{ k3s_node_ip }}
# change these to your liking, the only required one is --disable servicelb # change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
extra_server_args: >- extra_server_args: >-
{{ extra_args }} {{ extra_args }}
{{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
--tls-san {{ apiserver_endpoint }}
--disable servicelb --disable servicelb
--disable traefik --disable traefik
extra_agent_args: >- extra_agent_args: >-
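Review bot: The new `--node-taint` line in `extra_server_args` tests `if k3s_master_taint` with plain Jinja truthiness, so a user who disables the taint the way the new comment suggests but ends up with a string value (`-e k3s_master_taint=false` on the command line, or `k3s_master_taint=false` in an INI inventory) still gets the taint, because the non-empty string "false" is truthy; use `{{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint | bool else '' }}`. The new comment also spells the override in a non-YAML form; it should read `# Disable the taint manually by setting: k3s_master_taint: false`. Separately, `node-role.kubernetes.io/master` is the legacy control-plane taint key (upstream Kubernetes replaced it with `node-role.kubernetes.io/control-plane`), so confirm that the workloads expected to run on server nodes, such as the MetalLB controller whose tolerations this commit edits, tolerate the key actually applied here rather than only the `control-plane` one.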


@ -36,6 +36,8 @@
# the default has IPv4 ranges only. # the default has IPv4 ranges only.
extra_server_args: >- extra_server_args: >-
{{ extra_args }} {{ extra_args }}
--tls-san {{ apiserver_endpoint }}
{{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
--disable servicelb --disable servicelb
--disable traefik --disable traefik
--disable-network-policy --disable-network-policy
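Review bot: The added taint line uses `if k3s_master_taint` without `| bool`, so any string-valued override of the variable ("false" from `-e` extra-vars or an INI inventory) is truthy and the taint is applied anyway; write `{{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint | bool else '' }}` so a quoted "false" disables it as intended. The `extra_server_args` folded scalar may continue past the end of this hunk, so the remaining arguments are not visible here.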


@ -64,8 +64,7 @@
cmd: "systemd-run -p RestartSec=2 \ cmd: "systemd-run -p RestartSec=2 \
-p Restart=on-failure \ -p Restart=on-failure \
--unit=k3s-init \ --unit=k3s-init \
k3s server {{ server_init_args }} \ k3s server {{ server_init_args }}"
{{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}}"
creates: "{{ systemd_dir }}/k3s.service" creates: "{{ systemd_dir }}/k3s.service"
args: args:
warn: false # The ansible systemd module does not support transient units warn: false # The ansible systemd module does not support transient units


@ -7,7 +7,7 @@ After=network-online.target
Type=notify Type=notify
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }} {{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}} ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }}
KillMode=process KillMode=process
Delegate=yes Delegate=yes
# Having non-zero Limit*s causes performance problems due to accounting overhead # Having non-zero Limit*s causes performance problems due to accounting overhead


@ -1648,8 +1648,6 @@ spec:
- effect: NoSchedule - effect: NoSchedule
key: node-role.kubernetes.io/control-plane key: node-role.kubernetes.io/control-plane
operator: Exists operator: Exists
- key: CriticalAddonsOnly
operator: Exists
--- ---
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration


@ -69,8 +69,6 @@ spec:
operator: Exists operator: Exists
- effect: NoExecute - effect: NoExecute
operator: Exists operator: Exists
- key: CriticalAddonsOnly
operator: Exists
updateStrategy: {} updateStrategy: {}
status: status:
currentNumberScheduled: 0 currentNumberScheduled: 0


@ -28,9 +28,9 @@
command: >- command: >-
k3s kubectl wait {{ item.resource }} k3s kubectl wait {{ item.resource }}
--namespace='metallb-system' --namespace='metallb-system'
{% if item.name | default(False) -%} {{ item.name }} {%- endif %} {% if item.name | default(False) -%}{{ item.name }}{%- endif %}
{% if item.selector | default(False) -%} --selector='{{ item.selector }}' {%- endif %} {% if item.selector | default(False) -%}--selector='{{ item.selector }}'{%- endif %}
{% if item.condition | default(False) -%} {{ item.condition }} {%- endif %} {% if item.condition | default(False) -%}{{ item.condition }}{%- endif %}
--timeout='{{ metal_lb_available_timeout }}' --timeout='{{ metal_lb_available_timeout }}'
changed_when: false changed_when: false
run_once: true run_once: true