From 990d2a1358c46a06ce31aa69690ba21bb6163f56 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Sat, 9 Nov 2024 15:21:20 +0100 Subject: [PATCH 1/7] Define a standard commandline for applying manifests This is expected to be used in the command module this way: command: cmd: "{{ kubectl_apply_stdin }}" stdin: <... rendered manifests > -> using the 'template' lookup plugin in most cases. The advantages over the kube plugin module integrated in kubespray (which this should replace eventually): - way easier to modify to take advantage of new features (server-side apply for instance) - no need for a separate template tasks + checking the result (which can introduce problem if the first playbook runs encounters an error). --- roles/kubernetes-apps/defaults/main.yml | 2 ++ roles/kubernetes-apps/vars/main.yml | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 roles/kubernetes-apps/defaults/main.yml create mode 100644 roles/kubernetes-apps/vars/main.yml diff --git a/roles/kubernetes-apps/defaults/main.yml b/roles/kubernetes-apps/defaults/main.yml new file mode 100644 index 00000000000..b794a98f422 --- /dev/null +++ b/roles/kubernetes-apps/defaults/main.yml @@ -0,0 +1,2 @@ +--- +namespace: kube-system diff --git a/roles/kubernetes-apps/vars/main.yml b/roles/kubernetes-apps/vars/main.yml new file mode 100644 index 00000000000..88f4a306800 --- /dev/null +++ b/roles/kubernetes-apps/vars/main.yml @@ -0,0 +1,2 @@ +--- +kubectl_apply_stdin: "{{ kubectl }} apply -f - -n {{ namespace }}" From 27ccfc7c6669a25ff07082d82480581874c716bc Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Sat, 9 Nov 2024 15:21:04 +0100 Subject: [PATCH 2/7] Convert dashboard to kubectl_apply_stdin --- .../ansible/tasks/dashboard.yml | 21 ---------------- roles/kubernetes-apps/ansible/tasks/main.yml | 8 ++++++- .../ansible/templates/dashboard.yml.j2 | 24 +++++-------------- 3 files changed, 13 insertions(+), 40 deletions(-) delete mode 100644 roles/kubernetes-apps/ansible/tasks/dashboard.yml 
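Review bot: `namespace: kube-system` in the new `defaults/main.yml` is a role default under the most generic variable name available, and role defaults sit at the bottom of Ansible's precedence order, so any inventory or group_vars variable that happens to be called `namespace` silently redirects every task that relies on this default (later patches make etcd_metrics, CoreDNS and nodelocalDNS depend on it) into another namespace. The per-task `vars: namespace:` overrides used for the dashboard and netchecker would still win, because task vars outrank role vars. Moving the default next to `kubectl_apply_stdin` in `vars/main.yml` (role vars outrank inventory) closes the accidental-override path while keeping the task-level overrides working; if inventory overrides are intended, a role-prefixed name would at least make the collision explicit.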
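Review bot: `{{ namespace }}` is spliced into the `command` string unquoted in `kubectl_apply_stdin: "{{ kubectl }} apply -f - -n {{ namespace }}"`; the `command` module splits `cmd` with shlex rather than a shell, so shell metacharacters are not interpreted, but a value containing whitespace or starting with `-` would be split into extra arguments or an extra kubectl flag. `-n {{ namespace | quote }}` keeps the value a single argument under that shlex split. Separately, everything handed to `stdin:` becomes part of the task's module arguments, which are printed at `-v` and passed to callback plugins, so any template that renders Secret data through this path should carry `no_log: true` (the dashboard Secrets converted in patch 2 have empty data, so this is a forward-looking note). `{{ kubectl }}` is presumably defined elsewhere in the project; the tasks this replaces used `{{ bin_dir }}/kubectl`, so it is worth confirming the variable is in scope for this role.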
diff --git a/roles/kubernetes-apps/ansible/tasks/dashboard.yml b/roles/kubernetes-apps/ansible/tasks/dashboard.yml deleted file mode 100644 index 5872674775a..00000000000 --- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Kubernetes Apps | Lay down dashboard template - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: - - { file: dashboard.yml, type: deploy, name: kubernetes-dashboard } - register: manifests - when: inventory_hostname == groups['kube_control_plane'][0] - -- name: Kubernetes Apps | Start dashboard - kube: - name: "{{ item.item.name }}" - namespace: "{{ dashboard_namespace }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: "{{ manifests.results }}" - when: inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index 18deee8053e..b88b8d89791 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -67,7 +67,13 @@ - netchecker - name: Kubernetes Apps | Dashboard - import_tasks: dashboard.yml + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', 'dashboard.yml.j2') }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + vars: + namespace: "{{ dashboard_namespace }}" when: dashboard_enabled tags: - dashboard diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 index e0b60e75141..3a88010d105 100644 --- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 
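Review bot: The new `command:` task for the dashboard has no `changed_when`, so it reports changed on every playbook run regardless of whether `kubectl apply` touched anything. `kubectl apply` prints `unchanged` per object that was a no-op, so `register: dashboard_apply` with `changed_when: dashboard_apply.stdout_lines | reject('search', 'unchanged') | list | length > 0` restores meaningful change reporting. The same applies to the etcd_metrics, CoreDNS, CoreDNS Secondary, nodelocalDNS and Netchecker conversions in patches 3 to 7. One point to confirm: with `run_once: true` the `lookup('template', ...)` renders against the variables of the first host in the play, not necessarily the delegated control-plane node; that is fine for group-level variables such as `dashboard_namespace` but would matter if a template reads host-specific facts.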
@@ -17,16 +17,15 @@ # # Example usage: kubectl create -f -{% if dashboard_namespace != "kube-system" %} +{% if namespace != 'kube-system' %} --- apiVersion: v1 kind: Namespace metadata: - name: {{ dashboard_namespace }} + name: {{ namespace }} labels: - name: {{ dashboard_namespace }} + name: {{ namespace }} {% endif %} - --- # ------------------- Dashboard Secrets ------------------- # apiVersion: v1 @@ -35,7 +34,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs - namespace: {{ dashboard_namespace }} type: Opaque --- @@ -45,7 +43,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf - namespace: {{ dashboard_namespace }} type: Opaque data: csrf: "" @@ -57,7 +54,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-key-holder - namespace: {{ dashboard_namespace }} type: Opaque --- @@ -68,7 +64,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-settings - namespace: {{ dashboard_namespace }} --- # ------------------- Dashboard Service Account ------------------- # @@ -79,7 +74,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} --- # ------------------- Dashboard Role & Role Binding ------------------- # @@ -89,7 +83,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] @@ -118,7 +111,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -126,7 +118,7 @@ roleRef: subjects: - kind: ServiceAccount name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} + namespace: {{ namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 
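Review bot: With `namespace:` removed from every namespaced object, the rendered manifest only lands in the intended namespace when the caller passes `-n`, which the context line `# Example usage: kubectl create -f` in the first hunk of `dashboard.yml.j2` no longer conveys. Suggest updating that header comment to `# Example usage: render the template, then kubectl apply -n <dashboard namespace> -f -` so a reader does not apply it bare and end up with objects in the default namespace. The `Namespace` object guarded by `{% if namespace != 'kube-system' %}` is cluster-scoped and therefore unaffected by `-n`, so that part stays correct; the remaining `{{ namespace }}` hunks in this file are consistent with the task-level `vars: namespace:` override.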
@@ -140,7 +132,7 @@ roleRef: subjects: - kind: ServiceAccount name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} + namespace: {{ namespace }} --- # ------------------- Dashboard Deployment ------------------- # @@ -151,7 +143,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} spec: replicas: {{ dashboard_replicas }} revisionHistoryLimit: 10 @@ -182,7 +173,7 @@ spec: - containerPort: 8443 protocol: TCP args: - - --namespace={{ dashboard_namespace }} + - --namespace={{ namespace }} {% if dashboard_use_custom_certs %} - --tls-key-file={{ dashboard_tls_key_file }} - --tls-cert-file={{ dashboard_tls_cert_file }} @@ -238,7 +229,6 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: {{ dashboard_namespace }} spec: ports: - port: 443 @@ -270,7 +260,6 @@ metadata: labels: k8s-app: kubernetes-metrics-scraper name: dashboard-metrics-scraper - namespace: {{ dashboard_namespace }} spec: ports: - port: 8000 @@ -287,7 +276,6 @@ metadata: labels: k8s-app: kubernetes-metrics-scraper name: kubernetes-metrics-scraper - namespace: {{ dashboard_namespace }} spec: replicas: 1 revisionHistoryLimit: 10 From 63adac831412886e10e5895c83de46c8f971be71 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Sat, 9 Nov 2024 15:29:05 +0100 Subject: [PATCH 3/7] Convert etcd_metrics to kubectl_apply_stdin --- .../ansible/tasks/etcd_metrics.yml | 22 ------------------- roles/kubernetes-apps/ansible/tasks/main.yml | 9 +++++++- 2 files changed, 8 insertions(+), 23 deletions(-) delete mode 100644 roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml diff --git a/roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml b/roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml deleted file mode 100644 index 580ab66db36..00000000000 --- a/roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -- name: Kubernetes Apps | Lay down etcd_metrics templates - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: - - { file: etcd_metrics-endpoints.yml, type: endpoints, name: etcd-metrics } - - { file: etcd_metrics-service.yml, type: service, name: etcd-metrics } - register: manifests - when: inventory_hostname == groups['kube_control_plane'][0] - -- name: Kubernetes Apps | Start etcd_metrics - kube: - name: "{{ item.item.name }}" - namespace: kube-system - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: "{{ manifests.results }}" - when: inventory_hostname == groups['kube_control_plane'][0] diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index b88b8d89791..75df86a25bc 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -55,7 +55,14 @@ label: "{{ item.item.file }}" - name: Kubernetes Apps | Etcd metrics endpoints - import_tasks: etcd_metrics.yml + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', item) }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + loop: + - etcd_metrics-endpoints.yml.j2 + - etcd_metrics-service.yml.j2 when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined tags: - etcd_metrics From e0c9152bd4cc39a552cde7badef9b9cc87417ff7 Mon Sep 17 00:00:00 2001 
From: Max Gautier Date: Sat, 9 Nov 2024 15:55:34 +0100 Subject: [PATCH 4/7] Convert CoreDNS primary to kubectl_apply_stdin --- .../kubernetes-apps/ansible/tasks/coredns.yml | 28 ------------------- roles/kubernetes-apps/ansible/tasks/main.yml | 22 +++++++++------ roles/kubernetes-apps/ansible/vars/main.yml | 16 +++++++++++ 3 files changed, 29 insertions(+), 37 deletions(-) create mode 100644 roles/kubernetes-apps/ansible/vars/main.yml diff --git a/roles/kubernetes-apps/ansible/tasks/coredns.yml b/roles/kubernetes-apps/ansible/tasks/coredns.yml index 46e2006b999..1f73dabf1cb 100644 --- a/roles/kubernetes-apps/ansible/tasks/coredns.yml +++ b/roles/kubernetes-apps/ansible/tasks/coredns.yml 
@@ -1,32 +1,4 @@ --- -- name: Kubernetes Apps | Lay Down CoreDNS templates - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - loop: - - { name: coredns, file: coredns-clusterrole.yml, type: clusterrole } - - { name: coredns, file: coredns-clusterrolebinding.yml, type: clusterrolebinding } - - { name: coredns, file: coredns-config.yml, type: configmap } - - { name: coredns, file: coredns-deployment.yml, type: deployment } - - { name: coredns, file: coredns-sa.yml, type: sa } - - { name: coredns, file: coredns-svc.yml, type: svc } - - { name: dns-autoscaler, file: dns-autoscaler.yml, type: deployment } - - { name: dns-autoscaler, file: dns-autoscaler-clusterrole.yml, type: clusterrole } - - { name: dns-autoscaler, file: dns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding } - - { name: coredns, file: coredns-poddisruptionbudget.yml, type: poddisruptionbudget, condition: coredns_pod_disruption_budget } - - { name: dns-autoscaler, file: dns-autoscaler-sa.yml, type: sa } - register: coredns_manifests - vars: - clusterIP: "{{ skydns_server }}" - when: - - dns_mode in ['coredns', 'coredns_dual'] - - inventory_hostname == groups['kube_control_plane'][0] - - enable_dns_autoscaler or item.name != 'dns-autoscaler' - - item.condition | default(True) - tags: - - coredns - - name: Kubernetes Apps | Lay Down Secondary CoreDNS Template template: src: "{{ item.src }}.j2" diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index 75df86a25bc..02c44c7e368 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml 
@@ -11,14 +11,6 @@ delay: 1 when: inventory_hostname == groups['kube_control_plane'][0] -- name: Kubernetes Apps | CoreDNS - import_tasks: "coredns.yml" - when: - - dns_mode in ['coredns', 'coredns_dual'] - - inventory_hostname == groups['kube_control_plane'][0] - tags: - - coredns - - name: Kubernetes Apps | nodelocalDNS import_tasks: "nodelocaldns.yml" when: @@ -27,6 +19,19 @@ tags: - nodelocaldns +- name: Kubernetes Apps | CoreDNS + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', item) }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + loop: "{{ coredns_manifests | flatten }}" + tags: + - coredns + vars: + clusterIP: "{{ skydns_server }}" + when: dns_mode in ['coredns', 'coredns_dual'] + - name: Kubernetes Apps | Start Resources kube: name: "{{ item.item.name }}" @@ -36,7 +41,6 @@ filename: "{{ kube_config_dir }}/{{ item.item.file }}" state: "latest" with_items: - - "{{ coredns_manifests.results | default({}) }}" - "{{ coredns_secondary_manifests.results | default({}) }}" - "{{ nodelocaldns_manifests.results | default({}) }}" - "{{ nodelocaldns_second_manifests.results | default({}) }}" diff --git a/roles/kubernetes-apps/ansible/vars/main.yml b/roles/kubernetes-apps/ansible/vars/main.yml new file mode 100644 index 00000000000..80eeaaad9b3 --- /dev/null +++ b/roles/kubernetes-apps/ansible/vars/main.yml @@ -0,0 +1,16 @@ +--- +dns_autoscaler_manifests: +- dns-autoscaler-sa.yml.j2 +- dns-autoscaler.yml.j2 +- dns-autoscaler-clusterrole.yml.j2 +- dns-autoscaler-clusterrolebinding.yml.j2 + +coredns_manifests: +- coredns-clusterrole.yml.j2 +- coredns-clusterrolebinding.yml.j2 +- coredns-config.yml.j2 +- coredns-deployment.yml.j2 +- coredns-sa.yml.j2 +- coredns-svc.yml.j2 +- "{{ dns_autoscaler_manifests if enable_dns_autoscaler else [] }}" +- "{{ coredns-poddisruptionbudget.yml.j2 if coredns_pod_disruption_budget else [] }}" From 4b7125f5be75687e13ef653c673a599b544399ec Mon Sep 17 00:00:00 2001 
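Review bot: The new CoreDNS `command:` task has no `register`/`until`/`retries`, whereas the `Start Resources` task these manifests are removed from (third hunk of `main.yml` in this patch, its body continues outside the hunk) retried four times with a 5 s delay; a transient apiserver error right after bootstrap now fails the play on the first attempt. Adding `register: coredns_apply`, `until: coredns_apply is succeeded`, `retries: 4` and `delay: 5` to the task keeps the previous resilience. The same applies to the CoreDNS Secondary and nodelocalDNS conversions in patches 5 and 6, after which `Start Resources` is deleted entirely and no `kubectl apply` path has a retry left.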
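Review bot: `"{{ coredns-poddisruptionbudget.yml.j2 if coredns_pod_disruption_budget else [] }}"` in the new `vars/main.yml` is not a string literal inside Jinja: it parses as the variable `coredns` minus the attribute chain `poddisruptionbudget.yml.j2`, so with `coredns_pod_disruption_budget` enabled the loop fails on an undefined variable instead of yielding the template name. Quote the literal: `- "{{ 'coredns-poddisruptionbudget.yml.j2' if coredns_pod_disruption_budget else [] }}"`. The same bug appears in `nodelocaldns_manifests` in patch 6 (`nodelocaldns-second-daemonset.yml.j2`). The `dns_autoscaler_manifests` entry is fine because it references a real variable, and `flatten` at the consumers drops the empty lists from the `else` branches.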
From: Max Gautier Date: Sat, 9 Nov 2024 16:03:51 +0100 Subject: [PATCH 5/7] Convert CoreDNS Secondary to kubectl_apply_stdin Note that we're reapplying the RBAC/Sa/Config from coredns which is not strictly necessary, but harmless, when the secondary is enabled. --- .../kubernetes-apps/ansible/tasks/coredns.yml | 22 ------------------- roles/kubernetes-apps/ansible/tasks/main.yml | 16 +++++++++++++- 2 files changed, 15 insertions(+), 23 deletions(-) delete mode 100644 roles/kubernetes-apps/ansible/tasks/coredns.yml diff --git a/roles/kubernetes-apps/ansible/tasks/coredns.yml b/roles/kubernetes-apps/ansible/tasks/coredns.yml deleted file mode 100644 index 1f73dabf1cb..00000000000 --- a/roles/kubernetes-apps/ansible/tasks/coredns.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Kubernetes Apps | Lay Down Secondary CoreDNS Template - template: - src: "{{ item.src }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: - - { name: coredns, src: coredns-deployment.yml, file: coredns-deployment-secondary.yml, type: deployment } - - { name: coredns, src: coredns-svc.yml, file: coredns-svc-secondary.yml, type: svc } - - { name: dns-autoscaler, src: dns-autoscaler.yml, file: coredns-autoscaler-secondary.yml, type: deployment } - - { name: coredns, src: coredns-poddisruptionbudget.yml, file: coredns-poddisruptionbudget-secondary.yml, type: poddisruptionbudget, condition: coredns_pod_disruption_budget } - register: coredns_secondary_manifests - vars: - clusterIP: "{{ skydns_server_secondary }}" - coredns_ordinal_suffix: "-secondary" - when: - - dns_mode == 'coredns_dual' - - inventory_hostname == groups['kube_control_plane'][0] - - enable_dns_autoscaler or item.name != 'dns-autoscaler' - - item.condition | default(True) - tags: - - coredns diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index 02c44c7e368..ea766305b4c 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml 
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -32,6 +32,21 @@ clusterIP: "{{ skydns_server }}" when: dns_mode in ['coredns', 'coredns_dual'] +- name: Kubernetes Apps | CoreDNS Secondary + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', item) }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + loop: "{{ coredns_manifests | flatten }}" + tags: + - coredns + vars: + clusterIP: "{{ skydns_server_secondary }}" + coredns_ordinal_suffix: "-secondary" + when: + - dns_mode == 'coredns_dual' + - name: Kubernetes Apps | Start Resources kube: name: "{{ item.item.name }}" @@ -41,7 +56,6 @@ filename: "{{ kube_config_dir }}/{{ item.item.file }}" state: "latest" with_items: - - "{{ coredns_secondary_manifests.results | default({}) }}" - "{{ nodelocaldns_manifests.results | default({}) }}" - "{{ nodelocaldns_second_manifests.results | default({}) }}" when: From 31e56ab76d6e1d68a917ec9c376e3c3c7777561c Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Sat, 9 Nov 2024 16:21:59 +0100 Subject: [PATCH 6/7] Convert nodelocaldns to kubectl_apply_stdin --- roles/kubernetes-apps/ansible/tasks/main.yml | 58 +++++++------- .../ansible/tasks/nodelocaldns.yml | 79 ------------------- roles/kubernetes-apps/ansible/vars/main.yml | 6 ++ 3 files changed, 35 insertions(+), 108 deletions(-) delete mode 100644 roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index ea766305b4c..8121a7a5857 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml 
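Review bot: The CoreDNS Secondary task loops over the full `coredns_manifests` list, so the ClusterRole, ClusterRoleBinding, ServiceAccount, ConfigMap and dns-autoscaler RBAC templates are rendered a second time with `clusterIP: "{{ skydns_server_secondary }}"` and `coredns_ordinal_suffix: "-secondary"`; the commit message calls this harmless, which holds only if none of those templates use `clusterIP` or the suffix in a way that changes the object's name or content, otherwise the second apply overwrites the primary's object with secondary values. The deleted task applied exactly four templates for the secondary (deployment, svc, dns-autoscaler, poddisruptionbudget), so a separate `coredns_secondary_manifests` list in `vars/main.yml` holding just those four and used by this task's `loop:` would preserve the previous scope and avoid the double apply. Worth confirming against the template sources, which are outside this diff.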
@@ -11,14 +11,6 @@ delay: 1 when: inventory_hostname == groups['kube_control_plane'][0] -- name: Kubernetes Apps | nodelocalDNS - import_tasks: "nodelocaldns.yml" - when: - - enable_nodelocaldns - - inventory_hostname == groups['kube_control_plane'] | first - tags: - - nodelocaldns - - name: Kubernetes Apps | CoreDNS command: cmd: "{{ kubectl_apply_stdin }}" 
@@ -47,30 +39,38 @@ when: - dns_mode == 'coredns_dual' -- name: Kubernetes Apps | Start Resources - kube: - name: "{{ item.item.name }}" - namespace: "kube-system" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: - - "{{ nodelocaldns_manifests.results | default({}) }}" - - "{{ nodelocaldns_second_manifests.results | default({}) }}" +- name: Kubernetes Apps | nodelocalDNS + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', item) }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + loop: "{{ nodelocaldns_manifests | flatten }}" when: - - dns_mode != 'none' - - inventory_hostname == groups['kube_control_plane'][0] - - not item is skipped - register: resource_result - until: resource_result is succeeded - retries: 4 - delay: 5 + - enable_nodelocaldns tags: - - coredns - nodelocaldns - loop_control: - label: "{{ item.item.file }}" + - coredns + vars: + primaryClusterIP: >- + {%- if dns_mode in ['coredns', 'coredns_dual'] -%} + {{ skydns_server }} + {%- elif dns_mode == 'manual' -%} + {{ manual_dns_server }} + {%- endif -%} + secondaryclusterIP: "{{ skydns_server_secondary }}" + forwardTarget: >- + {%- if secondaryclusterIP is defined and dns_mode == 'coredns_dual' -%} + {{ primaryClusterIP }} {{ secondaryclusterIP }} + {%- else -%} + {{ primaryClusterIP }} + {%- endif -%} + upstreamForwardTarget: >- + {%- if upstream_dns_servers is defined and upstream_dns_servers | length > 0 -%} + {{ upstream_dns_servers | join(' ') }} + {%- else -%} + /etc/resolv.conf + {%- endif -%} - name: Kubernetes Apps | Etcd metrics endpoints command: diff --git a/roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml b/roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml deleted file mode 100644 index 7e522e29ec0..00000000000 --- a/roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml +++ /dev/null 
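Review bot: `secondaryclusterIP` is now set unconditionally in the same `vars:` block as `forwardTarget`, so the `secondaryclusterIP is defined and` guard in `forwardTarget` can never be false and the condition reduces to `dns_mode == 'coredns_dual'`; the guard made sense for the old `set_fact`, here it is dead and reads as if the variable might be absent. Simplify to `{%- if dns_mode == 'coredns_dual' -%}`. Note also that `primaryClusterIP` renders to an empty string when `dns_mode` is neither a coredns mode nor `manual`, which then propagates into `forwardTarget`; that matches the deleted `set_fact`, so it is pre-existing, but with the task now guarded only by `enable_nodelocaldns` a `when:` that also requires `dns_mode != 'none'` would avoid applying a config with an empty forward target.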
@@ -1,79 +0,0 @@ ---- -- name: Kubernetes Apps | set up necessary nodelocaldns parameters - set_fact: - # noqa: jinja[spacing] - primaryClusterIP: >- - {%- if dns_mode in ['coredns', 'coredns_dual'] -%} - {{ skydns_server }} - {%- elif dns_mode == 'manual' -%} - {{ manual_dns_server }} - {%- endif -%} - secondaryclusterIP: "{{ skydns_server_secondary }}" - when: - - enable_nodelocaldns - - inventory_hostname == groups['kube_control_plane'] | first - tags: - - nodelocaldns - - coredns - -- name: Kubernetes Apps | Lay Down nodelocaldns Template - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: - - { name: nodelocaldns, file: nodelocaldns-config.yml, type: configmap } - - { name: nodelocaldns, file: nodelocaldns-sa.yml, type: sa } - - { name: nodelocaldns, file: nodelocaldns-daemonset.yml, type: daemonset } - register: nodelocaldns_manifests - vars: - # noqa: jinja[spacing] - forwardTarget: >- - {%- if secondaryclusterIP is defined and dns_mode == 'coredns_dual' -%} - {{ primaryClusterIP }} {{ secondaryclusterIP }} - {%- else -%} - {{ primaryClusterIP }} - {%- endif -%} - upstreamForwardTarget: >- - {%- if upstream_dns_servers is defined and upstream_dns_servers | length > 0 -%} - {{ upstream_dns_servers | join(' ') }} - {%- else -%} - /etc/resolv.conf - {%- endif -%} - when: - - enable_nodelocaldns - - inventory_hostname == groups['kube_control_plane'] | first - tags: - - nodelocaldns - - coredns - -- name: Kubernetes Apps | Lay Down nodelocaldns-secondary Template - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: - - { name: nodelocaldns, file: nodelocaldns-second-daemonset.yml, type: daemonset } - register: nodelocaldns_second_manifests - vars: - # noqa: jinja[spacing] - forwardTarget: >- - {%- if secondaryclusterIP is defined and dns_mode == 'coredns_dual' -%} - {{ primaryClusterIP }} {{ secondaryclusterIP }} - {%- else -%} - {{ 
primaryClusterIP }} - {%- endif -%} - # noqa: jinja[spacing] - upstreamForwardTarget: >- - {%- if upstream_dns_servers is defined and upstream_dns_servers | length > 0 -%} - {{ upstream_dns_servers | join(' ') }} - {%- else -%} - /etc/resolv.conf - {%- endif -%} - when: - - enable_nodelocaldns - - enable_nodelocaldns_secondary - - inventory_hostname == groups['kube_control_plane'] | first - tags: - - nodelocaldns - - coredns diff --git a/roles/kubernetes-apps/ansible/vars/main.yml b/roles/kubernetes-apps/ansible/vars/main.yml index 80eeaaad9b3..9cf56070c56 100644 --- a/roles/kubernetes-apps/ansible/vars/main.yml +++ b/roles/kubernetes-apps/ansible/vars/main.yml @@ -14,3 +14,9 @@ coredns_manifests: - coredns-svc.yml.j2 - "{{ dns_autoscaler_manifests if enable_dns_autoscaler else [] }}" - "{{ coredns-poddisruptionbudget.yml.j2 if coredns_pod_disruption_budget else [] }}" + +nodelocaldns_manifests: +- nodelocaldns-config.yml.j2 +- nodelocaldns-daemonset.yml.j2 +- nodelocaldns-sa.yml.j2 +- "{{ nodelocaldns-second-daemonset.yml.j2 if enable_nodelocaldns_secondary else [] }}" From 7c71f257b4e0611c1fe9a280818d1380c4bc4d2c Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Sat, 9 Nov 2024 23:38:10 +0100 Subject: [PATCH 7/7] Convert netchecker to kubectl_apply_stdin Not that the Apparmor check result is no longer used since the PSP removal. --- roles/kubernetes-apps/ansible/tasks/main.yml | 18 ++++++- .../ansible/tasks/netchecker.yml | 47 ------------------- 2 files changed, 17 insertions(+), 48 deletions(-) delete mode 100644 roles/kubernetes-apps/ansible/tasks/netchecker.yml diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index 8121a7a5857..5622f3b89f5 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml 
@@ -86,10 +86,26 @@ - etcd_metrics - name: Kubernetes Apps | Netchecker - import_tasks: netchecker.yml + command: + cmd: "{{ kubectl_apply_stdin }}" + stdin: "{{ lookup('template', item) }}" + delegate_to: "{{ groups['kube_control_plane'][0] }}" + run_once: true + vars: + namespace: "{{ netcheck_namespace }}" when: deploy_netchecker tags: - netchecker + loop: + - netchecker-ns.yml.j2 + - netchecker-agent-sa.yml.j2 + - netchecker-agent-ds.yml.j2 + - netchecker-agent-hostnet-ds.yml.j2 + - netchecker-server-sa.yml.j2 + - netchecker-server-clusterrole.yml.j2 + - netchecker-server-clusterrolebinding.yml.j2 + - netchecker-server-deployment.yml.j2 + - netchecker-server-svc.yml.j2 - name: Kubernetes Apps | Dashboard command: diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml deleted file mode 100644 index 2cf4b5dc9c0..00000000000 --- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml +++ /dev/null 
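Review bot: The Netchecker task places `loop:` after `when:` and `tags:`, while the sibling CoreDNS and etcd_metrics tasks converted earlier in this series put `loop:` directly after `run_once:` and before `when:`; keeping one key order across the five converted tasks makes them easier to diff against each other. The deleted `netchecker.yml` also set the `apparmor_enabled` fact, and the commit message states it is unused since the PSP removal; since the nine `netchecker-*.yml.j2` templates are outside this diff, it is worth confirming none of them still references `apparmor_enabled`, as an undefined-variable error would now surface only at render time on a `deploy_netchecker` run.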
@@ -1,47 +0,0 @@ ---- -- name: Kubernetes Apps | Check AppArmor status - command: which apparmor_parser - register: apparmor_status - when: - - inventory_hostname == groups['kube_control_plane'][0] - failed_when: false - -- name: Kubernetes Apps | Set apparmor_enabled - set_fact: - apparmor_enabled: "{{ apparmor_status.rc == 0 }}" - when: - - inventory_hostname == groups['kube_control_plane'][0] - -- name: Kubernetes Apps | Netchecker Templates list - set_fact: - netchecker_templates: - - {file: netchecker-ns.yml, type: ns, name: netchecker-namespace} - - {file: netchecker-agent-sa.yml, type: sa, name: netchecker-agent} - - {file: netchecker-agent-ds.yml, type: ds, name: netchecker-agent} - - {file: netchecker-agent-hostnet-ds.yml, type: ds, name: netchecker-agent-hostnet} - - {file: netchecker-server-sa.yml, type: sa, name: netchecker-server} - - {file: netchecker-server-clusterrole.yml, type: clusterrole, name: netchecker-server} - - {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server} - - {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server} - - {file: netchecker-server-svc.yml, type: svc, name: netchecker-service} - -- name: Kubernetes Apps | Lay Down Netchecker Template - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: "0644" - with_items: "{{ netchecker_templates }}" - register: manifests - when: - - inventory_hostname == groups['kube_control_plane'][0] - -- name: Kubernetes Apps | Start Netchecker Resources - kube: - name: "{{ item.item.name }}" - namespace: "{{ netcheck_namespace }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: "{{ manifests.results }}" - when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped