MetalLB: update to v0.10.2 (#7925)

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
This commit is contained in:
Maciej Wereski 2021-09-01 12:00:59 +02:00 committed by GitHub
parent 0171c71de0
commit 48ceca4919
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 74 additions and 48 deletions


@ -157,11 +157,10 @@ metallb_speaker_enabled: true
# operator: "Equal"
# value: ""
# effect: "NoSchedule"
# metallb_version: v0.9.6
# metallb_version: v0.10.2
# metallb_protocol: "layer2"
# metallb_port: "7472"
# metallb_limits_cpu: "100m"
# metallb_limits_mem: "100Mi"
# metallb_memberlist_port: "7946"
# metallb_additional_address_pools:
# kube_service_pool:
# ip_range:


@ -1,10 +1,9 @@
---
metallb_enabled: false
metallb_version: v0.9.6
metallb_version: v0.10.2
metallb_protocol: "layer2"
metallb_port: "7472"
metallb_limits_cpu: "100m"
metallb_limits_mem: "100Mi"
metallb_memberlist_port: "7946"
metallb_peers: []
metallb_speaker_enabled: true
metallb_speaker_nodeselector: {}
@ -12,6 +11,8 @@ metallb_controller_nodeselector: {}
metallb_speaker_tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
metallb_controller_tolerations: []


@ -50,25 +50,3 @@
with_items: "{{ rendering.results }}"
when:
- "inventory_hostname == groups['kube_control_plane'][0]"
- name: Kubernetes Apps | Check existing secret of MetalLB
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist"
register: metallb_secret
become: true
ignore_errors: true # noqa ignore-errors
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Kubernetes Apps | Create random bytes for MetalLB
command: "openssl rand -base64 32"
register: metallb_rand
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0
- name: Kubernetes Apps | Install secret of MetalLB if not existing
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}"
become: true
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0


@ -58,9 +58,7 @@ metadata:
spec:
allowPrivilegeEscalation: false
allowedCapabilities:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
allowedHostPaths: []
defaultAddCapabilities: []
defaultAllowPrivilegeEscalation: false
@ -72,6 +70,8 @@ spec:
hostPorts:
- max: {{ metallb_port }}
min: {{ metallb_port }}
- max: {{ metallb_memberlist_port }}
min: {{ metallb_memberlist_port }}
privileged: true
readOnlyRootFilesystem: true
requiredDropCapabilities:
@ -121,7 +121,6 @@ rules:
- get
- list
- watch
- update
- apiGroups:
- ''
resources:
@ -162,6 +161,13 @@ rules:
- get
- list
- watch
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
@ -212,6 +218,37 @@ rules:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- create
- apiGroups:
- ''
resources:
- secrets
resourceNames:
- memberlist
verbs:
- list
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- controller
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
@ -275,6 +312,21 @@ subjects:
- kind: ServiceAccount
name: speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: controller
subjects:
- kind: ServiceAccount
name: controller
---
{% if metallb_speaker_enabled %}
apiVersion: apps/v1
kind: DaemonSet
@ -316,36 +368,32 @@ spec:
fieldRef:
fieldPath: status.podIP
# needed when another software is also using memberlist / port 7946
# when changing this default you also need to update the container ports definition
# and the PodSecurityPolicy hostPorts definition
#- name: METALLB_ML_BIND_PORT
# value: "7946"
# value: "{{ metallb_memberlist_port }}"
- name: METALLB_ML_LABELS
value: "app=metallb,component=speaker"
- name: METALLB_ML_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METALLB_ML_SECRET_KEY
valueFrom:
secretKeyRef:
name: memberlist
key: secretkey
image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: speaker
ports:
- containerPort: {{ metallb_port }}
name: monitoring
resources:
limits:
cpu: {{ metallb_limits_cpu }}
memory: {{ metallb_limits_mem }}
- containerPort: {{ metallb_memberlist_port }}
name: memberlist-tcp
- containerPort: {{ metallb_memberlist_port }}
name: memberlist-udp
protocol: UDP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
drop:
- ALL
readOnlyRootFilesystem: true
@ -399,16 +447,16 @@ spec:
- args:
- --port={{ metallb_port }}
- --config=config
env:
- name: METALLB_ML_SECRET_NAME
value: memberlist
- name: METALLB_DEPLOYMENT
value: controller
image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: controller
ports:
- containerPort: {{ metallb_port }}
name: monitoring
resources:
limits:
cpu: {{ metallb_limits_cpu }}
memory: {{ metallb_limits_mem }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
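Review bot: The memberlist port is now taken from `metallb_memberlist_port` for the PodSecurityPolicy `hostPorts` range and for the speaker's `memberlist-tcp`/`memberlist-udp` container ports, but the env entry that presumably makes the speaker bind that port stays commented out in the DaemonSet hunk (`#- name: METALLB_ML_BIND_PORT` / `#  value: "{{ metallb_memberlist_port }}"`), so a non-default value changes the declared ports and the allowed hostPort range without changing what memberlist actually listens on. Either enable it as `- name: METALLB_ML_BIND_PORT` and `  value: "{{ metallb_memberlist_port }}"` so the three definitions stay in step, or state in the comment above it that the variable must stay at its default of 7946. A second thing to confirm is that the capabilities the speaker container adds (the NET_ADMIN, NET_RAW and SYS_ADMIN lines in the same hunk) match the PSP's `allowedCapabilities` after this change, since the rendered page does not show which of those lines are old and which are new and a mismatch makes admission reject the speaker pods. A minor style point in the rules hunk: `- apiGroups: ["discovery.k8s.io"]` is the only rule in flow style, where every neighbouring rule writes `- apiGroups:` followed by a block-style item.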