From 86953b2ac4eec87ff38fa07466c6741328d40389 Mon Sep 17 00:00:00 2001 From: cyril-corbon Date: Tue, 11 Jan 2022 18:14:26 +0100 Subject: [PATCH] fix: add tolerations / affinity to cert-manager (#8389) Signed-off-by: Cyril Corbon --- .../sample/group_vars/k8s_cluster/addons.yml | 18 ++++++++++ .../cert_manager/defaults/main.yml | 3 ++ .../templates/cert-manager.yml.j2 | 36 +++++++++++++++++++ 3 files changed, 57 insertions(+) diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml index 8ae1df7e5..d43c90e2d 100644 --- a/inventory/sample/group_vars/k8s_cluster/addons.yml +++ b/inventory/sample/group_vars/k8s_cluster/addons.yml @@ -130,6 +130,24 @@ ingress_alb_enabled: false # Cert manager deployment cert_manager_enabled: false # cert_manager_namespace: "cert-manager" +# cert_manager_tolerations: +# - key: node-role.kubernetes.io/master +# effect: NoSchedule +# - key: node-role.kubernetes.io/control-plane +# effect: NoSchedule +# cert_manager_affinity: +# nodeAffinity: +# preferredDuringSchedulingIgnoredDuringExecution: +# - weight: 100 +# preference: +# matchExpressions: +# - key: node-role.kubernetes.io/control-plane +# operator: In +# values: +# - "" +# cert_manager_nodeselector: +# kubernetes.io/os: "linux" + # cert_manager_trusted_internal_ca: | # -----BEGIN CERTIFICATE----- # [REPLACE with your CA certificate] diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml index 58c09e6a9..74fbb52d7 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml @@ -1,3 +1,6 @@ --- cert_manager_namespace: "cert-manager" cert_manager_user: 1001 +cert_manager_tolerations: [] +cert_manager_affinity: {} +cert_manager_nodeselector: {} 
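Review bot: The commented sample in the addons.yml hunk steers cert-manager onto control-plane nodes without saying why or what it costs. It tolerates the `node-role.kubernetes.io/master` and `node-role.kubernetes.io/control-plane` NoSchedule taints and prefers the control-plane label. Those taints are what keep add-on workloads off the hosts running the API server and etcd, so uncommenting the block as-is changes control-plane isolation. A comment above the sample would cover it, for example `# Example only: schedules cert-manager on control-plane nodes; leave unset to keep add-ons off them`. The same comment could state that these three variables apply to every pod spec the template patches, since the template hunks reuse them unchanged.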
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 index 96cfccf26..011042230 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 @@ -874,6 +874,18 @@ spec: fieldPath: metadata.namespace resources: {} +{% if cert_manager_tolerations %} + tolerations: + {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} +{% endif %} +{% if cert_manager_nodeselector %} + nodeSelector: + {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }} +{% endif %} +{% if cert_manager_affinity %} + affinity: + {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }} +{% endif %} --- {% if cert_manager_trusted_internal_ca is defined %} apiVersion: v1 @@ -939,6 +951,18 @@ spec: fieldPath: metadata.namespace resources: {} +{% if cert_manager_tolerations %} + tolerations: + {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} +{% endif %} +{% if cert_manager_nodeselector %} + nodeSelector: + {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }} +{% endif %} +{% if cert_manager_affinity %} + affinity: + {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }} +{% endif %} {% if cert_manager_trusted_internal_ca is defined %} volumeMounts: - mountPath: /etc/ssl/certs/internal-ca.pem 
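Review bot: The same twelve-line block is pasted into all three template hunks (-874, -939, -1023), and only the tolerations line passes `indent=2` to `to_nice_yaml`. The `nodeSelector` and `affinity` lines use the filter's default, so a nested `cert_manager_affinity` renders with a different nesting step than the surrounding manifest. Writing `{{ cert_manager_affinity | to_nice_yaml(indent=2) | indent(width=8) }}`, and likewise for the node selector, keeps the output uniform. A short Jinja comment above each block should also note that the first rendered line takes its indentation from the literal spaces before `{{`, because `indent` leaves the first line alone. Leading whitespace is not recoverable in this view, so the 8-space alignment should be confirmed against a rendered manifest.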
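Review bot: In the -939 hunk the new `tolerations`, `nodeSelector` and `affinity` keys are inserted between the container's `resources` and the conditional `volumeMounts:` that follows, and `volumeMounts` is a container field rather than a pod-spec field. Indentation is lost in this view, but if the new keys sit at pod-spec level as in the other two hunks, the rendered `volumeMounts:` no longer continues the container mapping. That would happen whenever `cert_manager_trusted_internal_ca` is defined and any of the three variables is non-empty. The manifest would then either fail to parse or deploy without `/etc/ssl/certs/internal-ca.pem` mounted. Moving the three `{% if %}` blocks below the end of the trusted-CA section of this pod spec keeps the container fields contiguous; that section continues past the end of the hunk, so the exact insertion point needs checking in the full template.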
@@ -1023,6 +1047,18 @@ spec: fieldPath: metadata.namespace resources: {} +{% if cert_manager_tolerations %} + tolerations: + {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} +{% endif %} +{% if cert_manager_nodeselector %} + nodeSelector: + {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }} +{% endif %} +{% if cert_manager_affinity %} + affinity: + {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }} +{% endif %} --- # Source: cert-manager/templates/webhook-mutating-webhook.yaml apiVersion: admissionregistration.k8s.io/v1