feat: switch to kube-vip (#90)

* feat: switch to kube-vip * fix role defaults * convert to kube-vip * fix handler * fix: handle missing apiserver case * add conversion code * remove bindIP fixes
vexxhost · Dec 8, 2023 · 551188d · 551188d
1 parent c649e18
commit 551188d
Show file tree

Hide file tree

Showing 8 changed files with 189 additions and 8 deletions.
diff --git a/playbooks/site.yml b/playbooks/site.yml
@@ -16,13 +16,9 @@
   hosts: "{{ kubernetes_control_plane_group | default('controllers') }}"
   become: true
   roles:
-    - role: keepalived
+    - role: kube_vip
       tags:
-        - keepalived
-
-    - role: haproxy
-      tags:
-        - haproxy
+        - kube-vip
 
 - name: Install Kubernetes
   hosts: "{{ kubernetes_group | default('all') }}"

diff --git a/roles/kube_vip/README.md b/roles/kube_vip/README.md
@@ -0,0 +1 @@
+# `kube_vip`
diff --git a/roles/kube_vip/defaults/main.yml b/roles/kube_vip/defaults/main.yml
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Image to use for kube-vip
+kube_vip_image: ghcr.io/kube-vip/kube-vip:v0.6.4
+
+# Interface to use for kube-vip
+kube_vip_interface: "{{ keepalived_interface | default(kubernetes_keepalived_interface) }}"
+
+# IP address to use for kube-vip
+kube_vip_address: "{{ keepalived_vip | default(kubernetes_keepalived_vip) }}"
diff --git a/roles/kube_vip/handlers/main.yml b/roles/kube_vip/handlers/main.yml
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Restart "kubelet" service
+  ansible.builtin.service:
+    name: kubelet
+    state: restarted
diff --git a/roles/kube_vip/meta/main.yml b/roles/kube_vip/meta/main.yml
@@ -0,0 +1,33 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+  author: VEXXHOST, Inc.
+  description: kube-vip for kubeadm
+  license: Apache-2.0
+  min_ansible_version: 5.5.0
+  standalone: false
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+
+dependencies:
+  - role: vexxhost.containers.directory
+    directory_path: /etc/kubernetes/manifests
diff --git a/roles/kube_vip/tasks/main.yml b/roles/kube_vip/tasks/main.yml
@@ -0,0 +1,48 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Uninstall legacy HA stack
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/keepalived/keepalived.conf
+    - /etc/keepalived/check_apiserver.sh
+    - /etc/kubernetes/manifests/keepalived.yaml
+    - /etc/haproxy/haproxy.cfg
+    - /etc/kubernetes/manifests/haproxy.yaml
+  notify:
+    - Restart "kubelet" service
+
+- name: Switch API server to run on port 6443
+  ignore_errors: true
+  ansible.builtin.replace:
+    path: /etc/kubernetes/manifests/kube-apiserver.yaml
+    regexp: "16443"
+    replace: "6443"
+  register: kube_vip_port_change
+  failed_when: kube_vip_port_change.rc != 0 and kube_vip_port_change.rc != 257
+  notify:
+    - Restart "kubelet" service
+
+- name: Upload Kubernetes manifest
+  ansible.builtin.template:
+    src: kube-vip.yaml.j2
+    dest: /etc/kubernetes/manifests/kube-vip.yaml
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
diff --git a/roles/kube_vip/templates/kube-vip.yaml.j2 b/roles/kube_vip/templates/kube-vip.yaml.j2
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  name: kube-vip
+  namespace: kube-system
+spec:
+  containers:
+  - args:
+    - manager
+    env:
+    - name: vip_arp
+      value: "true"
+    - name: port
+      value: "6443"
+    - name: vip_interface
+      value: "{{ kube_vip_interface }}"
+    - name: vip_cidr
+      value: "32"
+    - name: cp_enable
+      value: "true"
+    - name: cp_namespace
+      value: kube-system
+    - name: vip_ddns
+      value: "false"
+    - name: svc_enable
+      value: "true"
+    - name: svc_leasename
+      value: plndr-svcs-lock
+    - name: vip_leaderelection
+      value: "true"
+    - name: vip_leasename
+      value: plndr-cp-lock
+    - name: vip_leaseduration
+      value: "5"
+    - name: vip_renewdeadline
+      value: "3"
+    - name: vip_retryperiod
+      value: "1"
+    - name: address
+      value: "{{ kube_vip_address }}"
+    - name: prometheus_server
+      value: :2112
+    image: "{{ kube_vip_image | vexxhost.kubernetes.docker_image('ref') }}"
+    imagePullPolicy: Always
+    name: kube-vip
+    resources: {}
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    volumeMounts:
+    - mountPath: /etc/kubernetes/admin.conf
+      name: kubeconfig
+  hostAliases:
+  - hostnames:
+    - kubernetes
+    ip: 127.0.0.1
+  hostNetwork: true
+  volumes:
+  - hostPath:
+      path: /etc/kubernetes/admin.conf
+    name: kubeconfig
+status: {}
diff --git a/roles/kubernetes/templates/kubeadm.yaml.j2 b/roles/kubernetes/templates/kubeadm.yaml.j2
@@ -3,7 +3,6 @@ apiVersion: kubeadm.k8s.io/v1beta2
 kind: InitConfiguration
 localAPIEndpoint:
   advertiseAddress: "{{ kubernetes_node_ip }}"
-  bindPort: 16443
 nodeRegistration:
   kubeletExtraArgs:
 {% if kubernetes_allow_unsafe_swap %}
@@ -37,7 +36,6 @@ discovery:
 controlPlane:
   localAPIEndpoint:
     advertiseAddress: "{{ kubernetes_node_ip }}"
-    bindPort: 16443
   certificateKey: {{ kubernetes_kubeadm_init_upload_certs.stdout_lines[-1] | trim }}
 {% endif %}
 {% endif %}