techno-tim · timothystewart6 · Sep 25, 2022 · Sep 18, 2022 · Sep 19, 2022 · Sep 19, 2022
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -21,7 +21,7 @@ jobs:
  python-version: '3.x'
 
  - name: Install test dependencies
- run: pip3 install yamllint ansible-lint ansible
+ run: pip3 install yamllint ansible-lint ansible netaddr jmespath
 
  - name: Run yamllint
  run: yamllint .

diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
@@ -22,16 +22,18 @@ k3s_token: "some-SUPER-DEDEUPER-secret-password"
 # it for each of your hosts, though.
 k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
 
-k3s_single_node: "{{ 'true' if groups['k3s_cluster'] | length == 1 else 'false' }}"
+k3s_node_exists: "{{ 'true' if groups['node'] | default([]) | length >= 1 else 'false' }}"
 
 # these arguments are recommended for servers as well as agents:
 extra_args: >-
  --flannel-iface={{ flannel_iface }}
  --node-ip={{ k3s_node_ip }}
 
-# change these to your liking, the only required one is --disable servicelb
+# change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
 extra_server_args: >-
  {{ extra_args }}
+ {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_node_exists | bool else '' }}
+ --tls-san {{ apiserver_endpoint }}
  --disable servicelb
  --disable traefik
 extra_agent_args: >-

diff --git a/molecule/ipv6/overrides.yml b/molecule/ipv6/overrides.yml
@@ -36,6 +36,8 @@
  # the default has IPv4 ranges only.
  extra_server_args: >-
  {{ extra_args }}
+ --tls-san {{ apiserver_endpoint }}
+ {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_node_exists | bool else '' }}
  --disable servicelb
  --disable traefik
  --disable-network-policy

diff --git a/molecule/resources/verify/from_outside/tasks/test/deploy-example.yml b/molecule/resources/verify/from_outside/tasks/test/deploy-example.yml
@@ -34,7 +34,10 @@
 
  - name: Assert that the nginx welcome page is available
  ansible.builtin.uri:
- url: http:https://{{ ip | ansible.utils.ipwrap }}:{{ port }}/
+ # The default value here fixes ansible-lint error:
+ # 'jinja:Unrecognized type <<class 'ansible.template.AnsibleUndefined'>> for ipwrap filter <value>'
+ # If by any chanche we reach the default case, we have already failed, so it will not save the task!
+ url: http:https://{{ ip | default([]) | ansible.utils.ipwrap }}:{{ port }}/
  return_content: yes
  register: result
  failed_when: "'Welcome to nginx!' not in result.content"

diff --git a/molecule/resources/verify/from_outside/tasks/test/get-nodes.yml b/molecule/resources/verify/from_outside/tasks/test/get-nodes.yml
@@ -11,8 +11,10 @@
  success_msg: "Found nodes as expected: {{ found_nodes }}"
  fail_msg: "Expected nodes {{ expected_nodes }}, but found nodes {{ found_nodes }}"
  vars:
+ # The check if variable is 'defined' fixes linting error:
+ # jinja: Error in jmespath.search in json_query filter plugin: 'cluster_nodes' is undefined
  found_nodes: >-
- {{ cluster_nodes | json_query('resources[*].metadata.name') | unique | sort }}
+ {{ cluster_nodes is defined and cluster_nodes | json_query('resources[*].metadata.name') | unique | sort }}
  expected_nodes: |-
  {{
  (

diff --git a/roles/k3s/master/tasks/main.yml b/roles/k3s/master/tasks/main.yml
@@ -64,8 +64,7 @@
  cmd: "systemd-run -p RestartSec=2 \
  -p Restart=on-failure \
  --unit=k3s-init \
- k3s server {{ server_init_args }} \
- {{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}}"
+ k3s server {{ server_init_args }}"
  creates: "{{ systemd_dir }}/k3s.service"
  args:
  warn: false # The ansible systemd module does not support transient units
@@ -153,10 +152,13 @@
  owner: "{{ ansible_user }}"
  mode: "u=rw,g=,o="
 
-- name: Configure kubectl cluster to https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443
+# The default value here fixes ansible-lint error:
+# 'jinja:Unrecognized type <<class 'ansible.template.AnsibleUndefined'>> for ipwrap filter <value>'
+# If by any chanche we reach the default case, we have already failed, so it will not save the task!
+- name: Configure kubectl cluster to https://{{ apiserver_endpoint | default([]) | ansible.utils.ipwrap }}:6443
  command: >-
  k3s kubectl config set-cluster default
- --server=https://{{ apiserver_endpoint | ansible.utils.ipwrap }}:6443
+ --server=https://{{ apiserver_endpoint | default([]) | ansible.utils.ipwrap }}:6443
  --kubeconfig ~{{ ansible_user }}/.kube/config
  changed_when: true
 

diff --git a/roles/k3s/master/templates/k3s.service.j2 b/roles/k3s/master/templates/k3s.service.j2
@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }} {{ '--node-taint CriticalAddonsOnly=true:NoExecute' if k3s_single_node|bool == false else ''}}
+ExecStart=/usr/local/bin/k3s server {{ extra_server_args | default("") }}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead

diff --git a/roles/k3s/master/templates/metallb.crds.j2 b/roles/k3s/master/templates/metallb.crds.j2
@@ -1648,8 +1648,6 @@ spec:
  - effect: NoSchedule
  key: node-role.kubernetes.io/control-plane
  operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration

diff --git a/roles/k3s/master/templates/vip.yaml.j2 b/roles/k3s/master/templates/vip.yaml.j2
@@ -69,8 +69,6 @@ spec:
  operator: Exists
  - effect: NoExecute
  operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
  updateStrategy: {}
 status:
  currentNumberScheduled: 0

diff --git a/roles/k3s/post/defaults/main.yml b/roles/k3s/post/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
 # Timeout to wait for MetalLB services to come up
-metal_lb_available_timeout: 60s
+metal_lb_available_timeout: 120s
diff --git a/roles/k3s/post/tasks/main.yml b/roles/k3s/post/tasks/main.yml
@@ -28,9 +28,9 @@
  command: >-
  k3s kubectl wait {{ item.resource }}
  --namespace='metallb-system'
- {% if item.name | default(False) -%} {{ item.name }} {%- endif %}
- {% if item.selector | default(False) -%} --selector='{{ item.selector }}' {%- endif %}
- {% if item.condition | default(False) -%} {{ item.condition }} {%- endif %}
+ {% if item.name | default(False) -%}{{ item.name }}{%- endif %}
+ {% if item.selector | default(False) -%}--selector='{{ item.selector }}'{%- endif %}
+ {% if item.condition | default(False) -%}{{ item.condition }}{%- endif %}
  --timeout='{{ metal_lb_available_timeout }}'
  changed_when: false
  run_once: true