MetalLB: update to v0.10.2 #7925

Merged
merged 1 commit into from
Sep 1, 2021
5 changes: 2 additions & 3 deletions inventory/sample/group_vars/k8s_cluster/addons.yml
Expand Up @@ -157,11 +157,10 @@ metallb_speaker_enabled: true
# operator: "Equal"
# value: ""
# effect: "NoSchedule"
# metallb_version: v0.9.6
# metallb_version: v0.10.2
# metallb_protocol: "layer2"
# metallb_port: "7472"
# metallb_limits_cpu: "100m"
# metallb_limits_mem: "100Mi"
# metallb_memberlist_port: "7946"
# metallb_additional_address_pools:
# kube_service_pool:
# ip_range:
7 changes: 4 additions & 3 deletions roles/kubernetes-apps/metallb/defaults/main.yml
@@ -1,17 +1,18 @@
---
metallb_enabled: false
metallb_version: v0.9.6
metallb_version: v0.10.2
metallb_protocol: "layer2"
metallb_port: "7472"
metallb_limits_cpu: "100m"
metallb_limits_mem: "100Mi"
metallb_memberlist_port: "7946"
metallb_peers: []
metallb_speaker_enabled: true
metallb_speaker_nodeselector: {}
metallb_controller_nodeselector: {}
metallb_speaker_tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
metallb_controller_tolerations: []
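Review bot: `metallb_memberlist_port: "7946"` is added to the defaults without a comment saying what it feeds, and the only other mention is the commented-out line in the sample inventory. The template in this PR renders the variable into the PodSecurityPolicy `hostPorts` range and into the speaker DaemonSet `containerPort` entries, so an operator changing it affects more than one resource. A one-line comment above the key, such as `# memberlist gossip port; rendered into the PSP hostPorts and the speaker containerPorts`, would make that visible at the point where it is overridden. Quoting the value as a string is consistent with `metallb_port` above it.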
22 changes: 0 additions & 22 deletions roles/kubernetes-apps/metallb/tasks/main.yml
Expand Up @@ -50,25 +50,3 @@
with_items: "{{ rendering.results }}"
when:
- "inventory_hostname == groups['kube_control_plane'][0]"

- name: Kubernetes Apps | Check existing secret of MetalLB
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist"
register: metallb_secret
become: true
ignore_errors: true # noqa ignore-errors
when:
- inventory_hostname == groups['kube_control_plane'][0]

- name: Kubernetes Apps | Create random bytes for MetalLB
command: "openssl rand -base64 32"
register: metallb_rand
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0

- name: Kubernetes Apps | Install secret of MetalLB if not existing
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}"
become: true
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0
88 changes: 68 additions & 20 deletions roles/kubernetes-apps/metallb/templates/metallb.yml.j2
Expand Up @@ -58,9 +58,7 @@ metadata:
spec:
allowPrivilegeEscalation: false
allowedCapabilities:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
allowedHostPaths: []
defaultAddCapabilities: []
defaultAllowPrivilegeEscalation: false
Expand All @@ -72,6 +70,8 @@ spec:
hostPorts:
- max: {{ metallb_port }}
min: {{ metallb_port }}
- max: {{ metallb_memberlist_port }}
min: {{ metallb_memberlist_port }}
privileged: true
readOnlyRootFilesystem: true
requiredDropCapabilities:
Expand Down Expand Up @@ -121,7 +121,6 @@ rules:
- get
- list
- watch
- update
- apiGroups:
- ''
resources:
Expand Down Expand Up @@ -162,6 +161,13 @@ rules:
- get
- list
- watch
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
Expand Down Expand Up @@ -212,6 +218,37 @@ rules:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- create
- apiGroups:
- ''
resources:
- secrets
resourceNames:
- memberlist
verbs:
- list
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- controller
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
Expand Down Expand Up @@ -275,6 +312,21 @@ subjects:
- kind: ServiceAccount
name: speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: controller
subjects:
- kind: ServiceAccount
name: controller
---
{% if metallb_speaker_enabled %}
apiVersion: apps/v1
kind: DaemonSet
Expand Down Expand Up @@ -316,36 +368,32 @@ spec:
fieldRef:
fieldPath: status.podIP
# needed when another software is also using memberlist / port 7946
# when changing this default you also need to update the container ports definition
# and the PodSecurityPolicy hostPorts definition
#- name: METALLB_ML_BIND_PORT
# value: "7946"
# value: "{{ metallb_memberlist_port }}"
- name: METALLB_ML_LABELS
value: "app=metallb,component=speaker"
- name: METALLB_ML_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METALLB_ML_SECRET_KEY
valueFrom:
secretKeyRef:
name: memberlist
key: secretkey
image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: speaker
ports:
- containerPort: {{ metallb_port }}
name: monitoring
resources:
limits:
cpu: {{ metallb_limits_cpu }}
memory: {{ metallb_limits_mem }}
- containerPort: {{ metallb_memberlist_port }}
name: memberlist-tcp
- containerPort: {{ metallb_memberlist_port }}
name: memberlist-udp
protocol: UDP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
drop:
- ALL
readOnlyRootFilesystem: true
Expand Down Expand Up @@ -399,16 +447,16 @@ spec:
- args:
- --port={{ metallb_port }}
- --config=config
env:
- name: METALLB_ML_SECRET_NAME
value: memberlist
- name: METALLB_DEPLOYMENT
value: controller
image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: controller
ports:
- containerPort: {{ metallb_port }}
name: monitoring
resources:
limits:
cpu: {{ metallb_limits_cpu }}
memory: {{ metallb_limits_mem }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
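Review bot: In the speaker DaemonSet hunk (`@@ -316,36 +368,32 @@`) `metallb_memberlist_port` is rendered into the `memberlist-tcp` and `memberlist-udp` `containerPort` entries, and in the PodSecurityPolicy hunk into `hostPorts`, but the `METALLB_ML_BIND_PORT` env entry that would make the speaker bind that port stays commented out, so the speaker presumably keeps its built-in default of 7946 while the declared ports follow the variable. An operator who overrides the variable would then get `containerPort`/`hostPorts` values that do not match the port actually in use, and the PSP would no longer admit the real one. Either uncomment the entry so it reads `- name: METALLB_ML_BIND_PORT` / `value: "{{ metallb_memberlist_port }}"`, or document the variable as not changing the bind port; the speaker container spec starts and ends outside this hunk. Separately, the new `controller` Role grants `create` on all secrets in `metallb-system` without a `resourceNames` restriction, which is inherent to how RBAC handles `create` and matches the upstream manifest, but a comment such as `# create cannot be scoped by resourceNames; controller writes the memberlist secret` would keep a later least-privilege review from reading it as an oversight.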