authorChristian Pointner <equinox@spreadspace.org>2023-05-14 04:10:08 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-05-14 04:10:08 +0200
commit3f2eae6e3d167c231805b88f9ec624c2f8d5b88c (patch)
tree3c0a014cd20b919e77c0c6bf4ea141dcaef0c8c3
parentkubernetes: fix sanity checks (diff)
kubernetes/kubeadm: nuke all bootstrap tokens on cluster-cleanup
-rw-r--r--common/kubernetes-cluster-cleanup.yml10
-rw-r--r--inventory/group_vars/k8s-chtest/vars.yml75
-rw-r--r--roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j24
3 files changed, 46 insertions, 43 deletions
diff --git a/common/kubernetes-cluster-cleanup.yml b/common/kubernetes-cluster-cleanup.yml
index 69a9fc7e..5c2fac45 100644
--- a/common/kubernetes-cluster-cleanup.yml
+++ b/common/kubernetes-cluster-cleanup.yml
@@ -19,6 +19,16 @@
kubernetes_node_name: "{{ item[0] }}"
changed_when: False
+ - name: get list of bootstrap-tokens
+ command: "kubeadm token list --show-managed-fields -o jsonpath='{.token};'"
+ changed_when: False
+ check_mode: no
+ register: kubeadm_token_list_json
+
+ - name: delete all bootstrap tokens
+ loop: "{{ kubeadm_token_list_json.stdout | split(';') | reject('==', '') }}"
+ command: "kubeadm token delete {{ item }}"
+
- name: prune superflous nodes from cluster
hosts: _kubernetes_nodes_
roles:
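Review bot: Both new tasks write the bootstrap token secrets into Ansible's output: `kubeadm_token_list_json.stdout` registers the full `<id>.<secret>` values, and the delete loop prints each `item` as the task label, so every token ends up in the playbook log (and any CI log capture) before it is removed. A token whose `kubeadm token delete` fails remains a valid node-join credential while its value sits in that log. Add `no_log: true` to both tasks, or at minimum `loop_control: label: "{{ item.split('.') | first }}"` on the delete task so only the non-secret token ID is printed; with `no_log` a failure message is also hidden, so keep `changed_when: False` and let a non-zero exit fail the play. Whether these tasks run on a single control-plane host depends on the play header, which is outside the hunk.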
diff --git a/inventory/group_vars/k8s-chtest/vars.yml b/inventory/group_vars/k8s-chtest/vars.yml
index 2aa63de7..8ffa66b8 100644
--- a/inventory/group_vars/k8s-chtest/vars.yml
+++ b/inventory/group_vars/k8s-chtest/vars.yml
@@ -6,54 +6,51 @@ kubernetes_cri_tools_pkg_version: 1.26.0-00
kubernetes_container_runtime: containerd
containerd_pkg_provider: docker-com
+
### Kube-Router
#
-#kubernetes_network_plugin: kube-router
-#kubernetes_network_plugin_version: 1.5.1
-#kubernetes_network_plugin_replaces_kube_proxy: yes
-#kubernetes_enable_nodelocal_dnscache: yes
-
+kubernetes_network_plugin: kube-router
+kubernetes_network_plugin_version: 1.5.1
+kubernetes_network_plugin_replaces_kube_proxy: yes
+kubernetes_enable_nodelocal_dnscache: yes
### kubeguard
#
-kubernetes_network_plugin: kubeguard
-kubernetes_network_plugin_replaces_kube_proxy: no
-kubernetes_enable_nodelocal_dnscache: yes
-kubeguard:
- ## node_index must be in the range between 1 and 190 -> 189 hosts possible
- ##
- ## hardcoded hostnames are not nice but if we do this via host_vars
- ## the info is spread over multiple files and this makes it more diffcult
- ## to find mistakes, so it is nicer to keep it in one place...
- node_index:
- ch-calypso: 125
- ch-thetys: 126
- ch-k8s-ctrl: 127
-kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ansible.utils.ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
-
+#kubernetes_network_plugin: kubeguard
+#kubernetes_network_plugin_replaces_kube_proxy: no
+#kubernetes_enable_nodelocal_dnscache: yes
+#kubeguard:
+# ## node_index must be in the range between 1 and 190 -> 189 hosts possible
+# ##
+# ## hardcoded hostnames are not nice but if we do this via host_vars
+# ## the info is spread over multiple files and this makes it more diffcult
+# ## to find mistakes, so it is nicer to keep it in one place...
+# node_index:
+# ch-calypso: 125
+# ch-thetys: 126
+# ch-k8s-ctrl: 127
+#kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ansible.utils.ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
### Cilium
#
-# kubernetes_network_plugin: cilium
-# kubernetes_network_plugin_version: 1.13.2
-# kubernetes_network_plugin_replaces_kube_proxy: yes
-# kubernetes_enable_nodelocal_dnscache: no
-# kubernetes_cilium_config:
-# ipam: kubernetes
-# tunnel: disabled
-# ipv4-native-routing-cidr: 192.168.28.0/24
-# auto-direct-node-routes: yes
-# base_sysctl_config_user:
-# net.ipv4.conf.all.rp_filter: 0
-# net.ipv4.conf.default.rp_filter: 0
-
-
-#### None
+#kubernetes_network_plugin: cilium
+#kubernetes_network_plugin_version: 1.13.2
+#kubernetes_network_plugin_replaces_kube_proxy: yes
+#kubernetes_enable_nodelocal_dnscache: no
+#kubernetes_cilium_config:
+# ipam: kubernetes
+# tunnel: disabled
+# ipv4-native-routing-cidr: 192.168.28.0/24
+# auto-direct-node-routes: yes
+#base_sysctl_config_user:
+# net.ipv4.conf.all.rp_filter: 0
+# net.ipv4.conf.default.rp_filter: 0
+
+### None
#
-# kubernetes_network_plugin: none
-# kubernetes_network_plugin_replaces_kube_proxy: yes
-# kubernetes_enable_nodelocal_dnscache: no
-
+#kubernetes_network_plugin: none
+#kubernetes_network_plugin_replaces_kube_proxy: yes
+#kubernetes_enable_nodelocal_dnscache: no
kubernetes:
diff --git a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
index b58c4d02..9aba276c 100644
--- a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
+++ b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
@@ -2,10 +2,6 @@
{# #}
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
-{# it's easier to extract the bootstap token from separate `kubeadm token create` call #}
-{# so make sure the token created by init expires fast #}
-bootstrapTokens:
-- ttl: "1s"
localAPIEndpoint:
bindPort: 6442
{% if kubernetes_overlay_node_ip is defined %}
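Review bot: Removing the `bootstrapTokens` entry means `kubeadm init` now creates its automatic bootstrap token with kubeadm's default TTL (24h) rather than one that expires immediately, and nothing in this hunk deletes it. The removed comment states the join token is obtained from a separate `kubeadm token create`, so the init-created token would be an unused but valid node-join credential for a day; the new cluster-cleanup tasks only run during an explicit cleanup, not after init. Unless the role deletes this token elsewhere outside this diff, keep a short-lived entry such as `bootstrapTokens:` / `- ttl: "1m"` (with the original explanatory comment), or run `kubeadm token delete` on the init token right after init. Skipping the `bootstrap-token` phase via `skipPhases` is not a substitute, as that phase also sets up the cluster-info and CSR-approval RBAC that later joins rely on.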