authorChristian Pointner <equinox@spreadspace.org>2020-06-20 05:20:46 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-06-20 05:20:46 +0200
commitb39c3b91269a8482207863234acc298f623deae6 (patch)
tree21e70e6746bb11bdf8e49a8a125271ed8149a894
parentkubernetes: move kubeguard/reset to kubeadm/reset (diff)
kubernetes: add node pruning role
-rw-r--r--common/kubernetes-cluster-cleanup.yml21
-rw-r--r--roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml20
-rw-r--r--roles/kubernetes/kubeadm/base/templates/net_kubeguard/cni.json.j2 (renamed from roles/kubernetes/kubeadm/base/templates/net_kubeguard/k8s.json.j2)4
-rw-r--r--roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j24
-rw-r--r--roles/kubernetes/kubeadm/base/templates/net_kubeguard/interface.service.j2 (renamed from roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-interfaces.service.j2)0
-rw-r--r--roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2 (renamed from roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-peer.service.j2)8
-rw-r--r--roles/kubernetes/kubeadm/prune/tasks/main.yml9
-rw-r--r--roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml (renamed from roles/kubernetes/net/kubeguard/cleanup/tasks/main.yml)4
-rw-r--r--roles/kubernetes/kubeadm/prune/tasks/net_none.yml2
-rw-r--r--roles/kubernetes/kubeadm/reset/tasks/net_kubeguard.yml6
10 files changed, 40 insertions, 38 deletions
diff --git a/common/kubernetes-cluster-cleanup.yml b/common/kubernetes-cluster-cleanup.yml
index 7c10d17c..5647e3d6 100644
--- a/common/kubernetes-cluster-cleanup.yml
+++ b/common/kubernetes-cluster-cleanup.yml
@@ -13,28 +13,19 @@
add_host:
name: "{{ item }}"
inventory_dir: "{{ hostvars[item].inventory_dir }}"
- group: _kubernetes_nodes_remove_
+ group: _kubernetes_nodes_prune_
changed_when: False
- name: drain superflous nodes
- loop: "{{ groups['_kubernetes_nodes_remove_'] | default([]) }}"
+ loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}"
command: "kubectl drain {{ item }} --delete-local-data --force --ignore-daemonsets"
-
-- name: remove nodes from api server
- hosts: _kubernetes_primary_master_
- tasks:
- - name: remove superflous nodes
- loop: "{{ groups['_kubernetes_nodes_remove_'] | default([]) }}"
- command: "kubectl delete node {{ item }}"
-
-- name: cleanup kubeguard connections
+- name: prune superflous nodes from cluster
hosts: _kubernetes_nodes_
roles:
- - role: kubernetes/net/kubeguard/cleanup
- when: hostvars[groups['_kubernetes_primary_master_'][0]].kubernetes_network_plugin == 'kubeguard'
+ - role: kubernetes/kubeadm/prune
-- name: try to clean superflous nodes
- hosts: _kubernetes_nodes_remove_
+- name: wipe superflous nodes
+ hosts: _kubernetes_nodes_prune_
roles:
- role: kubernetes/kubeadm/reset
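Review bot: The pruned node's Node object is deleted by the `kubernetes/kubeadm/prune` role in the `prune superflous nodes from cluster` play while that node's kubelet is still running, and `kubeadm reset` only follows in the final `wipe superflous nodes` play; a kubelet that restarts in between, or whose host turns out to be unreachable for the last play, still holds a valid client certificate and will simply re-register its Node object. The kubeadm removal sequence is drain, reset on the node, then delete the Node object, so consider moving the `wipe superflous nodes` play ahead of the prune play (the network-plugin cleanup in the prune role can still run afterwards). Since kubelet client certificates cannot be revoked, an unreachable host in the wipe play should be treated as a failure of the cleanup rather than silently skipped. Minor: `superflous` → `superfluous` in the play and task names.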
diff --git a/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
index 8c5f5065..37b5030d 100644
--- a/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
+++ b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
@@ -25,26 +25,26 @@
# it must probably be brought down by the old version of the script
- name: generate wireguard private key
- shell: "umask 077; wg genkey > /var/lib/kubeguard/kube-wg0.privatekey"
+ shell: "umask 077; wg genkey > /var/lib/kubeguard/kubeguard-wg0.privatekey"
args:
- creates: /var/lib/kubeguard/kube-wg0.privatekey
+ creates: /var/lib/kubeguard/kubeguard-wg0.privatekey
- name: fetch wireguard public key
- shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
+ shell: "wg pubkey < /var/lib/kubeguard/kubeguard-wg0.privatekey"
register: kubeguard_wireguard_pubkey
changed_when: false
check_mode: no
-- name: install systemd service unit for network interfaces
+- name: install systemd service unit for network interface
template:
- src: net_kubeguard/kubeguard-interfaces.service.j2
- dest: /etc/systemd/system/kubeguard-interfaces.service
+ src: net_kubeguard/interface.service.j2
+ dest: /etc/systemd/system/kubeguard-interface.service
# TODO: notify: reload???
-- name: make sure kubeguard interfaces service is started and enabled
+- name: make sure kubeguard interface service is started and enabled
systemd:
daemon_reload: yes
- name: kubeguard-interfaces.service
+ name: kubeguard-interface.service
state: started
enabled: yes
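Review bot: Renaming the key file from `kube-wg0.privatekey` to `kubeguard-wg0.privatekey` makes the `creates:` guard miss on already-deployed nodes, so `wg genkey` silently mints a new WireGuard identity for every existing node while the old private key stays behind in `/var/lib/kubeguard/`. Every peer's `kubeguard-peer-*.service` still carries the old public key (the `TODO: notify restart for peers that change...` below is unresolved), so the mesh stays broken until all peers are re-templated and restarted; the leftover file is also secret material that nothing in this commit removes. A migration task ahead of the genkey step keeps the existing identity and clears the old path, and `wg genkey` then only runs on genuinely fresh nodes:
```yaml
# … unchanged: comment about the old version of the script …
- name: migrate wireguard private key from pre-rename file name
  command: mv /var/lib/kubeguard/kube-wg0.privatekey /var/lib/kubeguard/kubeguard-wg0.privatekey
  args:
    creates: /var/lib/kubeguard/kubeguard-wg0.privatekey
    removes: /var/lib/kubeguard/kube-wg0.privatekey

- name: generate wireguard private key
# … unchanged: genkey / pubkey / unit installation …
```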
@@ -53,7 +53,7 @@
loop_control:
loop_var: peer
template:
- src: net_kubeguard/kubeguard-peer.service.j2
+ src: net_kubeguard/peer.service.j2
dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
# TODO: notify restart for peers that change...
@@ -80,5 +80,5 @@
- name: install cni config
template:
- src: net_kubeguard/k8s.json.j2
+ src: net_kubeguard/cni.json.j2
dest: /etc/cni/net.d/kubeguard.json
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/k8s.json.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/cni.json.j2
index 65b1357a..eb9e3d61 100644
--- a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/k8s.json.j2
+++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/cni.json.j2
@@ -1,8 +1,8 @@
{
"cniVersion": "0.3.1",
- "name": "k8s",
+ "name": "kubeguard",
"type": "bridge",
- "bridge": "kube-br0",
+ "bridge": "kubeguard-br0",
"isDefaultGateway": true,
"hairpinMode": true,
"ipam": {
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2
index d8153102..f940d413 100644
--- a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2
+++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/ifupdown.sh.j2
@@ -9,12 +9,12 @@ INET_IF="{{ ansible_default_ipv4.interface }}"
POD_NET_CIDR="{{ kubernetes.pod_ip_range }}"
{% set br_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) -%}
-BR_IF="kube-br0"
+BR_IF="kubeguard-br0"
BR_IP="{{ br_net | ipaddr(1) | ipaddr('address') }}"
BR_IP_CIDR="{{ br_net | ipaddr(1) }}"
BR_NET_CIDR="{{ br_net }}"
-TUN_IF="kube-wg0"
+TUN_IF="kubeguard-wg0"
TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubeguard.node_index[inventory_hostname]) }}"
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-interfaces.service.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/interface.service.j2
index 35fc8f90..35fc8f90 100644
--- a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-interfaces.service.j2
+++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/interface.service.j2
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-peer.service.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
index 92300253..c9d96a5a 100644
--- a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/kubeguard-peer.service.j2
+++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
@@ -1,8 +1,8 @@
[Unit]
Description=Kubernetes Network Peer {{ peer }}
After=network.target
-Requires=kubeguard-interfaces.service
-After=kubeguard-interfaces.service
+Requires=kubeguard-interface.service
+After=kubeguard-interface.service
{% set pod_ip_self = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') -%}
{% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[peer]) -%}
@@ -28,8 +28,8 @@ ExecStop=/sbin/ip route del {{ pod_net_peer }}
ExecStop=/sbin/ip link set down dev {{ direct_interface }}
ExecStop=/sbin/ip addr del {{ direct_ip }} dev {{ direct_interface }}
{% else %}
-ExecStart=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
-ExecStop=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} remove
+ExecStart=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
+ExecStop=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} remove
{% endif %}
RemainAfterExit=yes
diff --git a/roles/kubernetes/kubeadm/prune/tasks/main.yml b/roles/kubernetes/kubeadm/prune/tasks/main.yml
new file mode 100644
index 00000000..71ed0d04
--- /dev/null
+++ b/roles/kubernetes/kubeadm/prune/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: remove nodes from api server
+ run_once: true
+ delegate_to: "{{ groups['_kubernetes_primary_master_'] | first }}"
+ loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}"
+ command: "kubectl delete node {{ item }}"
+
+- name: prune network plugin
+ include_tasks: "net_{{ kubernetes_network_plugin }}.yml"
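Review bot: `kubectl delete node {{ item }}` is not idempotent: on a rerun after a partial failure (the Node object already gone, e.g. removed by hand) the command exits non-zero and aborts the cleanup before the network-plugin pruning below ever runs; `command: "kubectl delete node {{ item }} --ignore-not-found"` keeps the task safe to repeat. The `include_tasks: "net_{{ kubernetes_network_plugin }}.yml"` line also resolves the variable on each node in `_kubernetes_nodes_` rather than on the primary master as the removed `cleanup kubeguard connections` play did, so a node where it is unset, or set to a plugin without a `net_*.yml` in this role (only `net_kubeguard.yml` and `net_none.yml` exist in this commit), fails the play with an undefined-variable or missing-file error. Reading it from the master as before, `include_tasks: "net_{{ hostvars[groups['_kubernetes_primary_master_'] | first].kubernetes_network_plugin }}.yml"`, keeps the source of truth consistent with the delete task that delegates to the same host.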
diff --git a/roles/kubernetes/net/kubeguard/cleanup/tasks/main.yml b/roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml
index f15058d2..8a8c7752 100644
--- a/roles/kubernetes/net/kubeguard/cleanup/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml
@@ -1,6 +1,6 @@
---
- name: stop/disable systemd units for stale kubeguard peers
- loop: "{{ groups['_kubernetes_nodes_remove_'] | default([]) }}"
+ loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}"
systemd:
name: "kubeguard-peer-{{ item }}.service"
state: stopped
@@ -8,7 +8,7 @@
failed_when: false
- name: remove systemd units for stale kubeguard peers
- loop: "{{ groups['_kubernetes_nodes_remove_'] | default([]) }}"
+ loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}"
file:
name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service"
state: absent
diff --git a/roles/kubernetes/kubeadm/prune/tasks/net_none.yml b/roles/kubernetes/kubeadm/prune/tasks/net_none.yml
new file mode 100644
index 00000000..94832c38
--- /dev/null
+++ b/roles/kubernetes/kubeadm/prune/tasks/net_none.yml
@@ -0,0 +1,2 @@
+---
+## nothing to do here
diff --git a/roles/kubernetes/kubeadm/reset/tasks/net_kubeguard.yml b/roles/kubernetes/kubeadm/reset/tasks/net_kubeguard.yml
index 03b3f205..bcb48960 100644
--- a/roles/kubernetes/kubeadm/reset/tasks/net_kubeguard.yml
+++ b/roles/kubernetes/kubeadm/reset/tasks/net_kubeguard.yml
@@ -1,13 +1,13 @@
---
- name: check if kubeguard interface service unit exists
stat:
- path: /etc/systemd/system/kubeguard-interfaces.service
+ path: /etc/systemd/system/kubeguard-interface.service
register: kubeguard_interface_unit
- name: bring down kubeguard interface
when: kubeguard_interface_unit.stat.exists
systemd:
- name: kubeguard-interfaces.service
+ name: kubeguard-interface.service
state: stopped
- name: gather list of all kubeguard related service units
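Review bot: The stat and stop tasks now look only for `kubeguard-interface.service`, but a node provisioned before this commit has the unit installed as `kubeguard-interfaces.service` (the base role's own comment notes it "must probably be brought down by the old version of the script"), so on such a node `kubeadm reset` leaves that unit enabled and its `kube-wg0` tunnel, with a still-valid WireGuard key, up after the node has been pruned from the cluster. The stat/stop pair should cover both names, and the `find` patterns in the next task should list `kubeguard-interfaces.service` as well so the old unit file is removed too:
```yaml
- name: check which kubeguard interface service units exist
  loop:
    - kubeguard-interface.service
    - kubeguard-interfaces.service  # name used before the rename
  stat:
    path: "/etc/systemd/system/{{ item }}"
  register: kubeguard_interface_units

- name: bring down kubeguard interface
  loop: "{{ kubeguard_interface_units.results | selectattr('stat.exists') | map(attribute='item') | list }}"
  systemd:
    name: "{{ item }}"
    state: stopped
# … unchanged: gather list of all kubeguard related service units …
```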
@@ -15,7 +15,7 @@
path: /etc/systemd/system/
patterns:
- "kubeguard-peer-*.service"
- - kubeguard-interfaces.service
+ - kubeguard-interface.service
register: kubeguard_units_installed
- name: remove all kubeguard related files and directories