From 823c9dff3b9b89bd6a8be0186c8302286e743ae1 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 16 May 2023 20:44:28 +0200
Subject: kubernetes: implement kube-proxy in ipvs mode
---
 inventory/group_vars/k8s-chtest/vars.yml | 3 ++-
 inventory/group_vars/kubernetes-cluster/vars.yml | 1 +
 roles/kubernetes/kubeadm/base/tasks/main.yml | 11 +++++++++++
 .../kubeadm/control-plane/templates/kubeadm-init.config.j2 | 6 ++++++
 4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/k8s-chtest/vars.yml b/inventory/group_vars/k8s-chtest/vars.yml
index edc7e232..3ab3fe7a 100644
--- a/inventory/group_vars/k8s-chtest/vars.yml
+++ b/inventory/group_vars/k8s-chtest/vars.yml
@@ -35,11 +35,12 @@ kubernetes_secrets:
 # kubernetes_network_plugin: kubeguard
 kubernetes_network_plugin_replaces_kube_proxy: no
+kubernetes_kube_proxy_mode: ipvs
 kubernetes_enable_nodelocal_dnscache: yes
 kubeguard:
 ## Mind that pod_ip_range and service_ip_range overlap and kubeguard
 ## needs a /24 for addresses assigned to tunnel devices. This means that
- ## node_indeces must be in the range between 1 and 191 -> 189 hosts possible
+ ## node_indeces must be in the range between 1 and 191 -> 190 hosts possible
 ##
 ## hardcoded hostnames are not nice but if we do this via host_vars
 ## the info is spread over multiple files and this makes it more diffcult
diff --git a/inventory/group_vars/kubernetes-cluster/vars.yml b/inventory/group_vars/kubernetes-cluster/vars.yml
index 5cc246ec..868dc1ab 100644
--- a/inventory/group_vars/kubernetes-cluster/vars.yml
+++ b/inventory/group_vars/kubernetes-cluster/vars.yml
@@ -3,3 +3,4 @@ kubernetes_node_name: "{{ inventory_hostname }}"
 kubernetes_network_plugin_replaces_kube_proxy: no
 kubernetes_enable_nodelocal_dnscache: yes
+# kubernetes_kube_proxy_mode: ipvs
diff --git a/roles/kubernetes/kubeadm/base/tasks/main.yml b/roles/kubernetes/kubeadm/base/tasks/main.yml
index 75c1187a..e339fbcb 100644
--- a/roles/kubernetes/kubeadm/base/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/base/tasks/main.yml
@@ -72,3 +72,14 @@
 - name: prepare network plugin
 include_tasks: "net_{{ kubernetes_network_plugin }}.yml"
+
+- name: install extra packages for kube-proxy ipvs mode
+ when:
+ - not kubernetes_network_plugin_replaces_kube_proxy
+ - kubernetes_kube_proxy_mode is defined
+ - kubernetes_kube_proxy_mode == 'ipvs'
+ apt:
+ name:
+ - ipvsadm
+ - ipset
+ state: present
diff --git a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
index 9aba276c..3f6794dc 100644
--- a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
+++ b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2
@@ -58,3 +58,9 @@ cgroupDriver: systemd
 clusterDNS:
 - "{{ kubernetes_nodelocal_dnscache_ip }}"
 {% endif %}
+{% if not kubernetes_network_plugin_replaces_kube_proxy and kubernetes_kube_proxy_mode is defined %}
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+mode: {{ kubernetes_kube_proxy_mode }}
+{% endif %}
--
cgit v1.2.3
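Review bot: The new task at the end of roles/kubernetes/kubeadm/base/tasks/main.yml installs only the `ipvsadm` and `ipset` userspace packages, and nothing in this hunk ensures or checks that the IPVS kernel modules are available on the node. Whether kube-proxy actually ends up running in ipvs mode therefore presumably depends on it loading the modules itself; if that is the intent, a comment above the task should say so, e.g. `# kernel modules are loaded by kube-proxy itself; these packages provide the host-side tooling` (wording to be confirmed by the author). As a style point, the two variable conditions can be merged into one: `- kubernetes_kube_proxy_mode | default('') == 'ipvs'`. The task file begins outside the hunk, so an earlier module-loading step cannot be ruled out from here.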
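Review bot: The `mode:` line in kubeadm-init.config.j2 renders `kubernetes_kube_proxy_mode` unquoted and unvalidated, and its guard only tests `is defined`, while the package task in base/tasks/main.yml fires only on the exact value `'ipvs'`. An empty or mistyped value would thus reach the KubeProxyConfiguration document with the ipvs packages skipped, and how an unrecognised mode is then handled is not visible in this patch. Quoting the value, `mode: "{{ kubernetes_kube_proxy_mode }}"`, and failing early on anything outside the supported set (an `assert` task in the role would do) turns a typo into a deploy-time error rather than a silent change in how service traffic is proxied and filtered on the nodes. Only the init template is touched here, so the setting presumably takes effect on newly initialised clusters only; the commented default in inventory/group_vars/kubernetes-cluster/vars.yml would be a good place to state that and the accepted values.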