Add option to [not] install coredns via Kubespray

2025-12-14 13:54:37 +03:00 · 2025-05-15 14:38:55 +02:00
8 changed files with 67 additions and 66 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -59,6 +59,33 @@ before_script:
    - pre-commit            # lint
    - vagrant-validate      # lint

+# For failfast, at least 1 job must be defined in .gitlab-ci.yml
+# Premoderated with manual actions
+ci-not-authorized:
+  stage: build
+  before_script: []
+  after_script: []
+  rules:
+    # LGTM or ok-to-test labels
+    - if: $PR_LABELS =~ /.*,(lgtm|approved|ok-to-test).*|^(lgtm|approved|ok-to-test).*/i
+      variables:
+        CI_OK_TO_TEST: '0'
+      when: always
+    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger"
+      variables:
+        CI_OK_TO_TEST: '0'
+    - if: $CI_COMMIT_BRANCH == "master"
+      variables:
+        CI_OK_TO_TEST: '0'
+    - when: always
+      variables:
+        CI_OK_TO_TEST: '1'
+  script:
+    - exit $CI_OK_TO_TEST
+  tags:
+    - ffci
+  needs: []
+
 include:
  - .gitlab-ci/build.yml
  - .gitlab-ci/lint.yml
--- a/.gitlab-ci/kubevirt.yml
+++ b/.gitlab-ci/kubevirt.yml
@@ -55,7 +55,6 @@ pr:
          - ubuntu22-calico-all-in-one
          - ubuntu22-calico-all-in-one-upgrade
          - ubuntu24-calico-etcd-datastore
-          - ubuntu24-ha-separate-etcd

 # The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu20-calico-all-in-one:
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -98,6 +98,28 @@
  loop_control:
    label: "{{ item.item }}"

+# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
+# TODO: fix certs generation to have the same file everywhere
+# OR work with kubeadm on node-specific config
+- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
+  file:
+    state: link
+    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
+    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
+    mode: "0640"
+  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
+  vars:
+    suffixes:
+      - ''
+      - '-key'
+  when:
+    - ('kube_control_plane' in group_names)
+    - item[1] != inventory_hostname
+  register: symlink_created
+  failed_when:
+    - symlink_created is failed
+    - ('refusing to convert from file to symlink' not in symlink_created.msg)
+
 - name: Gen_certs | Gather node certs from first etcd node
  slurp:
    src: "{{ item }}"
@@ -153,25 +175,3 @@
    owner: "{{ etcd_owner }}"
    mode: "{{ etcd_cert_dir_mode }}"
    recurse: true
-
-# This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
-# TODO: fix certs generation to have the same file everywhere
-# OR work with kubeadm on node-specific config
- name: Gen_certs | Pretend all control plane have all certs (with symlinks)
-  file:
-    state: link
-    src: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}{{ item[0] }}.pem"
-    dest: "{{ etcd_cert_dir }}/node-{{ item[1] }}{{ item[0] }}.pem"
-    mode: "0640"
-  loop: "{{ suffixes | product(groups['kube_control_plane']) }}"
-  vars:
-    suffixes:
-      - ''
-      - '-key'
-  when:
-    - ('kube_control_plane' in group_names)
-    - item[1] != inventory_hostname
-  register: symlink_created
-  failed_when:
-    - symlink_created is failed
-    - ('refusing to convert from file to symlink' not in symlink_created.msg)
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -20,7 +20,7 @@ coredns_default_zone_cache_block: |
 coredns_pod_disruption_budget: false
 # value for coredns pdb
 coredns_pod_disruption_budget_max_unavailable: "30%"
-
+deploy_coredns: true
 # coredns_additional_configs adds any extra configuration to coredns
 # coredns_additional_configs: |
 #   whoami
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -22,7 +22,9 @@
    - coredns
  vars:
    clusterIP: "{{ skydns_server }}"
-  when: dns_mode in ['coredns', 'coredns_dual']
+  when:
+    - dns_mode in ['coredns', 'coredns_dual']
+    - deploy_coredns

 - name: Kubernetes Apps | CoreDNS Secondary
  command:
@@ -38,6 +40,7 @@
    coredns_ordinal_suffix: "-secondary"
  when:
    - dns_mode == 'coredns_dual'
+    - deploy_coredns

 - name: Kubernetes Apps | nodelocalDNS
  command:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -61,7 +61,6 @@
    dest: "{{ audit_policy_file }}"
    mode: "0640"
  when: kubernetes_audit or kubernetes_audit_webhook
-  notify: Control plane | Restart apiserver

 - name: Write api audit webhook config yaml
  template:
@@ -69,7 +68,6 @@
    dest: "{{ audit_webhook_config_file }}"
    mode: "0640"
  when: kubernetes_audit_webhook
-  notify: Control plane | Restart apiserver

 - name: Create apiserver tracing config directory
  file:
@@ -84,7 +82,6 @@
    dest: "{{ kube_config_dir }}/tracing/apiserver-tracing.yaml"
    mode: "0640"
  when: kube_apiserver_tracing
-  notify: Control plane | Restart apiserver

 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
@@ -112,7 +109,6 @@
    dest: "{{ kube_config_dir }}/admission-controls/admission-controls.yaml"
    mode: "0640"
  when: kube_apiserver_admission_control_config_file
-  notify: Control plane | Restart apiserver

 - name: Kubeadm | Push admission control config files
  template:
@@ -123,7 +119,6 @@
    - kube_apiserver_admission_control_config_file
    - item in kube_apiserver_admission_plugins_needs_configuration
  loop: "{{ kube_apiserver_enable_admission_plugins }}"
-  notify: Control plane | Restart apiserver

 - name: Kubeadm | Check apiserver.crt SANs
  vars:
@@ -171,32 +166,22 @@
    - not kube_external_ca_mode

 - name: Kubeadm | Initialize first control plane node
+  command: >-
+    timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
+    {{ bin_dir }}/kubeadm init
+    --config={{ kube_config_dir }}/kubeadm-config.yaml
+    --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
+    --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
+    {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
+  register: kubeadm_init
+  # Retry is because upload config sometimes fails
+  retries: 3
+  until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
  when: inventory_hostname == first_kube_control_plane and not kubeadm_already_run.stat.exists
-  vars:
-    kubeadm_init_first_control_plane_cmd: >-
-      timeout -k {{ kubeadm_init_timeout }} {{ kubeadm_init_timeout }}
-      {{ bin_dir }}/kubeadm init
-      --config={{ kube_config_dir }}/kubeadm-config.yaml
-      --ignore-preflight-errors={{ kubeadm_ignore_preflight_errors | join(',') }}
-      --skip-phases={{ kubeadm_init_phases_skip | join(',') }}
-      {{ kube_external_ca_mode | ternary('', '--upload-certs') }}
+  failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  notify: Control plane | restart kubelet
-  block:
-    - name: Kubeadm | Initialize first control plane node (1st try)
-      command: "{{ kubeadm_init_first_control_plane_cmd }}"
-      register: kubeadm_init
-      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
-  rescue:
-    # Retry is because upload config sometimes fails
-    # This retry task is separated from 1st task to show log of failure of 1st task.
-    - name: Kubeadm | Initialize first control plane node (retry)
-      command: "{{ kubeadm_init_first_control_plane_cmd }}"
-      register: kubeadm_init
-      retries: 2
-      until: kubeadm_init is succeeded or "field is immutable" in kubeadm_init.stderr
-      failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr

 - name: Set kubeadm certificate key
  set_fact:
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -897,7 +897,7 @@ downloads:
      - k8s_cluster

  dnsautoscaler:
-    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] and enable_dns_autoscaler }}"
+    enabled: "{{ dns_mode in ['coredns', 'coredns_dual'] }}"
    container: true
    repo: "{{ dnsautoscaler_image_repo }}"
    tag: "{{ dnsautoscaler_image_tag }}"
--- a/tests/files/ubuntu24-ha-separate-etcd.yml
+++ b/tests/files/ubuntu24-ha-separate-etcd.yml
@@ -1,13 +0,0 @@
---
-cloud_image: ubuntu-2404
-cluster_layout:
-  - node_groups: ['kube_control_plane']
-  - node_groups: ['kube_control_plane']
-  - node_groups: ['kube_control_plane']
-  - node_groups: ['kube_node']
-  - node_groups: ['etcd']
-  - node_groups: ['etcd']
-  - node_groups: ['etcd']
-
-kube_network_plugin: calico
-calico_datastore: etcd