From 088b1b0cec84dd5f09f594a8af981e66ec5a8364 Mon Sep 17 00:00:00 2001
From: Max Gautier <mg@max.gautier.name>
Date: Mon, 29 Apr 2024 15:31:27 +0200
Subject: [PATCH] Add `enabled` to pkgs to handle ipvs

Some packages requirements depends on inventory variables
(`kube_proxy_mode` in that case but it could apply to others).

As the case seems pretty rare, instead of adding complexity to pkgs, we
add an escape hatch to use jinja conditions.
That should be revisited if we find ourselves shoehorning lots of logic
in this later on.
---
 roles/kubernetes/preinstall/defaults/main.yml             | 3 ---
 roles/kubernetes/preinstall/files/pkgs-schema.json        | 5 +++++
 .../kubernetes/preinstall/tasks/0070-system-packages.yml  | 2 +-
 roles/kubernetes/preinstall/vars/main.yml                 | 8 ++++++++
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index 09da2ec9b..77de0b702 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -6,9 +6,6 @@ epel_enabled: false
 # Kubespray sets this to true after clusterDNS is running to apply changes to the host resolv.conf
 dns_late: false
 
-common_required_pkgs:
-  - "{{ kube_proxy_mode == 'ipvs' | ternary(['ipvsadm', 'ipset'], []) }}"
-
 # Set to true if your network does not support IPv6
 # This may be necessary for pulling Docker images from
 # GCE docker repository
diff --git a/roles/kubernetes/preinstall/files/pkgs-schema.json b/roles/kubernetes/preinstall/files/pkgs-schema.json
index 22fd0fa19..1fb9e28de 100644
--- a/roles/kubernetes/preinstall/files/pkgs-schema.json
+++ b/roles/kubernetes/preinstall/files/pkgs-schema.json
@@ -9,6 +9,11 @@
             "type": "object",
             "additionalProperties": false,
             "properties": {
+                "enabled": {
+                    "description": "Escape hatch to filter packages. The value is expected to be pre-resolved to a boolean by Jinja",
+                    "type": "boolean",
+                    "default": true
+                },
                 "groups": {
                     "description": "Match if the host is in one of these groups. If not specified match any host.",
                     "type": "array",
diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
index 1e27c6b7a..7085ffb0c 100644
--- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
+++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
@@ -64,7 +64,7 @@
     # The json_query for selecting packages name is split for readability
     # see files/pkgs-schema.json for the structure of `pkgs`
     # and the matching semantics
-    full_query: "[? value | ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key"
+    full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key"
     filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]"
     filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))"
     dquote: !unsafe '"'
diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml
index 7c83d855e..28ee56a27 100644
--- a/roles/kubernetes/preinstall/vars/main.yml
+++ b/roles/kubernetes/preinstall/vars/main.yml
@@ -54,7 +54,15 @@ pkgs:
           major_versions:
           - "11"
           - "12"
+  ipset:
+    enabled: "{{ kube_proxy_mode != 'ipvs' }}"
+    groups:
+    - k8s_cluster
   iptables: *deb_redhat
+  ipvsadm:
+    enabled: "{{ kube_proxy_mode == 'ipvs' }}"
+    groups:
+    - k8s_cluster
   libseccomp: *redhat_family
   libseccomp2:
     groups: