MetalLB: update to v0.10.2 (#7925)
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>pull/7931/head
parent
0171c71de0
commit
48ceca4919
|
@ -157,11 +157,10 @@ metallb_speaker_enabled: true
|
||||||
# operator: "Equal"
|
# operator: "Equal"
|
||||||
# value: ""
|
# value: ""
|
||||||
# effect: "NoSchedule"
|
# effect: "NoSchedule"
|
||||||
# metallb_version: v0.9.6
|
# metallb_version: v0.10.2
|
||||||
# metallb_protocol: "layer2"
|
# metallb_protocol: "layer2"
|
||||||
# metallb_port: "7472"
|
# metallb_port: "7472"
|
||||||
# metallb_limits_cpu: "100m"
|
# metallb_memberlist_port: "7946"
|
||||||
# metallb_limits_mem: "100Mi"
|
|
||||||
# metallb_additional_address_pools:
|
# metallb_additional_address_pools:
|
||||||
# kube_service_pool:
|
# kube_service_pool:
|
||||||
# ip_range:
|
# ip_range:
|
||||||
|
|
|
@ -1,10 +1,9 @@
|
||||||
---
|
---
|
||||||
metallb_enabled: false
|
metallb_enabled: false
|
||||||
metallb_version: v0.9.6
|
metallb_version: v0.10.2
|
||||||
metallb_protocol: "layer2"
|
metallb_protocol: "layer2"
|
||||||
metallb_port: "7472"
|
metallb_port: "7472"
|
||||||
metallb_limits_cpu: "100m"
|
metallb_memberlist_port: "7946"
|
||||||
metallb_limits_mem: "100Mi"
|
|
||||||
metallb_peers: []
|
metallb_peers: []
|
||||||
metallb_speaker_enabled: true
|
metallb_speaker_enabled: true
|
||||||
metallb_speaker_nodeselector: {}
|
metallb_speaker_nodeselector: {}
|
||||||
|
@ -12,6 +11,8 @@ metallb_controller_nodeselector: {}
|
||||||
metallb_speaker_tolerations:
|
metallb_speaker_tolerations:
|
||||||
- effect: NoSchedule
|
- effect: NoSchedule
|
||||||
key: node-role.kubernetes.io/master
|
key: node-role.kubernetes.io/master
|
||||||
|
operator: Exists
|
||||||
- effect: NoSchedule
|
- effect: NoSchedule
|
||||||
key: node-role.kubernetes.io/control-plane
|
key: node-role.kubernetes.io/control-plane
|
||||||
|
operator: Exists
|
||||||
metallb_controller_tolerations: []
|
metallb_controller_tolerations: []
|
||||||
|
|
|
@ -50,25 +50,3 @@
|
||||||
with_items: "{{ rendering.results }}"
|
with_items: "{{ rendering.results }}"
|
||||||
when:
|
when:
|
||||||
- "inventory_hostname == groups['kube_control_plane'][0]"
|
- "inventory_hostname == groups['kube_control_plane'][0]"
|
||||||
|
|
||||||
- name: Kubernetes Apps | Check existing secret of MetalLB
|
|
||||||
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist"
|
|
||||||
register: metallb_secret
|
|
||||||
become: true
|
|
||||||
ignore_errors: true # noqa ignore-errors
|
|
||||||
when:
|
|
||||||
- inventory_hostname == groups['kube_control_plane'][0]
|
|
||||||
|
|
||||||
- name: Kubernetes Apps | Create random bytes for MetalLB
|
|
||||||
command: "openssl rand -base64 32"
|
|
||||||
register: metallb_rand
|
|
||||||
when:
|
|
||||||
- inventory_hostname == groups['kube_control_plane'][0]
|
|
||||||
- metallb_secret.rc != 0
|
|
||||||
|
|
||||||
- name: Kubernetes Apps | Install secret of MetalLB if not existing
|
|
||||||
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}"
|
|
||||||
become: true
|
|
||||||
when:
|
|
||||||
- inventory_hostname == groups['kube_control_plane'][0]
|
|
||||||
- metallb_secret.rc != 0
|
|
||||||
|
|
|
@ -58,9 +58,7 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
allowedCapabilities:
|
allowedCapabilities:
|
||||||
- NET_ADMIN
|
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
- SYS_ADMIN
|
|
||||||
allowedHostPaths: []
|
allowedHostPaths: []
|
||||||
defaultAddCapabilities: []
|
defaultAddCapabilities: []
|
||||||
defaultAllowPrivilegeEscalation: false
|
defaultAllowPrivilegeEscalation: false
|
||||||
|
@ -72,6 +70,8 @@ spec:
|
||||||
hostPorts:
|
hostPorts:
|
||||||
- max: {{ metallb_port }}
|
- max: {{ metallb_port }}
|
||||||
min: {{ metallb_port }}
|
min: {{ metallb_port }}
|
||||||
|
- max: {{ metallb_memberlist_port }}
|
||||||
|
min: {{ metallb_memberlist_port }}
|
||||||
privileged: true
|
privileged: true
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
requiredDropCapabilities:
|
requiredDropCapabilities:
|
||||||
|
@ -121,7 +121,6 @@ rules:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
- update
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ''
|
- ''
|
||||||
resources:
|
resources:
|
||||||
|
@ -162,6 +161,13 @@ rules:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups: ["discovery.k8s.io"]
|
||||||
|
resources:
|
||||||
|
- endpointslices
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ''
|
- ''
|
||||||
resources:
|
resources:
|
||||||
|
@ -212,6 +218,37 @@ rules:
|
||||||
- list
|
- list
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: metallb
|
||||||
|
name: controller
|
||||||
|
namespace: metallb-system
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
resourceNames:
|
||||||
|
- memberlist
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- apiGroups:
|
||||||
|
- apps
|
||||||
|
resources:
|
||||||
|
- deployments
|
||||||
|
resourceNames:
|
||||||
|
- controller
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
|
@ -275,6 +312,21 @@ subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: speaker
|
name: speaker
|
||||||
---
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: metallb
|
||||||
|
name: controller
|
||||||
|
namespace: metallb-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: controller
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: controller
|
||||||
|
---
|
||||||
{% if metallb_speaker_enabled %}
|
{% if metallb_speaker_enabled %}
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
|
@ -316,36 +368,32 @@ spec:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: status.podIP
|
fieldPath: status.podIP
|
||||||
# needed when another software is also using memberlist / port 7946
|
# needed when another software is also using memberlist / port 7946
|
||||||
|
# when changing this default you also need to update the container ports definition
|
||||||
|
# and the PodSecurityPolicy hostPorts definition
|
||||||
#- name: METALLB_ML_BIND_PORT
|
#- name: METALLB_ML_BIND_PORT
|
||||||
# value: "7946"
|
# value: "{{ metallb_memberlist_port }}"
|
||||||
- name: METALLB_ML_LABELS
|
- name: METALLB_ML_LABELS
|
||||||
value: "app=metallb,component=speaker"
|
value: "app=metallb,component=speaker"
|
||||||
- name: METALLB_ML_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: METALLB_ML_SECRET_KEY
|
- name: METALLB_ML_SECRET_KEY
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
name: memberlist
|
name: memberlist
|
||||||
key: secretkey
|
key: secretkey
|
||||||
image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
|
image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
name: speaker
|
name: speaker
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ metallb_port }}
|
- containerPort: {{ metallb_port }}
|
||||||
name: monitoring
|
name: monitoring
|
||||||
resources:
|
- containerPort: {{ metallb_memberlist_port }}
|
||||||
limits:
|
name: memberlist-tcp
|
||||||
cpu: {{ metallb_limits_cpu }}
|
- containerPort: {{ metallb_memberlist_port }}
|
||||||
memory: {{ metallb_limits_mem }}
|
name: memberlist-udp
|
||||||
|
protocol: UDP
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- NET_ADMIN
|
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
- SYS_ADMIN
|
|
||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
|
@ -399,16 +447,16 @@ spec:
|
||||||
- args:
|
- args:
|
||||||
- --port={{ metallb_port }}
|
- --port={{ metallb_port }}
|
||||||
- --config=config
|
- --config=config
|
||||||
|
env:
|
||||||
|
- name: METALLB_ML_SECRET_NAME
|
||||||
|
value: memberlist
|
||||||
|
- name: METALLB_DEPLOYMENT
|
||||||
|
value: controller
|
||||||
image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
|
image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
name: controller
|
name: controller
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ metallb_port }}
|
- containerPort: {{ metallb_port }}
|
||||||
name: monitoring
|
name: monitoring
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: {{ metallb_limits_cpu }}
|
|
||||||
memory: {{ metallb_limits_mem }}
|
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
capabilities:
|
capabilities:
|
||||||
|
|
Loading…
Reference in New Issue