Allow public only metallb deployments (#36)

nephelaiio · Dec 25, 2023 · f4e6a76 · f4e6a76
1 parent 57ee0d9
commit f4e6a76
Show file tree

Hide file tree

Showing 10 changed files with 74 additions and 53 deletions.
diff --git a/defaults/main/k8s.yml b/defaults/main/k8s.yml
@@ -9,13 +9,14 @@ k8s_volume_verify: true
 
 k8s_kubeconfig: "~/.kube/config"
 k8s_wait_timeout: 600
-k8s_address_pools_local:
-  - scheme: 'internal'
-    name: "{{ k8s_address_pool_private_name }}"
-    pool: "{{ k8s_address_pool_private_iprange }}"
-  - scheme: 'internet-facing'
-    name: "{{ k8s_address_pool_public_name }}"
-    pool: "{{ k8s_address_pool_public_iprange }}"
+k8s_address_pools_local_private:
+  scheme: 'internal'
+  name: "{{ k8s_address_pool_private_name }}"
+  pool: "{{ k8s_address_pool_private_iprange }}"
+k8s_address_pools_local_public:
+  scheme: 'internet-facing'
+  name: "{{ k8s_address_pool_public_name }}"
+  pool: "{{ k8s_address_pool_public_iprange }}"
 k8s_address_pools_aws:
   - scheme: 'internal'
     name: private
@@ -25,7 +26,4 @@ k8s_retry_delay: 30
 k8s_retry_num: 10
 
 k8s_address_pool_private_name: "private"
-k8s_address_pool_private_iprange: ""
-
 k8s_address_pool_public_name: "public"
-k8s_address_pool_public_iprange: ""
diff --git a/molecule/argocd/molecule.yml b/molecule/argocd/molecule.yml
@@ -43,7 +43,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: false

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -34,7 +34,7 @@ provisioner:
           # kind vardefs
           kind_network_addr: 172.19.0.0/16
           kind_bin: ${MOLECULE_EPHEMERAL_DIRECTORY}/kind
-          kind_cluster_name: molecule-k8s
+          kind_cluster_name: molecule-k8s-${MOLECULE_SCENARIO_NAME}
           kind_kubeconfig: "{{ k8s_kubeconfig }}"
           kind_registry_deploy: false
           kind_proxy_deploy: true

diff --git a/molecule/longhorn/molecule.yml b/molecule/longhorn/molecule.yml
@@ -43,7 +43,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: false

diff --git a/molecule/mysql/molecule.yml b/molecule/mysql/molecule.yml
@@ -34,7 +34,7 @@ provisioner:
           # kind vardefs
           kind_network_addr: 172.19.0.0/16
           kind_bin: ${MOLECULE_EPHEMERAL_DIRECTORY}/kind
-          kind_cluster_name: molecule-k8s
+          kind_cluster_name: molecule-k8s-${MOLECULE_SCENARIO_NAME}
           kind_kubeconfig: "{{ k8s_kubeconfig }}"
           kind_registry_deploy: false
           kind_proxy_deploy: true
@@ -55,7 +55,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: false

diff --git a/molecule/opensearch/molecule.yml b/molecule/opensearch/molecule.yml
@@ -43,7 +43,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: true

diff --git a/molecule/strimzi/molecule.yml b/molecule/strimzi/molecule.yml
@@ -43,7 +43,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: false

diff --git a/molecule/zalando/molecule.yml b/molecule/zalando/molecule.yml
@@ -49,7 +49,6 @@ provisioner:
 
           # role vardefs
           k8s_address_pool_private_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 2) }}"
-          k8s_address_pool_public_iprange: "{{ kind_network_addr | ansible.utils.ipsubnet(24, 3) }}"
           k8s_metallb_speaker_secret: secret
           k8s_verifier_path: ${MOLECULE_EPHEMERAL_DIRECTORY}
           k8s_opensearch_deploy: false

diff --git a/tasks/deploy/check.yml b/tasks/deploy/check.yml
@@ -1,38 +1,44 @@
 ---
 - name: Check cluster type input
-  ansible.builtin.fail:
-    msg: "k8s_cluster_type must be one of [{{ valid_cluster_types | join(', ') }}]"
+  ansible.builtin.assert:
+    fail_msg: "k8s_cluster_type must be one of [{{ valid_cluster_types | join(', ') }}]"
+    that:
+      - k8s_cluster_type in valid_cluster_types
   vars:
     valid_cluster_types:
       - local
       - aws
-  when: k8s_cluster_type not in valid_cluster_types
 
 - name: Check local cluster settings
   when:
     - k8s_cluster_type == 'local'
     - k8s_address_pools is undefined
   block:
     - name: Check private address pool range
-      ansible.builtin.fail:
-        msg: "private address pool range must be set"
-      when: k8s_address_pool_private_iprange | length == 0
+      ansible.builtin.assert:
+        fail_msg: "private address pool range must be set as subnet/prefix"
+        that:
+          - k8s_address_pool_private_iprange is defined
+          - k8s_address_pool_private_iprange | ansible.utils.ipaddr('network/prefix')
 
-    - name: Check public address pool name
-      ansible.builtin.fail:
-        msg: "public address pool name must be set"
-      when: k8s_address_pool_public_name | length == 0
+    - name: Initialize address pool metadata
+      ansible.builtin.set_fact:
+        k8s_address_pools: "{{ [k8s_address_pools_local_private] }}"
 
-    - name: Check public address pool range
-      ansible.builtin.fail:
-        msg: "public address pool range must be set as subnet/prefix"
-      when: k8s_address_pool_public_iprange | length == 0 or not (k8s_address_pool_public_iprange | ansible.utils.ipaddr('network/prefix'))
+    - name: Extend adress pool metadata
+      when: k8s_address_pool_public_iprange is defined
+      block:
+        - name: Check public address pool range
+          ansible.builtin.assert:
+            fail_msg: "public address pool range must be set as subnet/prefix"
+            that:
+              - k8s_address_pool_public_iprange | ansible.utils.ipaddr('network/prefix')
 
-    - name: Set k8s_address_pool metadata
-      ansible.builtin.set_fact:
-        k8s_address_pools: "{{ k8s_address_pools_local }}"
+        - name: Extend k8s_address_pool metadata
+          ansible.builtin.set_fact:
+            k8s_address_pools: "{{ k8s_address_pools + [k8s_address_pools_local_public] }}"
 
-- name: Check aws cluster settings
+- name: Check AWS cluster settings
   when:
     - k8s_cluster_type == 'aws'
     - k8s_address_pools is undefined
@@ -41,33 +47,56 @@
       ansible.builtin.set_fact:
         k8s_address_pools: "{{ k8s_address_pools_aws }}"
 
-- name: Check metallb speaker secret is set
-  ansible.builtin.fail:
-    msg: "k8s_metallb_speaker_secret must be set"
-  when: k8s_metallb_speaker_secret is not defined or k8s_metallb_speaker_secret | length == 0
+- name: Check MetalLB pool definitions
+  ansible.builtin.assert:
+    fail_msg: "k8s_address_pools must not be empty"
+    that:
+      - k8s_address_pools | length > 0
+
+- name: Debug MetalLB pool configuration
+  ansible.builtin.debug:
+    var: k8s_address_pools
+
+- name: Check MetalLB speaker secret is set
+  ansible.builtin.assert:
+    fail_msg: "k8s_metallb_speaker_secret must be set"
+    that:
+      - k8s_metallb_speaker_secret is defined
+      - k8s_metallb_speaker_secret | length > 0
 
 - name: Check nginx ingress controller release
-  ansible.builtin.fail:
-    msg: "k8s_nginx_chart_release must be at least '{{ chart_release_min }}'"
+  ansible.builtin.assert:
+    fail_msg: "k8s_nginx_chart_release must be at least '{{ chart_release_min }}'"
+    that:
+      - chart_release_req_normalized is version(chart_release_min_normalized, operator='ge')
   vars:
     chart_release_min: "4.0.15"
     chart_release_req_normalized: "{{ k8s_nginx_chart.release | regex_replace('^v', '') }}"
     chart_release_min_normalized: "{{ chart_release_min | regex_replace('^v', '') }}"
-  when: (chart_release_req_normalized) is version(chart_release_min_normalized, operator='lt')
 
 - name: Check certmanager release
-  ansible.builtin.fail:
-    msg: "k8s_certmanager_chart.release must be at least '{{ chart_release_min }}'"
+  ansible.builtin.assert:
+    fail_msg: "k8s_certmanager_chart.release must be at least '{{ _release_min }}'"
+    that:
+      - _release_string is version(_release_min, operator='ge' )
   vars:
-    chart_release_min: "v1.6.1"
-  when: (k8s_certmanager_chart.release | regex_replace('^v', '')) is version(chart_release_min | regex_replace('^v', '' ), operator='le')
+    _release_string: "{{ (k8s_certmanager_chart.release | regex_replace('^v', '')) }}"
+    _release_min: "{{ 'v1.6.1' | regex_replace('^v', '' ) }}"
 
 - name: Check certmanager name
-  ansible.builtin.fail:
-    msg: >
+  ansible.builtin.assert:
+    fail_msg: >
       k8s_certmanager_issuer_name must be one of [{{ valid_issuer_names | join(', ') }}]
+    that:
+      - k8s_certmanager_issuer_name in valid_issuer_names
   vars:
     valid_issuer_names:
       - local
       - letsencrypt
-  when: k8s_certmanager_issuer_name not in valid_issuer_names
+
+- name: Check certmanager secret
+  ansible.builtin.assert:
+    fail_msg: k8s_certmanager_secret must be set for letsenrypt issuer
+    that:
+      - k8s_certmanager_secret is defined
+  when: k8s_certmanager_issuer_name == 'letsencrypt'
diff --git a/tasks/deploy/metallb.yml b/tasks/deploy/metallb.yml
@@ -1,5 +1,5 @@
 ---
-- name: Deploy metallb chart
+- name: Deploy MetalLB chart
   kubernetes.core.helm:
     name: metallb
     chart_ref: "{{ k8s_metallb_chart.name }}"
@@ -16,7 +16,7 @@
     kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"
     binary_path: "{{ lookup('ansible.builtin.env', 'HELM_BIN', default=k8s_helm_bin) }}"
 
-- name: Create metallb pools
+- name: Create MetalLB pools
   kubernetes.core.k8s:
     state: present
     kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"
@@ -37,7 +37,7 @@
   register: metallb_pool_create
   until: metallb_pool_create is success
 
-- name: Advertise metallb pools
+- name: Advertise MetalLB pools
   kubernetes.core.k8s:
     state: present
     kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"