k8s_config's People

Contributors

9strands, fridim, jharmison-redhat, jkupferer, tonykay

k8s_config's Issues

Helm Support

The k8s_config role should include Helm (v3) support. While we could approach this with Helm templates, it is probably best to fully support Helm via the CLI.

Waiting on ansible/ansible#62450

Discovery configuration

Configuration should support a standard way of retrieving objects from the cluster and setting facts based on the retrieved objects.

This can currently be done using pre_tasks and set_fact, but this means that the fact gathering is outside of the config repository which is likely to cause more issues.

One way of addressing this could be to have an open-ended method of putting pre-tasks into the config repo.

Support Output Files

It would be useful if k8s_config supported outputting files recording the configured resources and differences from the desired state.

Output of configured resources could have a number of uses including use as input for a tool such as ArgoCD.

k8s_config_output_file - Output of configured resource states.
k8s_config_output_only - Only generate output files, don't change anything.
k8s_config_status_file - Output for resource status.

RBAC management

It is difficult to track what ClusterRoleBindings and RoleBindings grant access to users and groups. It would be useful to support a mechanism of managing access that can both grant and revoke access to users, groups, and service accounts.

  cluster_role_bindings:
    cluster-admin:
      users: ['bob']
      groups: ['my-cluster-admins']
      service_accounts:
      - name: automation
        namespace: default      
      remove_unlisted: ['users', 'groups']
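
The grant-and-revoke behaviour proposed above, as an added Python example that is not part of the original issue or the k8s_config role. It assumes `remove_unlisted` names the subject kinds whose unlisted subjects are revoked, while other kinds are only added to; the function names and the existing subjects are constructed for illustration.

```python
RBAC_GROUP = "rbac.authorization.k8s.io"
# Assumed mapping from the proposed config keys to RBAC subject kinds.
KIND_FOR = {"users": "User", "groups": "Group", "service_accounts": "ServiceAccount"}

def subject_key(subject):
    # ServiceAccounts are namespaced; users and groups are not.
    return (subject["kind"], subject.get("namespace", ""), subject["name"])

def desired_subjects(spec):
    """Expand users/groups/service_accounts into RBAC subject entries."""
    subjects = [{"kind": "User", "apiGroup": RBAC_GROUP, "name": n}
                for n in spec.get("users", [])]
    subjects += [{"kind": "Group", "apiGroup": RBAC_GROUP, "name": n}
                 for n in spec.get("groups", [])]
    subjects += [{"kind": "ServiceAccount", "name": sa["name"], "namespace": sa["namespace"]}
                 for sa in spec.get("service_accounts", [])]
    return subjects

def reconcile(existing, spec):
    """Return (subjects_to_apply, revoked) for one binding."""
    wanted = desired_subjects(spec)
    wanted_keys = {subject_key(s) for s in wanted}
    # An unknown name in remove_unlisted raises KeyError instead of being ignored.
    prune_kinds = {KIND_FOR[k] for k in spec.get("remove_unlisted", [])}
    kept, revoked = [], []
    for s in existing:
        if subject_key(s) in wanted_keys:
            continue  # already present in `wanted`
        (revoked if s["kind"] in prune_kinds else kept).append(s)
    return wanted + kept, revoked

# Constructed sample: subjects currently on the cluster-admin binding.
EXISTING = [
    {"kind": "User", "apiGroup": RBAC_GROUP, "name": "bob"},
    {"kind": "User", "apiGroup": RBAC_GROUP, "name": "former-admin"},
    {"kind": "Group", "apiGroup": RBAC_GROUP, "name": "old-admins"},
    {"kind": "ServiceAccount", "name": "legacy-ci", "namespace": "build"},
]
# The cluster-admin entry from the issue above.
SPEC = {
    "users": ["bob"],
    "groups": ["my-cluster-admins"],
    "service_accounts": [{"name": "automation", "namespace": "default"}],
    "remove_unlisted": ["users", "groups"],
}

if __name__ == "__main__":
    to_apply, revoked = reconcile(EXISTING, SPEC)
    print("revoke:", [subject_key(s) for s in revoked], "apply:", [subject_key(s) for s in to_apply])
```

The `revoked` list is the audit trail: it names every subject that loses the role, which can be logged or reviewed before the binding is rewritten.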

k8s_config : k8s cert-manager configuration error

In k8s_config, I've got this error several times. It especially happens the first times k8s_config is run on a cluster.

TASK [k8s_config : k8s cert-manager configuration] ***********************************************************************************
changed: [localhost] => (item=Secret(v1) letsencrypt-route53-credentials-secret in cert-manager)
failed: [localhost] (item=ClusterIssuer(cert-manager.io/v1) letsencrypt in cert-manager) => {"_k8s_resources_idx": 1, "ansible_loop_var": "_k8s_resources_idx", "attempts": 1, "changed": false, "error": 500, "msg": "Failed to apply object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"Internal error occurred: failed calling webhook \\\\\"webhook.cert-manager.io\\\\\": Post \\\\\"https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s\\\\\": no endpoints available for service \\\\\"cert-manager-webhook\\\\\"\",\"reason\":\"InternalError\",\"details\":{\"causes\":[{\"message\":\"failed calling webhook \\\\\"webhook.cert-manager.io\\\\\": Post \\\\\"https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s\\\\\": no endpoints available for service \\\\\"cert-manager-webhook\\\\\"\"}]},\"code\":500}\\n'", "reason": "Internal Server Error", "status": 500}

Before running k8s_config, I ensure all cluster-operators are up and running.

But then when I run k8s_config the first time, some cluster operators change state:

(k8s_config) [ec2-user@bastion ~]$ oc get co|awk '$3 == "False" || $4 == "True" || $5 == "True" {print}'
image-registry                             4.6.31    True        True          False      36h
kube-apiserver                             4.6.31    True        True          False      37h
openshift-apiserver                        4.6.31    True        False         True       37h

It looks like we miss a check + wait in the k8s_config playbooks.

I'm not attaching the full log to this issue, but can share it privately if needed.
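
One way to implement the check and wait discussed in this issue, as an added Python example that is not part of the original issue or the k8s_config role. It retries only when the API server's Status shows the admission webhook Service has no endpoints and surfaces every other failure unchanged; `ApplyError`, `apply_fn` and the retry defaults are hypothetical.

```python
import time

class ApplyError(Exception):
    """Raised by the hypothetical apply_fn; carries the API server's Status object."""
    def __init__(self, status):
        super().__init__(status.get("message", ""))
        self.status = status

def is_webhook_not_ready(status):
    """True when a Status reports an admission webhook Service with no endpoints yet."""
    if status.get("kind") != "Status" or status.get("code") != 500:
        return False
    causes = status.get("details", {}).get("causes", [])
    messages = [status.get("message", "")] + [c.get("message", "") for c in causes]
    return any("failed calling webhook" in m and "no endpoints available for service" in m
               for m in messages)

def apply_with_wait(apply_fn, attempts=10, delay=6.0, sleep=time.sleep):
    """Call apply_fn, retrying only the webhook-not-ready case; return attempts used."""
    for attempt in range(1, attempts + 1):
        try:
            apply_fn()
            return attempt
        except ApplyError as err:
            # Any other failure, or running out of attempts, is surfaced unchanged.
            if attempt == attempts or not is_webhook_not_ready(err.status):
                raise
            sleep(delay)

# Constructed sample: Status rebuilt from the message in the log above.
MSG = ('failed calling webhook "webhook.cert-manager.io": Post '
       '"https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": '
       'no endpoints available for service "cert-manager-webhook"')
SAMPLE = {"kind": "Status", "apiVersion": "v1", "status": "Failure", "code": 500,
          "reason": "InternalError", "message": "Internal error occurred: " + MSG,
          "details": {"causes": [{"message": MSG}]}}

def demo(failures=2):
    """Simulate a webhook that becomes ready after `failures` rejected applies."""
    calls = []
    def apply_fn():
        calls.append(1)
        if len(calls) <= failures:
            raise ApplyError(SAMPLE)
    return apply_with_wait(apply_fn, sleep=lambda _s: None)

if __name__ == "__main__":
    print("applied after", demo(), "attempts")
```

Waiting for the webhook to become ready keeps admission validation in the path, whereas relaxing the webhook's failure policy to get past the error would let unvalidated objects through.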

Confusing error message if URL load fails #6

fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'k8s_resource_definitions'. Error was a <class 'KeyError'>, original message: 'kind'"}

Kustomize Support

It would be good to have kustomize support similar to how OpenShift templates are supported.

k8s_resources:
- name: Kustomize app
  kustomize: path/for/kustomize/build

The path supplied for kustomize should be searched for in the config sources and the fully qualified path is passed to the final kustomize build command.

ServiceAccount convenience functionality

It would be nice to have a convenience functionality for creating service accounts:

k8s_resources:
- namespace: someplace
  service_accounts:
  - someaccount

Rather than:

k8s_resources:
- namespace: someplace
  resources:
  - definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: someaccount
