redhat-cop / k8s_config
Ansible role for managing Kubernetes configuration
License: GNU General Public License v3.0
The k8s_config role should include Helm (v3) support. While we could approach this with Helm templates, it is probably best to fully support Helm via the CLI.
Waiting on ansible/ansible#62450
Configuration should support a standard way of retrieving objects from the cluster and setting facts based on the retrieved objects.
This can currently be done using pre_tasks and set_fact, but this means that the fact gathering is outside of the config repository, which is likely to cause more issues.
One way of addressing this could be to have an open-ended method of putting pre-tasks into the config repo.
Various checks should be run to sanity check variables at the start of role execution.
It would be useful if k8s_config supported outputting files recording the configured resources and differences from the desired state.
Output of configured resources could have a number of uses including use as input for a tool such as ArgoCD.
k8s_config_output_file - Output of configured resource states.
k8s_config_output_only - Only generate output files, don't change anything.
k8s_config_status_file - Output for resource status.
Support passing name to helm template.
It is difficult to track what ClusterRoleBindings and RoleBindings grant access to users and groups. It would be useful to support a mechanism of managing access that can both grant and revoke access to users, groups, and service accounts.
cluster_role_bindings:
  cluster-admin:
    users: ['bob']
    groups: ['my-cluster-admins']
    service_accounts:
    - name: automation
      namespace: default
    remove_unlisted: ['users', 'groups']
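One way to implement the grant-and-revoke semantics sketched above, as an added example that is not part of k8s_config: it expands one cluster_role_bindings entry into RBAC subjects and reconciles them against a binding's current subjects, revoking unlisted identities only for the kinds named in remove_unlisted. The function names and the sample current subjects (alice, a legacy service account) are constructed for this example.

```python
"""Added example, not k8s_config code: reconcile a ClusterRoleBinding's subjects
against one entry of the proposed cluster_role_bindings schema."""

RBAC_GROUP = "rbac.authorization.k8s.io"
# Schema list name -> subject kind used in RBAC bindings.
KIND_FOR = {"users": "User", "groups": "Group", "service_accounts": "ServiceAccount"}


def desired_subjects(spec):
    """Expand the schema entry into RBAC subjects."""
    subjects = [{"kind": "User", "apiGroup": RBAC_GROUP, "name": u}
                for u in spec.get("users", [])]
    subjects += [{"kind": "Group", "apiGroup": RBAC_GROUP, "name": g}
                 for g in spec.get("groups", [])]
    subjects += [{"kind": "ServiceAccount", "name": sa["name"], "namespace": sa["namespace"]}
                 for sa in spec.get("service_accounts", [])]
    return subjects


def subject_key(subject):
    # ServiceAccounts are namespaced; users and groups are not.
    return (subject["kind"], subject.get("namespace", ""), subject["name"])


def reconcile_subjects(current, spec):
    """Subjects the binding should carry after applying spec. A current subject
    whose kind is named in remove_unlisted survives only if the spec lists it;
    subjects of other kinds are never removed (grant-only for those kinds)."""
    wanted = desired_subjects(spec)
    wanted_keys = {subject_key(s) for s in wanted}
    revocable = {KIND_FOR[k] for k in spec.get("remove_unlisted", [])}
    kept = [s for s in current
            if s["kind"] not in revocable or subject_key(s) in wanted_keys]
    kept_keys = {subject_key(s) for s in kept}
    return kept + [s for s in wanted if subject_key(s) not in kept_keys]


# Constructed sample: the page's cluster-admin entry applied to a binding that
# today also grants an unlisted user and an unlisted service account.
CLUSTER_ADMIN_SPEC = {
    "users": ["bob"], "groups": ["my-cluster-admins"],
    "service_accounts": [{"name": "automation", "namespace": "default"}],
    "remove_unlisted": ["users", "groups"],
}
CURRENT_SUBJECTS = [
    {"kind": "User", "apiGroup": RBAC_GROUP, "name": "alice"},
    {"kind": "Group", "apiGroup": RBAC_GROUP, "name": "my-cluster-admins"},
    {"kind": "ServiceAccount", "name": "legacy", "namespace": "ci"},
]
```

Applying the same spec twice yields the same subject list, so the reconcile step can run on every k8s_config invocation without churn.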
In k8s_config, I've got this error several times. It especially happens the first few times k8s_config is run on a cluster.
TASK [k8s_config : k8s cert-manager configuration] ***********************************************************************************
changed: [localhost] => (item=Secret(v1) letsencrypt-route53-credentials-secret in cert-manager)
failed: [localhost] (item=ClusterIssuer(cert-manager.io/v1) letsencrypt in cert-manager) => {"_k8s_resources_idx": 1, "ansible_loop_var": "_k8s_resources_idx", "attempts": 1, "changed": false, "error": 500, "msg": "Failed to apply object: b'{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"Internal error occurred: failed calling webhook \\\\\"webhook.cert-manager.io\\\\\": Post \\\\\"https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s\\\\\": no endpoints available for service \\\\\"cert-manager-webhook\\\\\"\",\"reason\":\"InternalError\",\"details\":{\"causes\":[{\"message\":\"failed calling webhook \\\\\"webhook.cert-manager.io\\\\\": Post \\\\\"https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s\\\\\": no endpoints available for service \\\\\"cert-manager-webhook\\\\\"\"}]},\"code\":500}\\n'", "reason": "Internal Server Error", "status": 500}
Before running k8s_config, I ensure all cluster-operators are up and running.
But then when I run k8s_config the first time, some cluster operators change state:
(k8s_config) [ec2-user@bastion ~]$ oc get co|awk '$3 == "False" || $4 == "True" || $5 == "True" {print}'
image-registry 4.6.31 True True False 36h
kube-apiserver 4.6.31 True True False 37h
openshift-apiserver 4.6.31 True False True 37h
It looks like we miss a check + wait in the k8s_config playbooks.
I'm not attaching the full log to this issue, but can share it privately if needed.
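The check half of the missing check + wait, as an added example that is not part of k8s_config: given the parsed -o json output for ClusterOperators and for the cert-manager-webhook Endpoints, it returns the reasons a run should still be held back, covering both symptoms in this report (operators still progressing or degraded, and a webhook Service with no ready endpoints). The function names and the sample operator list are constructed for this example.

```python
"""Added example, not k8s_config code: the 'check' half of the check + wait this
issue asks for, run on the parsed output of `oc get clusteroperators -o json`
and `oc get endpoints -n cert-manager cert-manager-webhook -o json`."""


def unhealthy_operators(co_list):
    """ClusterOperators that are not Available, or are Progressing or Degraded:
    the same filter as the issue's awk one-liner over `oc get co`."""
    bad = []
    for co in co_list.get("items", []):
        conds = {c["type"]: c["status"]
                 for c in co.get("status", {}).get("conditions", [])}
        if (conds.get("Available") != "True" or conds.get("Progressing") == "True"
                or conds.get("Degraded") == "True"):
            bad.append(co["metadata"]["name"])
    return bad


def ready_addresses(endpoints):
    """Ready addresses behind a Service. Zero is exactly the state in which the
    API server reports 'no endpoints available for service' for its webhook."""
    # `subsets` is null (not an empty list) while no pod is ready.
    return sum(len(s.get("addresses", [])) for s in endpoints.get("subsets") or [])


def blockers(co_list, webhook_endpoints):
    """Reasons a k8s_config run should still wait; an empty list means go ahead."""
    reasons = [f"clusteroperator/{n} not settled" for n in unhealthy_operators(co_list)]
    if ready_addresses(webhook_endpoints) == 0:
        meta = webhook_endpoints["metadata"]
        reasons.append(f"no ready endpoints for {meta['namespace']}/{meta['name']}")
    return reasons


# Constructed samples mirroring the issue's `oc get co` output (image-registry and
# kube-apiserver Progressing, openshift-apiserver Degraded) and a webhook pod not ready yet.
def make_co(name, available, progressing, degraded):
    return {"metadata": {"name": name}, "status": {"conditions": [
        {"type": "Available", "status": available},
        {"type": "Progressing", "status": progressing},
        {"type": "Degraded", "status": degraded}]}}

CO_LIST = {"items": [make_co("image-registry", "True", "True", "False"),
                     make_co("kube-apiserver", "True", "True", "False"),
                     make_co("openshift-apiserver", "True", "False", "True"),
                     make_co("authentication", "True", "False", "False")]}
WEBHOOK_ENDPOINTS = {"metadata": {"name": "cert-manager-webhook", "namespace": "cert-manager"},
                     "subsets": [{"notReadyAddresses": [{"ip": "10.128.2.17"}]}]}
```

Polling blockers() until it returns an empty list is the wait half; the ClusterIssuer apply in the log above would then no longer hit the mutating webhook before it has a ready endpoint.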
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'k8s_resource_definitions'. Error was a <class 'KeyError'>, original message: 'kind'"}
It would be good to have kustomize support similar to how OpenShift templates are supported.
k8s_resources:
- name: Kustomize app
  kustomize: path/for/kustomize/build
The path supplied for kustomize should be searched for in the config sources and the fully qualified path is passed to the final kustomize build command.
It would be nice to have a convenience functionality for creating service accounts:
k8s_resources:
- namespace: someplace
  service_accounts:
  - someaccount
Rather than:
k8s_resources:
- namespace: someplace
  resources:
  - definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: someaccount