Enable v1.30 on EL 9 distributions

This commit makes Kubernetes v1.30 release work on EL 9 distros like AlmaLinux and Rocky, by: - Setting the new default K8s relase to v1.30. - Updating keepalived system container relase to the latest. - Updating the release and simplifying the configurations of haproxy system container. - Updating README by adding TLS ingress examples to reflect new haproxy confs. Fixes: #1
mmul-it · May 30, 2024 · c7bdf7c · c7bdf7c
1 parent 8996922
commit c7bdf7c
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -424,6 +424,35 @@ $ curl http://demo.192.168.122.199.nip.io
 <html><body><h1>It works!</h1></body></html>
 ```
 
+Or to test TLS:
+
+```console
+$ kubectl create deployment demo --image=httpd --port=80
+deployment.apps/demo created
+
+$ kubectl expose deployment demo
+service/demo exposed
+
+$ openssl genrsa -out cert.key 2048
+(no output)
+
+$ openssl req -new -key cert.key -out cert.csr -subj "/CN=demo.192.168.122.199.nip.io"
+(no output)
+
+$ openssl x509 -req -days 366 -in cert.csr -signkey cert.key -out cert.crt
+Certificate request self-signature ok
+subject=CN = demo.192.168.122.199.nip.io
+
+$ kubectl create secret tls tls-secret --cert=./cert.crt --key=./cert.key
+secret/tls-secret created
+
+$ kubectl create ingress demo --class=nginx --rule="demo.192.168.122.199.nip.io/*=demo:80,tls=tls-secret"
+ingress.networking.k8s.io/demo created
+
+$ curl -k https://demo.192.168.122.199.nip.io
+<html><body><h1>It works!</h1></body></html>
+```
+
 #### Ingress NGINX with MetalLB
 
 Another way is to use it in combination with MetalLB, by declaring a

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 
-k8s_release: 'v1.29'
+k8s_release: 'v1.30'
 
 k8s_local_workdir: "~/kubernetes"
 
@@ -27,6 +27,7 @@ k8s_redhat_packages:
   - containerd.io
   - kubeadm
   - kubectl
+  - kubelet
 
 k8s_container_service: "{{ 'docker' if ansible_distribution_major_version == '7' else 'containerd' }}"
 

diff --git a/templates/multi-control-plane/haproxy.cfg.j2 b/templates/multi-control-plane/haproxy.cfg.j2
@@ -2,8 +2,8 @@
 # Global settings
 #---------------------------------------------------------------------
 global
-    log /dev/log local0
-    log /dev/log local1 notice
+    log stdout format raw local0
+    maxconn 4096
     daemon
 
 #---------------------------------------------------------------------
@@ -26,7 +26,6 @@ defaults
     timeout server          20s
     timeout http-keep-alive 10s
     timeout check           10s
-    maxconn                 3000
 
 #---------------------------------------------------------------------
 # main frontend which proxys to the apiserver backends
@@ -41,15 +40,15 @@ frontend apiserver
 # round robin balancing between the various k8s control planes
 #---------------------------------------------------------------------
 backend apiserver
-    option  httpchk GET /readyz HTTP/1.0
-    option  log-health-checks
+    option  httpchk
+    http-check connect ssl
+    http-check send meth GET uri /healthz
     http-check expect status 200
     mode tcp
     balance     roundrobin
-    default-server verify none check-ssl inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 5000 maxqueue 5000 weight 100
 {% for host in ansible_play_batch %}
 {% if hostvars[host].k8s_role == 'control-plane' %}
-    server control-plane-{{ loop.index }} {{ host }}:{{ k8s_control_plane_port }} check
+    server control-plane-{{ loop.index }} {{ host }}:{{ k8s_control_plane_port }} check verify none
 {% endif %}
 {% endfor %}
 
@@ -74,25 +73,17 @@ frontend ingresshttps
 # round robin balancing between the various k8s control planes
 #---------------------------------------------------------------------
 backend ingresshttp
-    option  httpchk GET /readyz HTTP/1.0
-    option  log-health-checks
-    http-check expect status 200
     mode tcp
     balance     roundrobin
-    default-server verify none check-ssl inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 5000 maxqueue 5000 weight 100
 {% for host in ansible_play_batch %}
 {% if hostvars[host].k8s_role == 'control-plane' %}
     server control-plane-{{ loop.index }} {{ host }}:80 check
 {% endif %}
 {% endfor %}
 
 backend ingresshttps
-    option  httpchk GET /readyz HTTP/1.0
-    option  log-health-checks
-    http-check expect status 200
     mode tcp
     balance     roundrobin
-    default-server verify none check-ssl inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 5000 maxqueue 5000 weight 100
 {% for host in ansible_play_batch %}
 {% if hostvars[host].k8s_role == 'control-plane' %}
     server control-plane-{{ loop.index }} {{ host }}:443 check

diff --git a/templates/multi-control-plane/haproxy_pod.yaml.j2 b/templates/multi-control-plane/haproxy_pod.yaml.j2
@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
 spec:
   containers:
-  - image: haproxy:2.1.4
+  - image: haproxy:2.8
     name: haproxy
     livenessProbe:
       failureThreshold: 8
@@ -14,6 +14,13 @@ spec:
         path: /healthz
         port: {{ k8s_balancer_port }}
         scheme: HTTPS
+    {% if k8s_ingress_nginx_haproxy_conf | bool %}
+    securityContext:
+      capabilities:
+        add:
+        - NET_BIND_SERVICE
+      runAsUser: 0
+    {% endif %}
     volumeMounts:
     - mountPath: /usr/local/etc/haproxy/haproxy.cfg
       name: haproxyconf

diff --git a/templates/multi-control-plane/keepalived_pod.yaml.j2 b/templates/multi-control-plane/keepalived_pod.yaml.j2
@@ -6,7 +6,7 @@ metadata:
   namespace: kube-system
 spec:
   containers:
-  - image: osixia/keepalived:2.0.17
+  - image: osixia/keepalived:2.0.20
     name: keepalived
     resources: {}
     securityContext: