k3s_server: add kube_vip_arp parameter (#550)

With the kube_vip_arp parameter it is possible to set or unset the
vip_arp environment variable of the kube-vip-ds daemonset. The value of
the kube_vip_arp is true by default to not change the existing default.

Signed-off-by: Christian Berendt <berendt@osism.tech>
Co-authored-by: Techno Tim <timothystewart6@gmail.com>

.github/workflows/cache.yml

@@ -16,7 +16,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
@@ -47,7 +47,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@74606c30450304eee8660aae751818321754feb1 # 3.0.9
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # 3.0.10
         with:
           allowlist: |
             aws-actions/

.github/workflows/test.yml

@@ -59,7 +59,7 @@ jobs:
           EOF
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
@@ -118,7 +118,7 @@ jobs:
 
       - name: Upload log files
         if: always() # do this even if a step before has failed
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # 4.3.4
         with:
           name: logs
           path: |

molecule/cilium/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        cilium_iface: eth0
+        cilium_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

requirements.txt

@@ -6,7 +6,7 @@
 #
 ansible-compat==4.1.11
     # via molecule
-ansible-core==2.16.6
+ansible-core==2.17.2
     # via
     #   -r requirements.in
     #   ansible-compat
@@ -96,7 +96,7 @@ platformdirs==4.1.0
     # via virtualenv
 pluggy==1.3.0
     # via molecule
-pre-commit==3.7.1
+pre-commit==3.8.0
     # via -r requirements.in
 pre-commit-hooks==4.6.0
     # via -r requirements.in

roles/k3s_server/defaults/main.yml

@@ -4,6 +4,9 @@
 # will determine the right interface automatically at runtime.
 kube_vip_iface: null
 
+# Enables ARP broadcasts from Leader
+kube_vip_arp: true
+
 # Name of the master group
 group_name_master: master
 

roles/k3s_server/tasks/main.yml

@@ -29,7 +29,7 @@
 - name: Deploy metallb manifest
   include_tasks: metallb.yml
   tags: metallb
-  when: kube_vip_lb_ip_range is not defined and (cilium_bgp is not defined or cilium_iface is not defined)
+  when: kube_vip_lb_ip_range is not defined and (not cilium_bgp or cilium_iface is not defined)
 
 - name: Deploy kube-vip manifest
   include_tasks: kube-vip.yml

roles/k3s_server/templates/vip.yaml.j2

@@ -27,7 +27,7 @@ spec:
         - manager
         env:
         - name: vip_arp
-          value: "true"
+          value: "{{ 'true' if kube_vip_arp | bool else 'false' }}"
         - name: port
           value: "6443"
 {% if kube_vip_iface %}

roles/k3s_server_post/tasks/cilium.yml

@@ -221,9 +221,10 @@
     - name: Configure Cilium BGP
       when: cilium_bgp
       block:
+
         - name: Copy BGP manifests to first master
           ansible.builtin.template:
-            src: "cilium-bgp.crs.j2"
+            src: "cilium.crs.j2"
             dest: /tmp/k3s/cilium-bgp.yaml
             owner: root
             group: root
@@ -246,37 +247,6 @@
           ansible.builtin.command: "{{ item }}"
           loop:
             - k3s kubectl get CiliumBGPPeeringPolicy.cilium.io
-          changed_when: false
-          loop_control:
-            label: "{{ item }}"
-
-    - name: Configure Cilium Load Balancer
-      when: cilium_iface
-      block:
-        - name: Copy Load Balancer manifests to first master
-          ansible.builtin.template:
-            src: "cilium-lb.crs.j2"
-            dest: /tmp/k3s/cilium-lb.yaml
-            owner: root
-            group: root
-            mode: 0755
-
-        - name: Apply LB manifests
-          ansible.builtin.command:
-            cmd: kubectl apply -f /tmp/k3s/cilium-lb.yaml
-          register: apply_cr
-          changed_when: "'configured' in apply_cr.stdout or 'created' in apply_cr.stdout"
-          failed_when: "'is invalid' in apply_cr.stderr"
-          ignore_errors: true
-
-        - name: Print error message if LB manifests application fails
-          ansible.builtin.debug:
-            msg: "{{ apply_cr.stderr }}"
-          when: "'is invalid' in apply_cr.stderr"
-
-        - name: Test for LB config resources
-          ansible.builtin.command: "{{ item }}"
-          loop:
             - k3s kubectl get CiliumLoadBalancerIPPool.cilium.io
           changed_when: false
           loop_control:

roles/k3s_server_post/tasks/main.yml

@@ -12,7 +12,7 @@
 - name: Deploy metallb pool
   include_tasks: metallb.yml
   tags: metallb
-  when: kube_vip_lb_ip_range is not defined and (cilium_bgp is not defined or cilium_iface is not defined)
+  when: kube_vip_lb_ip_range is not defined and (not cilium_bgp or cilium_iface is not defined)
 
 - name: Remove tmp directory used for manifests
   file:

roles/k3s_server_post/templates/cilium-lb.crs.j2

@@ -1,13 +0,0 @@
----
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: "01-lb-pool"
-spec:
-  blocks:
-{% if "/" in cilium_bgp_lb_cidr %}
-  - cidr: {{ cilium_bgp_lb_cidr }}
-{% else %}
-  - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
-    stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
-{% endif %}

roles/k3s_server_post/templates/cilium.crs.j2

@@ -19,3 +19,16 @@ spec: # CiliumBGPPeeringPolicySpec
    serviceSelector:
       matchExpressions:
          - {key: somekey, operator: NotIn, values: ['never-used-value']}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "01-lb-pool"
+spec:
+  blocks:
+{% if "/" in cilium_bgp_lb_cidr %}
+  - cidr: {{ cilium_bgp_lb_cidr }}
+{% else %}
+  - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
+    stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
+{% endif %}