Merge 7239c927de into b86156b995

* Added support for metallb >= 0.14.4

* update gpg

* Added support for metallb >= 0.14.4

* remove extra file

---------

Co-authored-by: Konstantin Kornienko <k.kornienko@postgrespro.ru>
Co-authored-by: Konstantin Kornienko <konstantin.kornienko@gmail.com>

.github/workflows/cache.yml

@@ -16,7 +16,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
@@ -47,7 +47,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # 3.0.10
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@74606c30450304eee8660aae751818321754feb1 # 3.0.9
         with:
           allowlist: |
             aws-actions/

.github/workflows/test.yml

@@ -59,7 +59,7 @@ jobs:
           EOF
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # 5.1.1
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # 5.1.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
@@ -118,7 +118,7 @@ jobs:
 
       - name: Upload log files
         if: always() # do this even if a step before has failed
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # 4.3.4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
         with:
           name: logs
           path: |

molecule/cilium/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        cilium_iface: eth1
+        cilium_iface: eth0
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

requirements.txt

@@ -6,7 +6,7 @@
 #
 ansible-compat==4.1.11
     # via molecule
-ansible-core==2.17.2
+ansible-core==2.16.6
     # via
     #   -r requirements.in
     #   ansible-compat
@@ -96,7 +96,7 @@ platformdirs==4.1.0
     # via virtualenv
 pluggy==1.3.0
     # via molecule
-pre-commit==3.8.0
+pre-commit==3.7.1
     # via -r requirements.in
 pre-commit-hooks==4.6.0
     # via -r requirements.in

roles/k3s_server/defaults/main.yml

@@ -4,9 +4,6 @@
 # will determine the right interface automatically at runtime.
 kube_vip_iface: null
 
-# Enables ARP broadcasts from Leader
-kube_vip_arp: true
-
 # Name of the master group
 group_name_master: master
 

roles/k3s_server/tasks/main.yml

@@ -29,7 +29,7 @@
 - name: Deploy metallb manifest
   include_tasks: metallb.yml
   tags: metallb
-  when: kube_vip_lb_ip_range is not defined and (not cilium_bgp or cilium_iface is not defined)
+  when: kube_vip_lb_ip_range is not defined and (cilium_bgp is not defined or cilium_iface is not defined)
 
 - name: Deploy kube-vip manifest
   include_tasks: kube-vip.yml

roles/k3s_server/templates/vip.yaml.j2

@@ -27,7 +27,7 @@ spec:
         - manager
         env:
         - name: vip_arp
-          value: "{{ 'true' if kube_vip_arp | bool else 'false' }}"
+          value: "true"
         - name: port
           value: "6443"
 {% if kube_vip_iface %}

roles/k3s_server_post/tasks/cilium.yml

@@ -221,10 +221,9 @@
     - name: Configure Cilium BGP
       when: cilium_bgp
       block:
-
         - name: Copy BGP manifests to first master
           ansible.builtin.template:
-            src: "cilium.crs.j2"
+            src: "cilium-bgp.crs.j2"
             dest: /tmp/k3s/cilium-bgp.yaml
             owner: root
             group: root
@@ -247,6 +246,37 @@
           ansible.builtin.command: "{{ item }}"
           loop:
             - k3s kubectl get CiliumBGPPeeringPolicy.cilium.io
+          changed_when: false
+          loop_control:
+            label: "{{ item }}"
+
+    - name: Configure Cilium Load Balancer
+      when: cilium_iface
+      block:
+        - name: Copy Load Balancer manifests to first master
+          ansible.builtin.template:
+            src: "cilium-lb.crs.j2"
+            dest: /tmp/k3s/cilium-lb.yaml
+            owner: root
+            group: root
+            mode: 0755
+
+        - name: Apply LB manifests
+          ansible.builtin.command:
+            cmd: kubectl apply -f /tmp/k3s/cilium-lb.yaml
+          register: apply_cr
+          changed_when: "'configured' in apply_cr.stdout or 'created' in apply_cr.stdout"
+          failed_when: "'is invalid' in apply_cr.stderr"
+          ignore_errors: true
+
+        - name: Print error message if LB manifests application fails
+          ansible.builtin.debug:
+            msg: "{{ apply_cr.stderr }}"
+          when: "'is invalid' in apply_cr.stderr"
+
+        - name: Test for LB config resources
+          ansible.builtin.command: "{{ item }}"
+          loop:
             - k3s kubectl get CiliumLoadBalancerIPPool.cilium.io
           changed_when: false
           loop_control:

roles/k3s_server_post/tasks/main.yml

@@ -12,7 +12,7 @@
 - name: Deploy metallb pool
   include_tasks: metallb.yml
   tags: metallb
-  when: kube_vip_lb_ip_range is not defined and (not cilium_bgp or cilium_iface is not defined)
+  when: kube_vip_lb_ip_range is not defined and (cilium_bgp is not defined or cilium_iface is not defined)
 
 - name: Remove tmp directory used for manifests
   file:

roles/k3s_server_post/templates/cilium-bgp.crs.j2

@@ -19,16 +19,3 @@ spec: # CiliumBGPPeeringPolicySpec
    serviceSelector:
       matchExpressions:
          - {key: somekey, operator: NotIn, values: ['never-used-value']}
----
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: "01-lb-pool"
-spec:
-  blocks:
-{% if "/" in cilium_bgp_lb_cidr %}
-  - cidr: {{ cilium_bgp_lb_cidr }}
-{% else %}
-  - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
-    stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
-{% endif %}

roles/k3s_server_post/templates/cilium-lb.crs.j2

@@ -0,0 +1,13 @@
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "01-lb-pool"
+spec:
+  blocks:
+{% if "/" in cilium_bgp_lb_cidr %}
+  - cidr: {{ cilium_bgp_lb_cidr }}
+{% else %}
+  - start: {{ cilium_bgp_lb_cidr.split('-')[0] }}
+    stop: {{ cilium_bgp_lb_cidr.split('-')[1] }}
+{% endif %}