
205 lines
6.8 KiB

Upgrade ansible (#10190)

* project: update all dependencies including ansible

  Upgrade to ansible 7.x and ansible-core 2.14.x. There seems to be an issue with ansible 8/ansible-core 2.15 so we remain on those versions for now. It's quite a big bump already anyway.

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* tests: install aws galaxy collection

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* ansible-lint: disable various rules after ansible upgrade

  Temporarily disable a bunch of linting actions following the ansible upgrade. Those should be taken care of separately.

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve deprecated-module ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve no-free-form ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[meta] ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[playbook] ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve schema[tasks] ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve risky-file-permissions ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve risky-shell-pipe ansible-lint error

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: remove deprecated warn args

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: use fqcn for non builtin tasks

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: resolve syntax-check[missing-file] for contrib playbook

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: use arithmetic inside jinja to fix ansible 6 upgrade

  Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

---------

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
---
- name: Testcases for network
  hosts: kube_control_plane[0]
  vars:
    test_image_repo: registry.k8s.io/e2e-test-images/agnhost
    test_image_tag: "2.40"
  tasks:
    - name: Force binaries directory for Flatcar Container Linux by Kinvolk
      set_fact:
        bin_dir: "/opt/bin"
      when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

    - name: Force binaries directory for other hosts
      set_fact:
        bin_dir: "/usr/local/bin"
      when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

    - name: Check kubelet serving certificates approved with kubelet_csr_approver
      when:
        - kubelet_rotate_server_certificates | default(false)
        - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
      block:
        - name: Get certificate signing requests
          command: "{{ bin_dir }}/kubectl get csr"
          register: get_csr
          changed_when: false

        - debug: # noqa name[missing]
            msg: "{{ get_csr.stdout.split('\n') }}"

        - name: Check there are csrs
          assert:
            that: get_csr.stdout_lines | length > 0
            fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found

        - name: Get Denied/Pending certificate signing requests
          # `set -o pipefail` is not supported by every /bin/sh (e.g. older dash), so run
          # this pipeline under bash like the other pipefail shells in this play; otherwise
          # the `|| true` fallback can hide a rejected `set` behind empty output.
          shell: "set -o pipefail && {{ bin_dir }}/kubectl get csr | grep -e Denied -e Pending || true"
          args:
            executable: /bin/bash
          register: get_csr_denied_pending
          changed_when: false

        - name: Check there are Denied/Pending csrs
          assert:
            that: get_csr_denied_pending.stdout_lines | length == 0
            fail_msg: kubelet_csr_approver is enabled but CSRs are not approved

    - name: Approve kubelet serving certificates
      when:
        - kubelet_rotate_server_certificates | default(false)
        - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)))
      block:
        - name: Get certificate signing requests
          command: "{{ bin_dir }}/kubectl get csr -o name"
          register: get_csr
          changed_when: false

        - name: Check there are csrs
          assert:
            that: get_csr.stdout_lines | length > 0
            fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found

        - name: Approve certificates
          command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}"
          register: certificate_approve
          when: get_csr.stdout_lines | length > 0
          changed_when: certificate_approve.stdout

        - debug: # noqa name[missing]
            msg: "{{ certificate_approve.stdout.split('\n') }}"

    - name: Create test namespace
      command: "{{ bin_dir }}/kubectl create namespace test"
      changed_when: false

    - name: Wait for API token of test namespace
      shell: "set -o pipefail && {{ bin_dir }}/kubectl describe serviceaccounts default --namespace test | grep Tokens | awk '{print $2}'"
      args:
        executable: /bin/bash
      changed_when: false
      register: default_token
      until: default_token.stdout | length > 0
      retries: 5
      delay: 5

    - name: Run 2 agnhost pods in test ns
      shell:
        cmd: |
          set -o pipefail
          cat <<EOF | {{ bin_dir }}/kubectl apply -f -
          apiVersion: v1
          kind: Pod
          metadata:
            name: {{ item }}
            namespace: test
          spec:
            containers:
            - name: agnhost
              image: {{ test_image_repo }}:{{ test_image_tag }}
              command: ['/agnhost', 'netexec', '--http-port=8080']
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ['ALL']
                runAsUser: 1000
                runAsNonRoot: true
                seccompProfile:
                  type: RuntimeDefault
          EOF
        executable: /bin/bash
      changed_when: false
      loop:
        - agnhost1
        - agnhost2

    - import_role: # noqa name[missing]
        name: cluster-dump

    - name: Check that all pods are running and ready
      command: "{{ bin_dir }}/kubectl get pods --namespace test --no-headers -o yaml"
      changed_when: false
      register: run_pods_log
      until:
        # Check that all pods are running
        - '(run_pods_log.stdout | from_yaml)["items"] | map(attribute = "status.phase") | unique | list == ["Running"]'
        # Check that all pods are ready
        - '(run_pods_log.stdout | from_yaml)["items"] | map(attribute = "status.containerStatuses") | map("map", attribute = "ready") | map("min") | min'
      retries: 18
      delay: 10
      failed_when: false
      no_log: true

    - name: Get pod names
      command: "{{ bin_dir }}/kubectl get pods -n test -o json"
      changed_when: false
      register: pods
      no_log: true

    - debug: # noqa name[missing]
        msg: "{{ pods.stdout.split('\n') }}"
      failed_when: not run_pods_log is success

    - name: Get hostnet pods
      command: "{{ bin_dir }}/kubectl get pods -n test -o
        jsonpath='{range .items[?(.spec.hostNetwork)]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'"
      changed_when: false
      register: hostnet_pods
      ignore_errors: true # noqa ignore-errors
      no_log: true

    - name: Get running pods
      command: "{{ bin_dir }}/kubectl get pods -n test -o
        jsonpath='{range .items[?(.status.phase==\"Running\")]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'"
      changed_when: false
      register: running_pods
      no_log: true

    - name: Check kubectl output
      command: "{{ bin_dir }}/kubectl get pods --all-namespaces -owide"
      changed_when: false
      register: get_pods
      no_log: true

    - debug: # noqa name[missing]
        msg: "{{ get_pods.stdout.split('\n') }}"

    - name: Set networking facts
      set_fact:
        kube_pods_subnet: 10.233.64.0/18
        pod_names: "{{ (pods.stdout | from_json)['items'] | map(attribute='metadata.name') | list }}"
        pod_ips: "{{ (pods.stdout | from_json)['items'] | selectattr('status.podIP', 'defined') | map(attribute='status.podIP') | list }}"
        pods_hostnet: |
          {% set list = hostnet_pods.stdout.split(" ") %}
          {{ list }}
        pods_running: |
          {% set list = running_pods.stdout.split(" ") %}
          {{ list }}

    - name: Check pods IP are in correct network
      assert:
        that: item | ansible.utils.ipaddr(kube_pods_subnet)
      when:
        - not item in pods_hostnet
        - item in pods_running
      with_items: "{{ pod_ips }}"

    - name: Curl between pods is working
      command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
      when:
        - not item[0] in pods_hostnet
        - not item[1] in pods_hostnet
      with_nested:
        - "{{ pod_names }}"
        - "{{ pod_ips }}"

    - name: Curl between hostnet pods is working
      command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080"
      when:
        - item[0] in pods_hostnet
        - item[1] in pods_hostnet
      with_nested:
        - "{{ pod_names }}"
        - "{{ pod_ips }}"