fix: add tolerations / affinity to cert-manager (#8389)

Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
2 years ago · 86953b2ac4
3 changed files with 57 additions and 0 deletions
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@ -130,6 +130,24 @@ ingress_alb_enabled: false
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"
+# cert_manager_tolerations:
+#   - key: node-role.kubernetes.io/master
+#     effect: NoSchedule
+#   - key: node-role.kubernetes.io/control-plane
+#     effect: NoSchedule
+# cert_manager_affinity:
+#  nodeAffinity:
+#    preferredDuringSchedulingIgnoredDuringExecution:
+#    - weight: 100
+#      preference:
+#        matchExpressions:
+#        - key: node-role.kubernetes.io/control-plane
+#          operator: In
+#          values:
+#          - ""
+# cert_manager_nodeselector:
+#   kubernetes.io/os: "linux"
+
 # cert_manager_trusted_internal_ca: |
 #   -----BEGIN CERTIFICATE-----
 #   [REPLACE with your CA certificate]
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@ -1,3 +1,6 @@
 ---
 cert_manager_namespace: "cert-manager"
 cert_manager_user: 1001
+cert_manager_tolerations: []
+cert_manager_affinity: {}
+cert_manager_nodeselector: {}
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@ -874,6 +874,18 @@ spec:
                fieldPath: metadata.namespace
          resources:
            {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 ---
 {% if cert_manager_trusted_internal_ca is defined %}
 apiVersion: v1
@ -939,6 +951,18 @@ spec:
                fieldPath: metadata.namespace
          resources:
            {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 {% if cert_manager_trusted_internal_ca is defined %}
          volumeMounts:
          - mountPath: /etc/ssl/certs/internal-ca.pem
@ -1023,6 +1047,18 @@ spec:
                fieldPath: metadata.namespace
          resources:
            {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 ---
 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1