feat(k3s): replace nginx loadbalancer with kube-vip for control-plane HA
Deploys kube-vip as a DaemonSet on all k3s server nodes, advertising a VIP (192.168.20.2) via ARP. Eliminates the single-point-of-failure k3s-loadbalancer VM.
- New kube_vip role: RBAC + DaemonSet templates, TLS SAN cert rotation
- playbooks/kube-vip.yaml: migration playbook (serial=1, idempotent)
- Updated k3s install tasks (server primary/secondary, agent) to use k3s_vip instead of the loadbalancer VM IP
- Added k3s_vip: 192.168.20.2 to group_vars (below DHCP range .11-.250)
Migration steps are in the playbook header comment.
61
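--- /dev/null
+++ b/roles/kube_vip/tasks/main.yaml
@@ -0,0 +1,61 @@
+---
+- name: Remove stale static pod manifest if present
+  ansible.builtin.file:
+    path: "{{ kube_vip_static_pod_path }}"
+    state: absent
+  become: true
+
+- name: Ensure k3s server manifests directory exists
+  ansible.builtin.file:
+    path: "{{ kube_vip_manifests_dir }}"
+    state: directory
+    mode: "0755"
+  become: true
+
+- name: Deploy kube-vip RBAC manifest
+  ansible.builtin.template:
+    src: templates/kube-vip-rbac.yaml.j2
+    dest: "{{ kube_vip_manifests_dir }}/kube-vip-rbac.yaml"
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Deploy kube-vip DaemonSet manifest
+  ansible.builtin.template:
+    src: templates/kube-vip.yaml.j2
+    dest: "{{ kube_vip_manifests_dir }}/kube-vip.yaml"
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+
+- name: Ensure VIP is present in k3s TLS SANs config
+  ansible.builtin.blockinfile:
+    path: /etc/rancher/k3s/config.yaml
+    create: true
+    marker: "# {mark} ANSIBLE MANAGED kube-vip TLS SAN"
+    block: |
+      tls-san:
+        - "{{ k3s_vip }}"
+  become: true
+  register: tls_san_added
+
+- name: Stop k3s for certificate rotation
+  ansible.builtin.systemd:
+    name: k3s
+    state: stopped
+  become: true
+  when: tls_san_added.changed
+
+- name: Rotate k3s certificates to include VIP in SAN
+  ansible.builtin.command: k3s certificate rotate
+  become: true
+  when: tls_san_added.changed
+
+- name: Start k3s after certificate rotation
+  ansible.builtin.systemd:
+    name: k3s
+    state: started
+  become: true
+  when: tls_san_added.changed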
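Review bot: The stop → rotate → start sequence at the end of the file has no failure path: if `k3s certificate rotate` exits non-zero the play aborts with the "Start k3s" task never reached, leaving that control-plane node down, and on a `serial=1` migration the next node is never touched either. Wrapping the three tasks in a `block:` with the start task under `always:` keeps the server coming back up regardless of the rotate result (and lets `when`/`become` be stated once). Separately, the `blockinfile` task appends a second top-level `tls-san:` key if `/etc/rancher/k3s/config.yaml` already declares one, which a YAML loader will silently resolve last-wins; a drop-in under `/etc/rancher/k3s/config.yaml.d/` (k3s merges that directory, verify for the k3s version in use) avoids the duplicate-key risk. Since `config.yaml` commonly carries the cluster join token, `create: true` without a `mode:` should also be paired with `mode: "0600"` so a freshly created file is not world-readable.
```yaml
- name: Rotate k3s certificates with the VIP in the SAN list
  when: tls_san_added.changed
  become: true
  block:
    - name: Stop k3s for certificate rotation
      ansible.builtin.systemd:
        name: k3s
        state: stopped
    - name: Rotate k3s certificates to include VIP in SAN
      ansible.builtin.command: k3s certificate rotate
  always:
    - name: Start k3s after certificate rotation
      ansible.builtin.systemd:
        name: k3s
        state: started
```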