fix: add tls sans options for k3s too (#1170)

* fix: add tls sans options for k3s too

Signed-off-by: Devin Buhl <[email protected]>

* chore: update comment

Signed-off-by: Devin Buhl <[email protected]>

---------

Signed-off-by: Devin Buhl <[email protected]>

.github/tests/config-k0s.yaml

@@ -1,3 +1,4 @@
+# Test: k0s
 ---
 ci_test: true
 
@@ -17,6 +18,7 @@ bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
 bootstrap_kube_api_addr: 10.10.10.254
+bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251

.github/tests/config-k3s-ipv4.yaml

@@ -17,6 +17,7 @@ bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
 bootstrap_kube_api_addr: 10.10.10.254
+bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251

.github/tests/config-k3s-ipv6.yaml

@@ -17,6 +17,7 @@ bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
 bootstrap_kube_api_addr: 10.10.10.254
+bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251

.github/tests/config-k3s-no-kube-vip.yaml

@@ -17,6 +17,7 @@ bootstrap_cloudflare_tunnel_secret: fake
 bootstrap_cloudflare_tunnel_id: fake
 bootstrap_node_cidr: 10.10.10.0/24
 bootstrap_kube_api_addr: # left blank to not use kube-vip
+bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251

bootstrap/tasks/validation/github.yaml

@@ -1,5 +1,6 @@
 ---
 - name: Query Github username
+  when: not ci_test | default(false)
   ansible.builtin.uri:
     url: https://api.github.com/users/{{ bootstrap_github_username }}
     timeout: 5
@@ -8,13 +9,14 @@
   register: result
 
 - name: Check if username exists
+  when: not ci_test | default(false)
   ansible.builtin.assert:
     that: result.json.login == bootstrap_github_username
     success_msg: Github user {{ bootstrap_github_username }} exists
     fail_msg: Github user {{ bootstrap_github_username }} does not exist
 
 - name: Query Github repo
-  when: not bootstrap_private_github_repo | default(false)
+  when: (not ci_test | default(false)) or (not bootstrap_private_github_repo | default(false))
   ansible.builtin.uri:
     url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}
     timeout: 5
@@ -23,14 +25,14 @@
   register: result
 
 - name: Check if repo exists
-  when: not bootstrap_private_github_repo | default(false)
+  when: (not ci_test | default(false)) or (not bootstrap_private_github_repo | default(false))
   ansible.builtin.assert:
     that: result.json.full_name == bootstrap_github_username + '/' + bootstrap_github_repository_name
     success_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} exists
     fail_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} does not exist
 
 - name: Query Github repo branch
-  when: not bootstrap_private_github_repo | default(false)
+  when: (not ci_test | default(false)) or (not bootstrap_private_github_repo | default(false))
   ansible.builtin.uri:
     url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}/branches/{{ bootstrap_github_repository_branch | default('main', true) }}
     timeout: 5
@@ -39,7 +41,7 @@
   register: result
 
 - name: Check if repo branch exists
-  when: not bootstrap_private_github_repo | default(false)
+  when: (not ci_test | default(false)) or (not bootstrap_private_github_repo | default(false))
   ansible.builtin.assert:
     that: result.json.name == bootstrap_github_repository_branch | default('main', true)
     success_msg: Github repo branch {{ bootstrap_github_repository_branch | default('main', true) }} exists

bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2

@@ -19,7 +19,7 @@ k3s_registration_address: "{{ kube_api_addr }}"
 k3s_server_manifests_templates:
   - custom-cilium-helmchart.yaml.j2
   - custom-coredns-helmchart.yaml.j2
-#% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr %#
+#% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr | default('') %#
 # /var/lib/rancher/k3s/server/manifests
 k3s_server_manifests_urls:
   - url: https://raw.githubusercontent.com/kube-vip/website/main/content/manifests/rbac.yaml

bootstrap/templates/ansible/inventory/group_vars/kubernetes/supplemental.yaml.j2

@@ -2,11 +2,14 @@
 timezone: "#{ bootstrap_timezone }#"
 github_username: "#{ bootstrap_github_username }#"
 coredns_addr: "#{ bootstrap_service_cidr.split(',')[0] | nthhost(10) }#"
-#% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr %#
+#% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr | default('') %#
 kube_api_addr: "#{ bootstrap_kube_api_addr }#"
 #% else %#
 kube_api_addr: "#{ bootstrap_nodes.master[0].address }#"
 #% endif %#
+#% if bootstrap_kube_api_hostname | default('') %#
+kube_api_hostname: "#{ bootstrap_kube_api_hostname }#"
+#% endif %#
 cluster_cidr: "#{ bootstrap_cluster_cidr.split(',')[0] }#"
 service_cidr: "#{ bootstrap_service_cidr.split(',')[0] }#"
 node_cidr: "#{ bootstrap_node_cidr }#"

bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2

@@ -12,6 +12,9 @@ k3s_server:
   #% endif %#
   tls-san:
     - "{{ kube_api_addr }}"
+    #% if bootstrap_kube_api_hostname | default('') %#
+    - "{{ kube_api_hostname }}"
+    #% endif %#
   docker: false
   flannel-backend: "none"             # This needs to be in quotes
   disable:

bootstrap/templates/ansible/playbooks/templates/kube-vip-static-pod.yaml.j2.j2

@@ -1,4 +1,4 @@
-#% if bootstrap_distribution == 'k3s' and (bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr) %#
+#% if bootstrap_distribution == 'k3s' and (bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr | default('')) %#
 ---
 apiVersion: v1
 kind: Pod

bootstrap/templates/k0s-config.yaml.j2

@@ -44,14 +44,14 @@ spec:
         api:
           sans:
             - "#{ bootstrap_kube_api_addr }#"
-            #% if bootstrap_kube_api_hostname is defined %#
+            #% if bootstrap_kube_api_hostname | default('') %#
             - "#{ bootstrap_kube_api_hostname }#"
             #% endif %#
             #% for item in bootstrap_nodes.master %#
             #% if item.address != bootstrap_kube_api_addr %#
             - "#{ item.address }#"
             #% endif %#
-            #% if (bootstrap_kube_api_hostname is not defined) or (item.name != bootstrap_kube_api_hostname) %#
+            #% if (not bootstrap_kube_api_hostname | default('')) or (item.name != bootstrap_kube_api_hostname | default('')) %#
             - "#{ item.name }#"
             #% endif %#
             #% endfor %#
@@ -90,10 +90,10 @@ spec:
                   ipv6:
                     enabled: true
                   #% endif %#
-                  #% if bootstrap_nodes.master | length == 1 and not bootstrap_kube_api_addr %#
-                  k8sServiceHost: "#{ bootstrap_nodes.master[0].address }#"
-                  #% else %#
+                  #% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr | default('') %#
                   k8sServiceHost: "#{ bootstrap_kube_api_addr }#"
+                  #% else %#
+                  k8sServiceHost: "#{ bootstrap_nodes.master[0].address }#"
                   #% endif %#
                   k8sServicePort: 6443
                   kubeProxyReplacement: true

bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2

@@ -7,10 +7,10 @@ metadata:
 data:
   TIMEZONE: "#{ bootstrap_timezone }#"
   COREDNS_ADDR: "#{ bootstrap_service_cidr.split(',')[0] | nthhost(10) }#"
-  #% if bootstrap_nodes.master | length == 1 and not bootstrap_kube_api_addr %#
-  KUBE_API_ADDR: "#{ bootstrap_nodes.master[0].address }#"
-  #% else %#
+  #% if bootstrap_nodes.master | length > 1 or bootstrap_kube_api_addr | default('') %#
   KUBE_API_ADDR: "#{ bootstrap_kube_api_addr }#"
+  #% else %#
+  KUBE_API_ADDR: "#{ bootstrap_nodes.master[0].address }#"
   #% endif %#
   CLUSTER_CIDR: "#{ bootstrap_cluster_cidr.split(',')[0] }#"
   SERVICE_CIDR: "#{ bootstrap_service_cidr.split(',')[0] }#"

bootstrap/vars/config.sample.yaml

@@ -4,7 +4,6 @@
 #
 
 # Distribution can either be 'k3s' or 'k0s'
-# Note that changing this to k0s will ignore `system_upgrade_controller` in the addons.
 bootstrap_distribution: k3s
 
 # Github username (e.g. onedr0p)
@@ -43,12 +42,12 @@ bootstrap_cloudflare_tunnel_id:
 # CIDR your nodes are on (e.g. 192.168.1.0/24)
 bootstrap_node_cidr:
 # The IP address of the Kube API, choose an available IP in your nodes network that is not being used
-# (Optional) Leave this blank if you are deploying a single master node, this will disable kube-vip in k3s
-# or keepalived in k0s and use the master node IP instead
+# Leave this blank if you are deploying a single master node, this will disable kube-vip in k3s
+# and keepalived in k0s and use the master node IP instead
 bootstrap_kube_api_addr:
-# The hostname of the Kube API, set this if you intend to call the Kube API by hostname rather than IP
-# (Optional) This is currently only utilized in k0s and is added to the Kube API cert sans
-# bootstrap_kube_api_hostname:
+# (Optional) The hostname of the Kube API, set this if you intend to call the Kube API by
+# hostname rather than IP. Hostname is added to the Kube API cert sans
+bootstrap_kube_api_hostname:
 # The Load balancer IP for k8s_gateway, choose an available IP in your nodes network that is not being used
 bootstrap_k8s_gateway_addr:
 # The Load balancer IP for external ingress, choose an available IP in your nodes network that is not being used