From 04b19359cb71aef2f6981a74fd69a6e6f8c3927a Mon Sep 17 00:00:00 2001
From: Hans Feldt <2808287+hafe@users.noreply.github.com>
Date: Wed, 21 Oct 2020 16:32:20 +0200
Subject: [PATCH] allow non existing etcd group (#6797)

When using kubeadm managed etcd, configuring an etcd group can now
be skipped.
---
 .../preinstall/tasks/0020-verify-settings.yml     | 15 ++++++++++++---
 .../kubernetes/preinstall/tasks/0090-etchosts.yml |  2 +-
 roles/kubespray-defaults/defaults/main.yaml       |  7 +++++--
 roles/kubespray-defaults/tasks/no_proxy.yml       |  2 +-
 .../calico/templates/calico-node.yml.j2           |  3 ++-
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
index 95086e6f9..e590d6609 100644
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -1,14 +1,22 @@
 ---
-- name: Stop if either kube-master, kube-node or etcd is empty
+- name: Stop if either kube-master or kube-node group is empty
   assert:
-    that: groups.get('{{ item }}')
+    that: "groups.get('{{ item }}')"
   with_items:
     - kube-master
     - kube-node
-    - etcd
   run_once: true
   when: not ignore_assert_errors
 
+- name: Stop if etcd group is empty in external etcd mode
+  assert:
+    that: groups.get('etcd')
+    fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
+  run_once: true
+  when:
+    - not ignore_assert_errors
+    - not etcd_kubeadm_enabled
+
 - name: Stop if non systemd OS type
   assert:
     that: ansible_service_mgr == "systemd"
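Review bot: The rewritten first assert, `that: "groups.get('{{ item }}')"`, puts Jinja delimiters inside an expression that Ansible already evaluates as a conditional, so the loop value is pasted into the expression text before evaluation. Passing the variable directly, `that: groups.get(item)`, should be equivalent for these literal group names and avoids the double templating. It also matches the form used by the new etcd task two blocks below (`that: groups.get('etcd')`). The first task would also benefit from a `fail_msg` naming the empty group, as the new etcd task has.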
@@ -61,6 +69,7 @@
     that: groups.etcd|length is not divisibleby 2
   when:
     - not ignore_assert_errors
+    - groups.get('etcd')
     - inventory_hostname in groups['etcd']
 
 - name: Stop if memory is too small for masters
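Review bot: The added `groups.get('etcd')` guard means the odd-member check above (`groups.etcd|length is not divisibleby 2`) is skipped entirely when no etcd group is defined. In that mode the etcd members are presumably the `kube-master` hosts, given the `etcd_hosts` fallback added in roles/kubespray-defaults/defaults/main.yaml, so an even number of masters would pass preinstall without any quorum warning. If `etcd_hosts` is in scope for this role, `that: etcd_hosts | length is not divisibleby 2` with `when: inventory_hostname in etcd_hosts` would keep the check in both modes. The task's name and `assert:` line are outside this hunk.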
diff --git a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
index a8c40f6f9..81913cb10 100644
--- a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
+++ b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
@@ -2,7 +2,7 @@
 - name: Hosts | create list from inventory
   set_fact:
     etc_hosts_inventory_block: |-
-      {% for item in (groups['k8s-cluster'] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
+      {% for item in (groups['k8s-cluster'] + groups['etcd']|default([]) + groups['calico-rr']|default([]))|unique -%}
       {% if 'access_ip' in hostvars[item] or 'ip' in hostvars[item] or 'ansible_default_ipv4' in hostvars[item] -%}
       {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(hostvars[item]['ansible_default_ipv4']['address'])) }}
       {%- if ('ansible_hostname' in hostvars[item] and item != hostvars[item]['ansible_hostname']) %} {{ hostvars[item]['ansible_hostname'] }}.{{ dns_domain }} {{ hostvars[item]['ansible_hostname'] }}{% endif %} {{ item }}.{{ dns_domain }} {{ item }}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 13c947a2d..7a9c31dc2 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -472,6 +472,9 @@ kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"
 # Set to true to deploy etcd-events cluster
 etcd_events_cluster_enabled: false
 
+# etcd group can be empty when kubeadm manages etcd
+etcd_hosts: "{{ groups['etcd'] | default(groups['kube-master']) }}"
+
 # Vars for pointing to etcd endpoints
 is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"
 etcd_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}"
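Review bot: `etcd_hosts` falls back to `groups['kube-master']` only when the `etcd` group is undefined, because `default()` without its second argument does not replace an empty list. An inventory that declares `[etcd]` with no hosts therefore yields an empty `etcd_hosts`, although the comment above says the group "can be empty" and the preinstall assert treats empty and missing alike through `groups.get('etcd')`. `etcd_hosts: "{{ groups['etcd'] | default(groups['kube-master'], true) }}"` covers both cases; the `etcd_access_addresses` and `etcd_events_access_addresses_list` loops in the next hunk inherit whatever this produces. The context line `is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"` still indexes the group directly and would presumably fail wherever it is evaluated without an `etcd` group, so `inventory_hostname in (groups['etcd'] | default([]))` would be consistent with the rest of the change.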
@@ -482,12 +485,12 @@ etcd_client_url: "https://{{ etcd_access_address }}:2379"
 etcd_events_peer_url: "https://{{ etcd_events_access_address }}:2382"
 etcd_events_client_url: "https://{{ etcd_events_access_address }}:2381"
 etcd_access_addresses: |-
-  {% for item in groups['etcd'] -%}
+  {% for item in etcd_hosts -%}
     https://{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }}:2379{% if not loop.last %},{% endif %}
   {%- endfor %}
 etcd_events_access_addresses_list: |-
   [
-  {% for item in groups['etcd'] -%}
+  {% for item in etcd_hosts -%}
     'https://{{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }}:2381'{% if not loop.last %},{% endif %}
   {%- endfor %}
   ]
diff --git a/roles/kubespray-defaults/tasks/no_proxy.yml b/roles/kubespray-defaults/tasks/no_proxy.yml
index 5af4cc068..a0de178f7 100755
--- a/roles/kubespray-defaults/tasks/no_proxy.yml
+++ b/roles/kubespray-defaults/tasks/no_proxy.yml
@@ -11,7 +11,7 @@
       {% else %}
       {% set cluster_or_master = 'k8s-cluster' %}
       {% endif %}
-      {%- for item in (groups[cluster_or_master] + groups['etcd'] + groups['calico-rr']|default([]))|unique -%}
+      {%- for item in (groups[cluster_or_master] + groups['etcd']|default([]) + groups['calico-rr']|default([]))|unique -%}
       {{ hostvars[item]['access_ip'] | default(hostvars[item]['ip'] | default(fallback_ips[item])) }},
       {%-   if item != hostvars[item].get('ansible_hostname', '') -%}
       {{ hostvars[item]['ansible_hostname'] }},
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index 056f26dd4..0cdfbbc02 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -18,8 +18,9 @@ spec:
       labels:
         k8s-app: calico-node
       annotations:
-        # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
+{% if calico_datastore == "etcd" %}
         kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
+{% endif %}
 {% if calico_felix_prometheusmetricsenabled %}
         prometheus.io/scrape: 'true'
         prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
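Review bot: With the cert-serial annotation now inside `{% if calico_datastore == "etcd" %}`, the `annotations:` key renders with no children when the datastore is not etcd and `calico_felix_prometheusmetricsenabled` is false, unless lines after this hunk add an unconditional annotation. A bare `annotations:` parses as null rather than an empty map, so it is worth confirming the rendered manifest still applies cleanly, or guarding the key itself with `{% if calico_datastore == "etcd" or calico_felix_prometheusmetricsenabled %}`. The deleted comment was stale, but the annotation is now undocumented. A replacement such as `# Changes when the etcd client certificate is reissued (presumably to roll the pods)` would help, once the intent is confirmed.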
-- 
GitLab