From 86953b2ac4eec87ff38fa07466c6741328d40389 Mon Sep 17 00:00:00 2001
From: cyril-corbon <corboncyril@gmail.com>
Date: Tue, 11 Jan 2022 18:14:26 +0100
Subject: [PATCH] fix: add tolerations / affinity to cert-manager (#8389)

Signed-off-by: Cyril Corbon <corboncyril@gmail.com>
---
 .../sample/group_vars/k8s_cluster/addons.yml  | 18 ++++++++++
 .../cert_manager/defaults/main.yml            |  3 ++
 .../templates/cert-manager.yml.j2             | 36 +++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 8ae1df7e5..d43c90e2d 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -130,6 +130,24 @@ ingress_alb_enabled: false
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"
+# cert_manager_tolerations:
+#   - key: node-role.kubernetes.io/master
+#     effect: NoSchedule
+#   - key: node-role.kubernetes.io/control-plane
+#     effect: NoSchedule
+# cert_manager_affinity:
+#  nodeAffinity:
+#    preferredDuringSchedulingIgnoredDuringExecution:
+#    - weight: 100
+#      preference:
+#        matchExpressions:
+#        - key: node-role.kubernetes.io/control-plane
+#          operator: In
+#          values:
+#          - ""
+# cert_manager_nodeselector:
+#   kubernetes.io/os: "linux"
+
 # cert_manager_trusted_internal_ca: |
 #   -----BEGIN CERTIFICATE-----
 #   [REPLACE with your CA certificate]
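Review bot: The commented-out `cert_manager_affinity` example is indented one space (`#  nodeAffinity:`) while the neighbouring `cert_manager_tolerations` and `cert_manager_nodeselector` examples use two, so an operator who uncomments all three blocks ends up with mixed indentation in the inventory. Aligning it to `#   nodeAffinity:` (two spaces after the `#`, like the other examples) keeps the sample consistent. Since the `node-role.kubernetes.io/control-plane` label carries an empty value, the match expression could also be written as `operator: Exists` without a `values:` list, which reads more clearly than `In` with `- ""`; both forms match the same nodes.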
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
index 58c09e6a9..74fbb52d7 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@@ -1,3 +1,6 @@
 ---
 cert_manager_namespace: "cert-manager"
 cert_manager_user: 1001
+cert_manager_tolerations: []
+cert_manager_affinity: {}
+cert_manager_nodeselector: {}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 96cfccf26..011042230 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -874,6 +874,18 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 ---
 {% if cert_manager_trusted_internal_ca is defined %}
 apiVersion: v1
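Review bot: The same twelve-line tolerations/nodeSelector/affinity block is pasted verbatim into three Deployments (this hunk and the two that follow at the cainjector and webhook pod specs), so any later fix to the indent width or filter arguments has to be applied three times. Defining it once near the top of the template, e.g. `{% macro cert_manager_scheduling() %}` wrapping the three `{% if %}` blocks, and emitting `{{ cert_manager_scheduling() }}` after each container's `resources:` would keep the three pod specs in step. Within the block, only tolerations passes `to_nice_yaml(indent=2)` while nodeSelector and affinity use the filter's default indent; the rendered YAML is valid either way, but choosing one indent for all three avoids the appearance of an intentional difference. The enclosing Deployment spec starts well before this hunk.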
@@ -939,6 +951,18 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 {% if cert_manager_trusted_internal_ca is defined %}
           volumeMounts:
           - mountPath: /etc/ssl/certs/internal-ca.pem
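Review bot: The pod-level `tolerations:`/`nodeSelector:`/`affinity:` keys (6 spaces) are inserted between the container's `resources:` and its `volumeMounts:` (both at 10 spaces), so when one of the scheduling variables is set together with `cert_manager_trusted_internal_ca`, the `volumeMounts` mapping is rendered nested under the last scheduling entry instead of the container, and the resulting Deployment fails API validation. Moving the three `{% if %}` blocks to after the `{% endif %}` that closes the `volumeMounts` conditional, and past the pod-level `volumes:` stanza if the template renders one for the internal CA, keeps the pod spec keys as siblings; the rest of that container spec is outside the hunk, so the exact insertion point needs checking there. A quick check would be to render the template with `cert_manager_tolerations` and `cert_manager_trusted_internal_ca` both set and run the output through `kubectl apply --dry-run=server`.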
@@ -1023,6 +1047,18 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
+{% if cert_manager_tolerations %}
+      tolerations:
+        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% if cert_manager_nodeselector %}
+      nodeSelector:
+        {{ cert_manager_nodeselector | to_nice_yaml | indent(width=8) }}
+{% endif %}
+{% if cert_manager_affinity %}
+      affinity:
+        {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
+{% endif %}
 ---
 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1
-- 
GitLab