preinstall: simplify OS packages selection

Since a2019c1c (Add a JSON schema describing the packages install structure, 2024-04-25), we use a custom structure to select which packages should be installed on a particular host OS. This has proven too rigid in practice, and the query is pretty complicated. Replace this by simply using an array of jinja conditions for the packages, which should be easier to understand for everyone and more flexible. Also remove the associated schema and validation which are no longer needed.

preinstall: simplify OS packages selection
8ff4ad2d · Max Gautier · d0f1d520 · d0f1d520 · 8ff4ad2d · 8ff4ad2d
Unverified Commit 8ff4ad2d authored 4 months ago by Max Gautier
--- a/roles/kubernetes/preinstall/files/pkgs-schema.json
+++ b/roles/kubernetes/preinstall/files/pkgs-schema.json
-{
-    "$schema": "https://json-schema.org/draft/2020-12/schema",
-    "$id": "https://kubespray.io/internal/os_packages.schema.json",
-    "title": "Os packages",
-    "description": "Criteria for selecting packages to install on Kubernetes nodes during installation by Kubespray",
-    "type": "object",
-    "patternProperties": {
-        ".*": {
-            "type": "object",
-            "additionalProperties": false,
-            "properties": {
-                "enabled": {
-                    "description": "Escape hatch to filter packages. The value is expected to be pre-resolved to a boolean by Jinja",
-                    "type": "boolean",
-                    "default": true
-                },
-                "groups": {
-                    "description": "Match if the host is in one of these groups. If not specified match any host.",
-                    "type": "array",
-                    "minItems": 1,
-                    "items":{
-                        "type": "string",
-                        "pattern": "^[0-9A-Za-z_]*$"
-                    }
-                },
-                "os": {
-                    "type": "object",
-                    "description": "If not specified match any OS. Otherwise, must match by 'families' or 'distributions' to be included.",
-                    "additionalProperties": false,
-                    "minProperties": 1,
-                    "properties": {
-                        "families": {
-                            "description": "Match if ansible_os_family is part of the list.",
-                            "type": "array",
-                            "minItems": 1,
-                            "items": {
-                                "type": "string"
-                            }
-                        },
-                        "distributions": {
-                            "type": "object",
-                            "description": "Match if ansible_distribution match one of defined keys.",
-                            "minProperties": 1,
-                            "patternProperties": {
-                                ".*": {
-                                    "description": "Match if either the value is the empty hash, or one major_versions/versions/releases contains the corresponding variable ('ansible_distrbution_*')",
-                                    "type": "object",
-                                    "additionalProperties": false,
-                                    "properties": {
-                                        "major_versions": {
-                                            "type": "array",
-                                            "minItems": 1,
-                                            "items": {
-                                                "type": "string"
-                                            }
-                                        },
-                                        "versions": {
-                                            "type": "array",
-                                            "minItems": 1,
-                                            "items": {
-                                                "type": "string"
-                                            }
-                                        },
-                                        "releases": {
-                                            "type": "array",
-                                            "minItems": 1,
-                                            "items": {
-                                                "type": "string"
-                                            }
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
--- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
@@ -321,11 +321,6 @@
    - kube_apiserver_enable_admission_plugins is defined
    - kube_apiserver_enable_admission_plugins | length > 0
- name: Verify that the packages list structure is valid
-  ansible.utils.validate:
-    criteria: "{{ lookup('file', 'pkgs-schema.json') }}"
-    data: "{{ pkgs }}"
 - name: Verify that the packages list is sorted
  vars:
    pkgs_lists: "{{ pkgs.keys() | list }}"

--- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
+++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
@@ -60,23 +60,8 @@
    - bootstrap-os
 - name: Install packages requirements
-  vars:
-    # The json_query for selecting packages name is split for readability
-    # see files/pkgs-schema.json for the structure of `pkgs`
-    # and the matching semantics
-    full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key"
-    filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]"
-    filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))"
-    dquote: !unsafe '"'
-    # necessary to workaround Ansible escaping
-    filters_distro: "distributions.{{ dquote }}{{ ansible_distribution  }}{{ dquote }} |
-                          @ == `{}` ||
-                          contains(not_null(major_versions, `[]`), '{{ ansible_distribution_major_version }}') ||
-                          contains(not_null(versions, `[]`), '{{ ansible_distribution_version }}') ||
-                          contains(not_null(releases, `[]`), '{{ ansible_distribution_release }}')"
-    filters_family: "families && contains(families, '{{ ansible_os_family }}')"
  package:
-    name: "{{ pkgs | dict2items | to_json|from_json | community.general.json_query(full_query) }}"
+    name: "{{ pkgs | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}"
    state: present
  register: pkgs_task_result
  until: pkgs_task_result is succeeded

--- a/roles/kubernetes/preinstall/vars/main.yml
+++ b/roles/kubernetes/preinstall/vars/main.yml
 ---
 pkgs:
-  apparmor: &debian_family_base
+  apparmor:
-    os:
+    - "{{ ansible_os_family == 'Debian' }}"
-      families:
+  apt-transport-https:
-      - Debian
+    - "{{ ansible_os_family == 'Debian' }}"
-  apt-transport-https: *debian_family_base
+  aufs-tools:
-  aufs-tools: &deb_10
+    - "{{ ansible_os_family == 'Debian' }}"
-    groups:
+    - "{{ ansible_distribution_major_version == '10' }}"
-    - k8s_cluster
+    - "{{ 'k8s_cluster' in group_names }}"
-    os:
+  bash-completion: []
-      distributions:
+  conntrack:
-        Debian:
+    - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
-          major_versions:
+    - "{{ 'k8s_cluster' in group_names }}"
-          - "10"
-  bash-completion: {}
-  conntrack: &deb_redhat
-    groups:
-    - k8s_cluster
-    os:
-      families:
-      - Debian
-      - RedHat
  conntrack-tools:
-    groups:
+    - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'Amazon' }}"
-    - k8s_cluster
+    - "{{ 'k8s_cluster' in group_names }}"
-    os:
+  container-selinux:
-      families:
+    - "{{ ansible_os_family == 'RedHat' }}"
-      - Suse
+    - "{{ 'k8s_cluster' in group_names }}"
-      distributions:
+  curl: []
-        Amazon: {}
-  container-selinux: &redhat_family
-    groups:
-    - k8s_cluster
-    os:
-      families:
-      - RedHat
-  curl: {}
  device-mapper:
-    groups:
+    - "{{ ansible_os_family == 'Suse' }}"
-    - k8s_cluster
+    - "{{ 'k8s_cluster' in group_names }}"
-    os:
+  device-mapper-libs:
-      families:
+    - "{{ ansible_os_family == 'RedHat' }}"
-      - Suse
+  e2fsprogs: []
-  device-mapper-libs: *redhat_family
+  ebtables: []
-  e2fsprogs: {}
+  gnupg:
-  ebtables: {}
+    - "{{ ansible_distribution == 'Debian' }}"
-  gnupg: &debian
+    - "{{ ansible_distribution_major_version in ['11', '12'] }}"
-    groups:
+    - "{{ 'k8s_cluster' in group_names }}"
-    - k8s_cluster
-    os:
-      distributions:
-        Debian:
-          major_versions:
-          - "11"
-          - "12"
  ipset:
-    enabled: "{{ kube_proxy_mode != 'ipvs' }}"
+    - "{{ kube_proxy_mode != 'ipvs' }}"
-    groups:
+    - "{{ 'k8s_cluster' in group_names }}"
-    - k8s_cluster
+  iptables:
-  iptables: *deb_redhat
+    - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
  ipvsadm:
-    enabled: "{{ kube_proxy_mode == 'ipvs' }}"
+    - "{{ kube_proxy_mode == 'ipvs' }}"
-    groups:
+    - "{{ 'k8s_cluster' in group_names }}"
-    - k8s_cluster
+  libseccomp:
-  libseccomp: *redhat_family
+    - "{{ ansible_os_family == 'RedHat' }}"
  libseccomp2:
-    groups:
+    - "{{ ansible_os_family in ['Debian', 'Suse'] }}"
-    - k8s_cluster
+    - "{{ 'k8s_cluster' in group_names }}"
-    os:
-      families:
-      - Suse
-      - Debian
  libselinux-python:  # TODO: Handle rehat_family + major < 8
-    os:
+    - "{{ ansible_distribution == 'Amazon' }}"
-      distributions:
-        Amazon: {}
  libselinux-python3:
-    os:
+    - "{{ ansible_distribution == 'Fedora' }}"
-      distributions:
-        Fedora: {}
  mergerfs:
-    os:
+    - "{{ ansible_distribution == 'Debian' }}"
-      distributions:
+    - "{{ ansible_distribution_major_version == '12' }}"
-        Debian:
+  nss:
-          major_versions:
+    - "{{ ansible_os_family == 'RedHat' }}"
-          - "12"
+  openssl: []
-  nss: *redhat_family
+  python-apt:
-  openssl: {}
+    - "{{ ansible_os_family == 'Debian' }}"
-  python-apt: *deb_10
+    - "{{ ansible_distribution_major_version == '10' }}"
-  # TODO: not for debian 10
+  python3-apt:
-  python3-apt: *debian_family_base
+    - "{{ ansible_os_family == 'Debian' }}"
+    - "{{ ansible_distribution_major_version != '10' }}"
  python3-libselinux:
-    os:
+    - "{{ ansible_distribution in ['RedHat', 'CentOS'] }}"
-      distributions:
+  rsync: []
-        RedHat: {}
+  socat: []
-        CentOS: {}
+  software-properties-common:
-  rsync: {}
+    - "{{ ansible_os_family == 'Debian' }}"
-  socat: {}
+  tar: []
-  software-properties-common: *debian_family_base
+  unzip: []
-  tar: {}
+  xfsprogs: []
-  unzip: {}
-  xfsprogs: {}