Update MetalLB deployment, wait for resource.

[Jeroen0494]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change

/kind bug

/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

Fixes #10003

What this PR does / why we need it:

Continuation of PR #9120.

Does this PR introduce a user-facing change?:

Update MetalLB deployment, wait for resource.

[k8s-ci-robot]

Hi @Jeroen0494. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Jeroen0494]

Also see my comment here:
#9120 (comment)

[floryut]

@Jeroen0494 Thanks for the followup fix 🙇
/ok-to-test

[liupeng0518]

#9990

pls rebase master branch.

[Jeroen0494]

#9990

pls rebase master branch.

Hi, I rebased, pushed some more fixes and squashed my commits.

[eugene-marchanka]

Hey! I have an issue running your branch:

TASK [kubernetes-apps/metallb : Kubernetes Apps | Install and configure MetalLB] **********************************************************************************************************
fatal: [test00-00]: FAILED! => 
  msg: '''dict object'' has no attribute ''results'''
skipping: [test00-01]
skipping: [test00-02]

Could you, please, take a look?
Thanks!

[Jeroen0494]

Hey! I have an issue running your branch:

TASK [kubernetes-apps/metallb : Kubernetes Apps | Install and configure MetalLB] **********************************************************************************************************
fatal: [test00-00]: FAILED! => 
  msg: '''dict object'' has no attribute ''results'''
skipping: [test00-01]
skipping: [test00-02]

Could you, please, take a look? Thanks!

Hi, I'm sorry this is happening. I'll look into it tomorrow afternoon when I'm at work, and give the whole thing a more thorough testing.

I'm also a bit surprised this wasn't noticed during CI/CD testing. @floryut is MetalLB included in the Kubespray CI tests?

[eugene-marchanka]

I fixed it modifying this:

- name: Kubernetes Apps | Lay Down MetalLB
  become: true
  template:
    src: "{{ item }}.j2"
    dest: "{{ kube_config_dir }}/{{ item }}"
    mode: 0644
  with_items:
  - metallb.yml
  register: metallb_rendering
  when:
  - "inventory_hostname == groups['kube_control_plane'][0]"

but faced another problem:

  msg: |-
    error running kubectl (/usr/local/bin/kubectl apply --force --wait --filename=/etc/kubernetes/metallb.yml) command (rc=1), out='customresourcedefinition.apiextensions.k8s.io/addresspools.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/bfdprofiles.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/bgpadvertisements.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/bgppeers.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/communities.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/ipaddresspools.metallb.io created
    customresourcedefinition.apiextensions.k8s.io/l2advertisements.metallb.io created
    clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
    clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
    clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
    clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
    ', err='error parsing /etc/kubernetes/metallb.yml: error converting YAML to JSON: yaml: line 133: mapping values are not allowed in this context
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found
    Error from server (NotFound): error when creating "/etc/kubernetes/metallb.yml": namespaces "metallb-system" not found

[eugene-marchanka]

some refactoring for error:

TASK [kubernetes-apps/metallb : MetalLB | Create address pools configuration] *************************************************************************************************************
fatal: [test00-00]: FAILED! =>                                                                                                                                                             
  msg: |-                                                                                                                                                                                  
    The task includes an option with an undefined variable. The error was: 'item' is undefined                                                                                             
                                                                                                                                                                                           
    The error appears to be in '..kubespray/roles/kubernetes-apps/metallb/tasks/main.yml': line 6
8, column 5, but may                                                                                                                                                                       
    be elsewhere in the file depending on the exact syntax problem.                                                                                                                        
                                                                                                                                                                                           
    The offending line appears to be:                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                                                                      
      - name: MetalLB | Create address pools configuration                                                                                                                                 
        ^ here                                                                                                                                                                             
skipping: [test00-01]                                                                                                                                                                      
skipping: [test00-02]

[eugene-marchanka]

another one:

TASK [kubernetes-apps/metallb : Kubernetes Apps | Delete MetalLB ConfigMap] ***************************************************************************************************************
skipping: [test00-01]
skipping: [test00-02]
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ModuleNotFoundError: No module named 'kubernetes'
fatal: [test00-00]: FAILED! => changed=false 
  error: No module named 'kubernetes'

[eugene-marchanka]

another one:

TASK [kubernetes-apps/metallb : Kubernetes Apps | Delete MetalLB ConfigMap] ***************************************************************************************************************
skipping: [test00-01]
skipping: [test00-02]
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ModuleNotFoundError: No module named 'kubernetes'
fatal: [test00-00]: FAILED! => changed=false 
  error: No module named 'kubernetes'

This works fine with me:

- name: Kubernetes Apps | Delete MetalLB ConfigMap
  command: "{{ bin_dir }}/kubectl delete configmap -n metallb-system config --ignore-not-found=true"
  when: inventory_hostname == groups['kube_control_plane'][0]
  no_log: "{{ not (unsafe_show_logs|bool) }}"

[floryut]

Hey! I have an issue running your branch:

TASK [kubernetes-apps/metallb : Kubernetes Apps | Install and configure MetalLB] **********************************************************************************************************
fatal: [test00-00]: FAILED! => 
  msg: '''dict object'' has no attribute ''results'''
skipping: [test00-01]
skipping: [test00-02]

Could you, please, take a look? Thanks!

Hi, I'm sorry this is happening. I'll look into it tomorrow afternoon when I'm at work, and give the whole thing a more thorough testing.

I'm also a bit surprised this wasn't noticed during CI/CD testing. @floryut is MetalLB included in the Kubespray CI tests?

Now that you are mentioning this, after a quick search we don't have any CI coverage for MetalLB use cases, not even a simple deployment :/

[Jeroen0494]

@eugene-marchanka Thank you for the help! I've updated the installation, should be quite a bit better now. Could you give it a spin?

[eugene-marchanka]

@eugene-marchanka Thank you for the help! I've updated the installation, should be quite a bit better now. Could you give it a spin?

Hey!
Just did another run and got an error:

TASK [kubernetes-apps/metallb : MetalLB | Create address pools configuration] *************************************************************************************************************
skipping: [test00-01]
skipping: [test00-02]
fatal: [test00-00]: FAILED! => changed=false 
  msg: |-
    error running kubectl (/usr/local/bin/kubectl apply --force --filename=/etc/kubernetes/pools.yaml) command (rc=1), out='', err='Error from server (InternalError): error when creating "/etc/kubernetes/pools.yaml": Internal error occurred: failed calling webhook "ipaddresspoolvalidationwebhook.metallb.io": failed to call webhook: Post "https://webhook-service.metallb-system.svc:443/validate-metallb-io-v1beta1-ipaddresspool?timeout=10s": dial tcp 10.233.14.18:443: connect: connection refused
    '

[Jeroen0494]

@eugene-marchanka Thank you for the help! I've updated the installation, should be quite a bit better now. Could you give it a spin?

Hey! Just did another run and got an error:

TASK [kubernetes-apps/metallb : MetalLB | Create address pools configuration] *************************************************************************************************************
skipping: [test00-01]
skipping: [test00-02]
fatal: [test00-00]: FAILED! => changed=false 
  msg: |-
    error running kubectl (/usr/local/bin/kubectl apply --force --filename=/etc/kubernetes/pools.yaml) command (rc=1), out='', err='Error from server (InternalError): error when creating "/etc/kubernetes/pools.yaml": Internal error occurred: failed calling webhook "ipaddresspoolvalidationwebhook.metallb.io": failed to call webhook: Post "https://webhook-service.metallb-system.svc:443/validate-metallb-io-v1beta1-ipaddresspool?timeout=10s": dial tcp 10.233.14.18:443: connect: connection refused
    '

Yea, so this is the reason I want to use the kubernetes.core.k8s module. Because the playbook needs to wait until the controller pod is properly running before resources can be created.

@floryut any change I can switch from using the self-written kube module to the kubernetes.core collection, and add this as a requirement in requirements.txt? Because the kube module doesn't have what I need to prevent any further errors in this regard. Without a proper wait-until-ready, this isn't going to work.

[eugene-marchanka]

@eugene-marchanka Thank you for the help! I've updated the installation, should be quite a bit better now. Could you give it a spin?

Hey! Just did another run and got an error:

TASK [kubernetes-apps/metallb : MetalLB | Create address pools configuration] *************************************************************************************************************
skipping: [test00-01]
skipping: [test00-02]
fatal: [test00-00]: FAILED! => changed=false 
  msg: |-
    error running kubectl (/usr/local/bin/kubectl apply --force --filename=/etc/kubernetes/pools.yaml) command (rc=1), out='', err='Error from server (InternalError): error when creating "/etc/kubernetes/pools.yaml": Internal error occurred: failed calling webhook "ipaddresspoolvalidationwebhook.metallb.io": failed to call webhook: Post "https://webhook-service.metallb-system.svc:443/validate-metallb-io-v1beta1-ipaddresspool?timeout=10s": dial tcp 10.233.14.18:443: connect: connection refused
    '

A workaround is to add simple sleep task before deploying pools. Finally deployed without issues 🚀 :

- name: Kubernetes Apps | Install and configure MetalLB
  kube:
    name: "MetalLB"
    kubectl: "{{ bin_dir }}/kubectl"
    filename: "{{ kube_config_dir }}/metallb.yml"
    state: "{{ metallb_rendering.changed | ternary('latest','present') }}"
    wait: true
  become: true
  when:
  - "inventory_hostname == groups['kube_control_plane'][0]"

- name: Sleep
  command: "sleep 300"
  when: inventory_hostname == groups['kube_control_plane'][0]
  no_log: "{{ not (unsafe_show_logs|bool) }}"

- name: MetalLB | Address pools
  block:
  - name: MetalLB | Layout address pools template
    ansible.builtin.template:
      src: pools.yaml.j2
      dest: "{{ kube_config_dir }}/pools.yaml"
      mode: 0644
    register: pools_rendering

[Jeroen0494]

Thank you so much for working hard to fix the issue @Jeroen0494 @eugene-marchanka !
@Jeroen0494 Could you apply @eugene-marchanka's workaround into this pull request? That would help many people I guess.

I certainly can, but this would implement a wait of 300, even if the controller is already running. What's against using the kubernetes.core.k8s module? I already have working code for this.

@oomichi kind reminder.

[yankay]

HI @Jeroen0494

The v2.22 will release the next week.
So the PR can be combined into v2.22 if it is merged before it.

[Jeroen0494]

HI @Jeroen0494

The v2.22 will release the next week. So the PR can be combined into v2.22 if it is merged before it.

Thanks. I'm still waiting for an answer for my question, so I guess it won't be ready before the release.

[Nathanael-Mtd]

Hi !

It seems Kubespray v2.22.0 release broke upgrade/install for metallb users because that PR isn't merged :/

Maybe it should a good idea to add an advertissement to tell users to skip the metallb upgrade for the v2.22.0 release ?

[cosandr]

Thanks for your effort, I've tried this PR out a bit and found some issues.

I'd also like to comment on the usage of kubernetes.core modules, these require the Python kubernetes library on the target host, which is likely not so trivial to setup considering the broad OS compatibility of kubespray. You could attempt to delegate these tasks to localhost, but personally I don't think that's a great solution either.

Oh yeah, and I suggest you look into kubectl wait instead of an arbitrary sleep, i.e. kubectl -n metallb-system wait --for condition=established --timeout=300s crd/addresspools.metallb.io.

[Jeroen0494]

Thanks for your effort, I've tried this PR out a bit and found some issues.

I'd also like to comment on the usage of kubernetes.core modules, these require the Python kubernetes library on the target host, which is likely not so trivial to setup considering the broad OS compatibility of kubespray. You could attempt to delegate these tasks to localhost, but personally I don't think that's a great solution either.

Oh yeah, and I suggest you look into kubectl wait instead of an arbitrary sleep, i.e. kubectl -n metallb-system wait --for condition=established --timeout=300s crd/addresspools.metallb.io.

Indeed we use connection: local for our internal Kubernetes deployments, the only change this would require for Kubespray is to add the following to the requirements.txt:

ansible-galaxy collection install kubernetes.core

That's really everything.

But I will take another look at the kubectl wait command to see if there is something this can offer. And I will review your requested changes.

[Jeroen0494]

@cosandr @yankay I've added a simple wait for the controller to be running.

[MrFreezeex]

A few comments but looks good overall, thanks :). Could you also add a test similarly to the other PR?

[MrFreezeex]

Ah and could you also please cleanup (or squash) you commit history?

[Jeroen0494]

@MrFreezeex fixes applied and commits squashed.

[MrFreezeex]

@MrFreezeex fixes applied and commits squashed.

It's missing a test like in here https://github.com/kubernetes-sigs/kubespray/pull/10135/files#diff-bd336fb2e0cd1a14218d71fb76a197149c77d677109d2415562c9c53fe774e76

[Jeroen0494]

I've added a basic test.

[MrFreezeex]

Thanks for your contribution and the extra miles of adding tests and docs!
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, Jeroen0494, MrFreezeex

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment