Feature/kube native upgrade #14
Draft
nekwar wants to merge 4 commits into
Adds a standalone playbook and task file to obtain the MKE3 client bundle via the REST API (/auth/login → /api/clientbundle), extract it locally, and delete the ZIP.
- mke-client-bundle-playbook.yml: targets managers to inherit mke_url from inventory all.vars; saves bundle to playbook_dir/mke-bundle
- tasks/mke-client-bundle-tasks.yml: auth with retries, download with retries, unzip, cleanup; all tasks delegate to localhost
- .gitignore: exclude ansible/mke-bundle/ (contains TLS keys)
Adds tasks to install mke-upgrade-controller via the client bundle kubeconfig, with optional System Upgrade Controller (SUC) deployment and the MKE privilege configuration SUC requires to operate.

mke-upgrade-controller-tasks.yml:
- fetches the client bundle (reuses mke-client-bundle-tasks.yml)
- conditionally deploys SUC from latest release manifests
- patches the SUC deployment with control-plane node affinity
- conditionally runs SUC privilege grants
- applies mke-upgrade-controller static manifests from feature/mke3-upgrade-support branch

suc-priv-grant-tasks.yml:
- GET /api/ucp/config-toml, merge, PUT — sets priv-attribute allowlists and enable_admin_ucp_scheduling = true in [scheduling_configuration]
- PUT /collectionGrants/authenticated/swarm/scheduler — grants Scheduler role to all authenticated users on the root swarm collection

tasks/helpers/suc_priv_grant.py:
- idempotent TOML merger: priv_attributes arrays in [cluster_config] and enable_admin_ucp_scheduling bool in [scheduling_configuration]
- accepts SA as CLI arg; all six priv attributes always granted

vars/common-vars.yml:
- deploy_suc (bool, default false)
- suc_service_account (default: system-upgrade:system-upgrade)
Moves the mke-upgrade-controller installation play out of mke-install-playbook.yml into a dedicated mke-post-install-playbook.yml. Motivation: all post-install operations run on localhost via the MKE REST API and kube API — no SSH to cluster nodes required. The standalone playbook can be re-run independently after SSH has been disabled without needing to repeat the full installation sequence. mke-install-playbook.yml delegates to the new playbook via import_playbook as its final step.
Sets SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS=3600 on the default-controller-env ConfigMap in the system-upgrade namespace. The default 900s deadline is insufficient for OS upgrade jobs which require pulling a ~1.4GB image and running bootc switch per node.
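The idempotent merge step described in the suc-priv-grant commit above (GET config-toml, merge, PUT), as an added example that is not the PR's own suc_priv_grant.py. It works on the dict a TOML parser returns; parsing and serialisation around the REST round-trip are assumed to be handled by the caller, and the key names and the six attribute names are assumptions, not taken from the page.

```python
"""Idempotent merge of SUC privilege grants into a parsed MKE config.toml dict."""
import copy

# Assumed: the six privileged attributes MKE can allow for a service account.
PRIV_ATTRIBUTES = ("hostBindMounts", "hostIPC", "hostNetwork", "hostPID",
                   "kernelCapabilities", "privileged")
# Assumed key names under [cluster_config]; check them against your MKE version.
ALLOWED_KEY = "priv_attributes_allowed_for_service_accounts"
SA_LIST_KEY = "priv_attributes_service_accounts"


def _append_unique(values: list, items) -> list:
    """Append each item at most once, keeping the existing order intact."""
    for item in items:
        if item not in values:
            values.append(item)
    return values


def grant_suc_privileges(config: dict, service_account: str) -> dict:
    """Return a copy of config with the SA allowed all six attributes and
    enable_admin_ucp_scheduling set; applying it twice gives the same dict."""
    if service_account.count(":") != 1:
        raise ValueError("service account must be namespace:name")
    merged = copy.deepcopy(config)          # never mutate the GET result
    cluster = merged.setdefault("cluster_config", {})
    _append_unique(cluster.setdefault(ALLOWED_KEY, []), PRIV_ATTRIBUTES)
    _append_unique(cluster.setdefault(SA_LIST_KEY, []), [service_account])
    sched = merged.setdefault("scheduling_configuration", {})
    sched["enable_admin_ucp_scheduling"] = True
    return merged


def changed(before: dict, after: dict) -> bool:
    """True only when a PUT is needed, so the task can report changed=false."""
    return before != after


# Constructed sample of a parsed GET /api/ucp/config-toml response.
SAMPLE_CONFIG = {
    "cluster_config": {"priv_attributes_allowed_for_service_accounts": ["privileged"]},
    "scheduling_configuration": {"enable_admin_ucp_scheduling": False},
}

if __name__ == "__main__":
    once = grant_suc_privileges(SAMPLE_CONFIG, "system-upgrade:system-upgrade")
    twice = grant_suc_privileges(once, "system-upgrade:system-upgrade")
    print("first run changed:", changed(SAMPLE_CONFIG, once))   # True
    print("second run changed:", changed(once, twice))          # False
```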
Ansible: automated MKE post-install configuration
Adds a post-install Ansible workflow that configures an MKE3 cluster without SSH — all operations run on the controller via the MKE REST API and kube API, safe to run after SSH is disabled.
What's added
- mke-client-bundle-playbook.yml / tasks/mke-client-bundle-tasks.yml: Fetches the MKE3 client bundle via REST API, extracts kube.yml, cleans up the ZIP. Auth and download both have retries.
- tasks/mke-upgrade-controller-tasks.yml: Installs mke-upgrade-controller (branch feature/mke3-upgrade-support) using the bundle kubeconfig. When deploy_suc: true, also deploys System Upgrade Controller with:
  - SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS=3600 ConfigMap patch
- mke-post-install-playbook.yml: Standalone playbook wrapping the above. Imported by mke-install-playbook.yml as its final step; can also be run independently after SSH is disabled.

New vars (vars/common-vars.yml)

| Variable | Default |
| --- | --- |
| deploy_suc | false |
| suc_service_account | system-upgrade:system-upgrade |