From 7d651728da337a2e2b6dcb3530aac21b15e11c41 Mon Sep 17 00:00:00 2001
From: Daniel Herrmann
Date: Fri, 23 Sep 2022 12:39:59 +0200
Subject: [PATCH] Dynamically untaint node, fix sysctl for Ubuntu 22.04

---
 tasks/master-setup.yml | 24 +++++++++++++++++++-----
 tasks/sysctl-setup.yml | 12 ++++++++++--
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/tasks/master-setup.yml b/tasks/master-setup.yml
index 72ab695..7ab75d0 100644
--- a/tasks/master-setup.yml
+++ b/tasks/master-setup.yml
@@ -76,10 +76,24 @@
   changed_when: "'created' in weave_result.stdout"
   when: kubernetes_pod_network.cni == 'weave'
-# TODO: Check if taint exists with something like `kubectl describe nodes`
-# instead of using kubernetes_init_stat.stat.exists check.
-- name: Allow pods on master node (if configured).
-  command: "kubectl taint nodes --all node-role.kubernetes.io/master-"
+# Check if a Taint exists
+- name: Check if taint exists preventing pods to be scheduled on the master node
+  shell: | set -o pipefail kubectl describe nodes | grep Taints | grep --invert-match \ | sed -r 's/Taints:\s+(.*:NoSchedule)/\1/'
+  args:
+    executable: /bin/bash
+  register: kube_taint
+  # grep will exit with 1 when no results found.
+  # This causes the task not to halt play.
+  ignore_errors: true
+  changed_when: false
   when:
     - kubernetes_allow_pods_on_master | bool
-    - not kubernetes_init_stat.stat.exists
+
+# Untaint node depending on previous result
+- name: Allow pods on master node (if configured).
+  command: "kubectl taint nodes --all {{ kube_taint.stdout }}-"
+  when:
+    - kubernetes_allow_pods_on_master | bool
+    - not kube_taint.failed
diff --git a/tasks/sysctl-setup.yml b/tasks/sysctl-setup.yml
index 174ebca..de1027d 100644
--- a/tasks/sysctl-setup.yml
+++ b/tasks/sysctl-setup.yml
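Review bot: The sed capture `(.*:NoSchedule)` in the new taint check matches any NoSchedule taint, not just the control-plane one, and the follow-up task then removes that key from every node via `--all`, so on a multi-node cluster a dedicated-workload or isolation taint on a worker would be stripped; narrowing the first grep keeps the exit-code logic intact, e.g. `grep -E 'Taints:\s+node-role\.kubernetes\.io/(master|control-plane):NoSchedule'` in place of `grep Taints | grep --invert-match ...`. `ignore_errors: true` also turns a real failure of `kubectl describe nodes` (API unreachable, missing kubeconfig, RBAC denial) into a silent "no taint" outcome while still printing a red failure, so `failed_when: kube_taint.rc not in [0, 1]` with the untaint gated on `kube_taint.rc == 0` instead of `not kube_taint.failed` is more honest. On a multi-node cluster `kube_taint.stdout` can hold several lines, and interpolating that into `command` yields a malformed argument; looping over `kube_taint.stdout_lines | unique` avoids it. In this rendering the lines under `shell: |` appear collapsed onto one line and the `grep --invert-match` pattern looks truncated (probably a literal lost in rendering), so verify the committed file rather than this view.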
@@ -7,11 +7,19 @@
     ansible_distribution != 'Debian'
     or ansible_distribution_major_version | int < 10
-# See: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#letting-iptables-see-bridged-traffic
+# See: https://kubernetes.io/docs/setup/production-environment/container-runtimes/#forwarding-ipv4-and-letting-iptables-see-bridged-traffic
+- name: Ensure br_netfilter is loaded
+  community.general.modprobe:
+    name: br_netfilter
+    state: present
+  when: >
+    ansible_distribution != 'Debian'
+    or ansible_distribution_major_version | int < 10
+
 - name: Let iptables see bridged traffic.
   sysctl:
     name: "{{ item }}"
-    value: '1'
+    value: "1"
     state: present
   loop:
     - net.bridge.bridge-nf-call-iptables
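Review bot: The new modprobe task loads `br_netfilter` only into the running kernel and nothing in the hunk persists it, so after a reboot on Ubuntu 22.04 (the case this commit targets) the module is absent, the `net.bridge.bridge-nf-call-iptables` keys set by the following task do not exist when sysctl values are restored, and bridged pod traffic bypasses iptables — kube-proxy and NetworkPolicy rules included — until something else loads the module. A task that writes the module name under `/etc/modules-load.d/`, carrying the same `when` guard as the modprobe, closes that gap. `community.general.modprobe` also introduces a collection dependency that, as far as this diff shows, is not declared in the role's requirements or meta, so a core-only Ansible install would fail at that task — worth checking.
```yaml
- name: Ensure br_netfilter is loaded at boot.
  copy:
    dest: /etc/modules-load.d/br_netfilter.conf  # example filename; follow the role's convention
    content: "br_netfilter\n"
    mode: "0644"
  when: >
    ansible_distribution != 'Debian'
    or ansible_distribution_major_version | int < 10
# … unchanged: modprobe task above, "Let iptables see bridged traffic." task below …
```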