From b174ec93e9c4b5c49a4e3413085a789cbcbf8154 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Mon, 10 Jul 2023 16:21:22 +0200 Subject: [PATCH] Initial work on hiera-ifying and Puppet 8 support The code is ugly, but should mean that etcd can still be installed both as part of the control-plane as well as on standalone nodes --- REFERENCE.md | 60 ++++++++-------- data/common.yaml | 2 + manifests/init.pp | 10 ++- manifests/server/etcd.pp | 45 ++++++++---- manifests/server/etcd/setup.pp | 69 ++++++++++++------ spec/classes/server/etcd_spec.rb | 116 +++++++++++++++++++++---------- 6 files changed, 197 insertions(+), 105 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index c130f10..2e1990f 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -95,9 +95,9 @@ The following parameters are available in the `k8s` class: * [`uid`](#-k8s--uid) * [`gid`](#-k8s--gid) * [`etcd_cluster_name`](#-k8s--etcd_cluster_name) -* [`native_packaging`](#-k8s--native_packaging) * [`version`](#-k8s--version) * [`etcd_version`](#-k8s--etcd_version) +* [`native_packaging`](#-k8s--native_packaging) * [`container_registry`](#-k8s--container_registry) * [`container_image_tag`](#-k8s--container_image_tag) * [`container_manager`](#-k8s--container_manager) @@ -212,29 +212,25 @@ name of the etcd cluster for searching its nodes in the puppetdb Default value: `'default'` -##### `native_packaging` - -Data type: `K8s::Native_packaging` +##### `version` +Data type: `String[1]` -Default value: `'loose'` -##### `version` +##### `etcd_version` Data type: `String[1]` -Default value: `'1.26.1'` - -##### `etcd_version` +##### `native_packaging` -Data type: `String[1]` +Data type: `K8s::Native_packaging` -Default value: `'3.5.1'` +Default value: `'loose'` ##### `container_registry` 
@@ -1961,11 +1957,11 @@ Default value: `"${cert_path}/client-ca.key"` ##### `cluster_name` -Data type: `String[1]` +Data type: `Optional[String[1]]` -name of the etcd cluster for searching its nodes in the puppetdb +name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified -Default value: `pick($k8s::server::etcd_cluster_name, 'default')` +Default value: `undef` ##### `ensure` @@ -1981,7 +1977,7 @@ Data type: `Optional[K8s::Firewall]` define the type of firewall to use -Default value: `$k8s::server::firewall_type` +Default value: `undef` ##### `generate_ca` @@ -2041,11 +2037,11 @@ Default value: `"${cert_path}/peer-ca.key"` ##### `puppetdb_discovery_tag` -Data type: `String[1]` +Data type: `Optional[String[1]]` enable puppetdb resource searching -Default value: `pick($k8s::server::puppetdb_discovery_tag, $cluster_name)` +Default value: `$cluster_name` ##### `self_signed_tls` @@ -2057,11 +2053,11 @@ Default value: `false` ##### `version` -Data type: `String[1]` +Data type: `Optional[String[1]]` -version of ectd to install +version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `pick($k8s::etcd_version, '3.5.1')` +Default value: `undef` ##### `user` @@ -2147,11 +2143,11 @@ Default value: `undef` ##### `auto_tls` -Data type: `Boolean` +Data type: `Optional[Boolean]` -Default value: `$k8s::server::etcd::self_signed_tls` +Default value: `undef` ##### `binary_path` @@ -2187,11 +2183,11 @@ Default value: `"${etcd_name}.etcd"` ##### `ensure` -Data type: `K8s::Ensure` +Data type: `Optional[K8s::Ensure]` set ensure for installation or deinstallation -Default value: `$k8s::server::etcd::ensure` +Default value: `undef` ##### `etcd_name` 
@@ -2219,11 +2215,11 @@ Default value: `undef` ##### `group` -Data type: `String[1]` +Data type: `Optional[String[1]]` etcd system user group -Default value: `$k8s::server::etcd::group` +Default value: `undef` ##### `initial_advertise_peer_urls` @@ -2299,11 +2295,11 @@ Default value: `'etcd'` ##### `peer_auto_tls` -Data type: `Boolean` +Data type: `Optional[Boolean]` -Default value: `$k8s::server::etcd::self_signed_tls` +Default value: `undef` ##### `peer_cert_file` @@ -2371,19 +2367,19 @@ Default value: `undef` ##### `user` -Data type: `String[1]` +Data type: `Optional[String[1]]` etcd system user -Default value: `$k8s::server::etcd::user` +Default value: `undef` ##### `version` -Data type: `String[1]` +Data type: `Optional[String[1]]` The ectd version to install -Default value: `$k8s::server::etcd::version` +Default value: `undef` ### `k8s::server::resources` diff --git a/data/common.yaml b/data/common.yaml index ed97d53..3a069bf 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1 +1,3 @@ --- +k8s::version: 1.26.1 +k8s::etcd_version: 3.5.1 diff --git a/manifests/init.pp b/manifests/init.pp index feab8fb..19fc750 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,11 +19,13 @@ # @param etcd_cluster_name name of the etcd cluster for searching its nodes in the puppetdb # class k8s ( + # Stored in Hiera data + String[1] $version, + String[1] $etcd_version, + K8s::Ensure $ensure = 'present', Enum['container', 'native'] $packaging = 'native', K8s::Native_packaging $native_packaging = 'loose', - String[1] $version = '1.26.1', - String[1] $etcd_version = '3.5.1', String[1] $container_registry = 'registry.k8s.io', Optional[String[1]] $container_image_tag = undef, @@ -164,7 +166,9 @@ ensure_packages([$_conntrack,]) } - include k8s::install::cni_plugins + if $role != 'none' { + include k8s::install::cni_plugins + } if $role == 'server' { include k8s::server diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp index 80ef1e4..c818446 100644 
--- a/manifests/server/etcd.pp +++ b/manifests/server/etcd.pp @@ -4,7 +4,7 @@ # @param cert_path path to cert files # @param client_ca_cert # @param client_ca_key -# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb +# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified # @param ensure set ensure for installation or deinstallation # @param firewall_type define the type of firewall to use # @param generate_ca whether to generate a own ca or not @@ -16,17 +16,17 @@ # @param peer_ca_key # @param puppetdb_discovery_tag enable puppetdb resource searching # @param self_signed_tls -# @param version version of ectd to install +# @param version version of ectd to install, will use k8s::etcd_version unless otherwise specified # class k8s::server::etcd ( - K8s::Ensure $ensure = 'present', - String[1] $version = pick($k8s::etcd_version, '3.5.1'), + K8s::Ensure $ensure = 'present', + Optional[String[1]] $version = undef, - Boolean $manage_setup = true, - Boolean $manage_firewall = false, - Boolean $manage_members = false, - String[1] $cluster_name = pick($k8s::server::etcd_cluster_name, 'default'), - String[1] $puppetdb_discovery_tag = pick($k8s::server::puppetdb_discovery_tag, $cluster_name), + Boolean $manage_setup = true, + Boolean $manage_firewall = false, + Boolean $manage_members = false, + Optional[String[1]] $cluster_name = undef, + Optional[String[1]] $puppetdb_discovery_tag = $cluster_name, Boolean $self_signed_tls = false, Boolean $manage_certs = true, @@ -40,7 +40,8 @@ Stdlib::Unixpath $client_ca_key = "${cert_path}/client-ca.key", Stdlib::Unixpath $client_ca_cert = "${cert_path}/client-ca.pem", - Optional[K8s::Firewall] $firewall_type = $k8s::server::firewall_type, + Optional[K8s::Firewall] $firewall_type = undef, + String[1] $user = 'etcd', String[1] $group = 'etcd', ) { 
@@ -120,6 +121,17 @@ } if $ensure == 'present' and $manage_members { + if defined(Class['k8s']) { + $_k8s_cluster_name = $k8s::etcd_cluster_name + $_k8s_puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag + } else { + $_k8s_cluster_name = lookup('k8s::cluster_name', undef, undef, undef) + $_k8s_puppetdb_discovery_tag = lookup('k8s::puppetdb_discovery_tag', undef, undef, undef) + } + + $_cluster_name = pick($cluster_name, $_k8s_cluster_name, 'default') + $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $_k8s_puppetdb_discovery_tag, 'default') + # Needs the PuppetDB terminus installed $pql_query = [ 'resources[certname,parameters] {', @@ -129,8 +141,8 @@ ' resources {', ' type = \'Class\' and', ' title = \'K8s::Server::Etcd\' and', - " parameters.cluster_name = '${cluster_name}' and", - " parameters.puppetdb_discovery_tag = '${puppetdb_discovery_tag}' and", + " parameters.cluster_name = '${_cluster_name}' and", + " parameters.puppetdb_discovery_tag = '${_puppetdb_discovery_tag}' and", " certname != '${trusted[certname]}'", ' }', ' }', @@ -162,10 +174,15 @@ } if $manage_firewall { + if defined(Class['k8s']) { + $_k8s_firewall_type = $k8s::firewall_type + } else { + $_k8s_firewall_type = lookup('k8s::firewall_type', undef, undef, undef) + } if $facts['firewalld_version'] { - $_firewall_type = pick($firewall_type, 'firewalld') + $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'firewalld') } else { - $_firewall_type = pick($firewall_type, 'iptables') + $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'iptables') } case $_firewall_type { diff --git a/manifests/server/etcd/setup.pp b/manifests/server/etcd/setup.pp index eda59ed..2a457c8 100644 --- a/manifests/server/etcd/setup.pp +++ b/manifests/server/etcd/setup.pp 
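Review bot: The Hiera fallback at the top of this hunk looks up `k8s::cluster_name`, but the `defined(Class['k8s'])` branch beside it reads `$k8s::etcd_cluster_name` and the `k8s` class documents that parameter as `etcd_cluster_name`, so on a standalone node the lookup never finds the cluster name and `$_cluster_name` silently falls through to `'default'`; change it to `$_k8s_cluster_name = lookup('k8s::etcd_cluster_name', undef, undef, undef)`. The discovery tag has a related fallthrough: when `cluster_name` is left unset its pick ends at `'default'` even if the cluster name was resolved from `k8s`, whereas the replaced default tied the tag to the resolved cluster name, so `$_cluster_name` is probably the right last fallback instead of `'default'`. Both values are still interpolated unescaped into the PQL string a few lines further down (`parameters.cluster_name = '${_cluster_name}'`), and now that they can arrive from Hiera a stray single quote would break or alter the query; a `Pattern[/\A[\w.-]+\z/]` type on the two parameters is cheap insurance.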
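Review bot: The new firewall fallback reads `$k8s::firewall_type` (and looks up `k8s::firewall_type`), but the parameter default this commit removes from the class header was `$k8s::server::firewall_type`; unless class `k8s` also carries a `firewall_type` parameter (not visible in this diff), the reference resolves to undef or errors under `strict_variables`, and a firewall type configured on `k8s::server` is silently ignored. Consider `$_k8s_firewall_type = $k8s::server::firewall_type` guarded by `defined(Class['k8s::server'])`, with `lookup('k8s::server::firewall_type', undef, undef, undef)` as the Hiera fallback. The `case $_firewall_type` body continues outside the hunk.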
@@ -35,10 +35,10 @@ # @param version The ectd version to install # class k8s::server::etcd::setup ( - K8s::Ensure $ensure = $k8s::server::etcd::ensure, + Optional[K8s::Ensure] $ensure = undef, Enum['archive','package'] $install = 'archive', String[1] $package = 'etcd', - String[1] $version = $k8s::server::etcd::version, + Optional[String[1]] $version = undef, String[1] $etcd_name = $facts['networking']['hostname'], String[1] $fqdn = $facts['networking']['fqdn'], @@ -56,14 +56,14 @@ Optional[Stdlib::Unixpath] $peer_cert_file = undef, Optional[Stdlib::Unixpath] $peer_key_file = undef, Optional[Stdlib::Unixpath] $peer_trusted_ca_file = undef, + Optional[Boolean] $peer_auto_tls = undef, Boolean $peer_client_cert_auth = false, - Boolean $peer_auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Stdlib::Unixpath] $cert_file = undef, Optional[Stdlib::Unixpath] $key_file = undef, Optional[Stdlib::Unixpath] $trusted_ca_file = undef, + Optional[Boolean] $auto_tls = undef, Boolean $client_cert_auth = false, - Boolean $auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Integer] $auto_compaction_retention = undef, Optional[Enum['existing', 'new']] $initial_cluster_state = undef, 
@@ -72,17 +72,44 @@ Optional[Stdlib::Unixpath] $binary_path = undef, Stdlib::Unixpath $storage_path = '/var/lib/etcd', - String[1] $user = $k8s::server::etcd::user, - String[1] $group = $k8s::server::etcd::group, + Optional[String[1]] $user = undef, + Optional[String[1]] $group = undef, Optional[Integer[0, 65535]] $uid = undef, Optional[Integer[0, 65535]] $gid = undef, ) { + if defined(Class['k8s']) { + $_k8s_etcd_version = $k8s::etcd_version + } else { + $_k8s_etcd_version = lookup('k8s::etcd_version') + } + if defined(Class['k8s::server::etcd']) { + $_k8s_server_etcd_ensure = $k8s::server::etcd::ensure + $_k8s_server_etcd_version = $k8s::server::etcd::version + $_k8s_server_etcd_self_signed_tls = $k8s::server::etcd::self_signed_tls + $_k8s_server_etcd_manage_certs = $k8s::server::etcd::manage_certs + $_k8s_server_etcd_user = $k8s::server::etcd::user + $_k8s_server_etcd_group = $k8s::server::etcd::group + } else { + $_k8s_server_etcd_ensure = lookup('k8s::server::etcd::ensure', undef, undef, undef) + $_k8s_server_etcd_version = lookup('k8s::server::etcd::version', undef, undef, undef) + $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', undef, undef, undef) + $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', undef, undef, undef) + $_k8s_server_etcd_user = lookup('k8s::server::etcd::user', undef, undef, undef) + $_k8s_server_etcd_group = lookup('k8s::server::etcd::group', undef, undef, undef) + } + $_ensure = pick($ensure, $_k8s_server_etcd_ensure, 'present') + $_peer_auto_tls = pick($peer_auto_tls, $_k8s_server_etcd_self_signed_tls, false) + $_auto_tls = pick($auto_tls, $_k8s_server_etcd_self_signed_tls, false) + $_version = pick($version, $_k8s_server_etcd_version, $_k8s_etcd_version) + $_user = pick($user, $_k8s_server_etcd_user, 'etcd') + $_group = pick($group, $_k8s_server_etcd_group, 'etcd') + if $install == 'archive' { $_url = k8s::format_url($archive_template, { version => $version, }) $_file = 
basename($_url) archive { "/var/tmp/${_file}": - ensure => $ensure, + ensure => $_ensure, source => $_url, extract => true, extract_command => 'tar xfz %s --strip-components=1', @@ -92,20 +119,20 @@ notify => Service['etcd'], } - if $ensure == 'absent' { + if $_ensure == 'absent' { file { ['/usr/local/bin/etcd', '/usr/local/bin/etcdctl']: ensure => 'absent', } } - group { $group: - ensure => $ensure, + group { $_group: + ensure => $_ensure, system => true, gid => $gid, } - user { $user: - ensure => $ensure, + user { $_user: + ensure => $_ensure, comment => 'etcd user', gid => $gid, home => $storage_path, @@ -119,13 +146,13 @@ } } else { package { $package: - ensure => stdlib::ensure($ensure, 'package'), + ensure => stdlib::ensure($_ensure, 'package'), } } file { default: - ensure => stdlib::ensure($ensure, 'directory'); + ensure => stdlib::ensure($_ensure, 'directory'); '/etc/etcd': ; $storage_path: @@ -134,7 +161,7 @@ } # Use generated certs by default - if !$k8s::server::etcd::self_signed_tls and $k8s::server::etcd::manage_certs { + if !$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs { $_dir = "${storage_path}/certs" $_cert_file = pick($cert_file, "${_dir}/etcd-server.pem") $_key_file = pick($key_file, "${_dir}/etcd-server.key") @@ -161,7 +188,7 @@ file { default: - ensure => stdlib::ensure($ensure, 'file'), + ensure => stdlib::ensure($_ensure, 'file'), owner => 'root', group => 'root'; @@ -178,10 +205,12 @@ key_file => $_key_file, trusted_ca_file => $_trusted_ca_file, client_cert_auth => $_client_cert_auth, + auto_tls => $_auto_tls, peer_cert_file => $_peer_cert_file, peer_key_file => $_peer_key_file, peer_trusted_ca_file => $_peer_trusted_ca_file, peer_client_cert_auth => $_peer_client_cert_auth, + peer_auto_tls => $_peer_auto_tls, auto_compaction_retention => $auto_compaction_retention, initial_cluster_state => $initial_cluster_state, initial_cluster_token => $initial_cluster_token, 
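Review bot: `$_version` is computed in the new block but the archive URL on the last line of the hunk still reads `version => $version`, which now defaults to `undef`, so an archive install that relies on the Hiera or parent-class version feeds `undef` into `k8s::format_url` and presumably ends up with a malformed download URL; change it to `version => $_version`. Separately, `$_k8s_etcd_version` comes from a bare `lookup('k8s::etcd_version')`, which raises rather than falls through if the module's `data/common.yaml` is masked in the hierarchy, while every other lookup in this block passes an explicit `undef` default; if that hard failure is intended, say so in a comment such as `# no default: etcd_version is mandatory module data`. The `if $install == 'archive'` body continues past the hunk.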
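Review bot: The rewritten condition `if !$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs` makes the standalone case quietly skip the generated-cert branch: when neither `Class['k8s::server::etcd']` nor the `k8s::server::etcd::manage_certs` Hiera key is present, the lookup returns undef, the branch is false, and `$_auto_tls`/`$_peer_auto_tls` also pick to `false`, so etcd gets no certificate material unless the caller passes `cert_file`/`key_file`/`trusted_ca_file` explicitly (what the `else` path does with those is outside the hunk). The parent class defaults `manage_certs` to `true`, so mirroring that with `pick($_k8s_server_etcd_manage_certs, true)` would keep the two entry points consistent, at the cost of a loud service failure rather than a silent plaintext etcd when nobody generates the files. At minimum add a `@param` note that a standalone `setup` declaration must supply cert paths or opt into `auto_tls`, and consider a `warning()` when none of them is set so an unencrypted etcd does not go unnoticed.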
@@ -202,21 +231,21 @@ $service_require = Package[$package] } else { $_binary_path = pick($binary_path, '/usr/local/bin/etcd') - $service_require = User[$user] + $service_require = User[$_user] } systemd::unit_file { 'etcd.service': - ensure => $ensure, + ensure => $_ensure, content => epp('k8s/etcd.service.epp', { binary_path => $_binary_path, workdir_path => $storage_path, - user => $user, + user => $_user, }), notify => Service['etcd'], } service { 'etcd': - ensure => stdlib::ensure($ensure, 'service'), + ensure => stdlib::ensure($_ensure, 'service'), enable => true, require => $service_require, subscribe => File['/etc/etcd/etcd.conf'], diff --git a/spec/classes/server/etcd_spec.rb b/spec/classes/server/etcd_spec.rb index 888a7c1..59f3369 100644 --- a/spec/classes/server/etcd_spec.rb +++ b/spec/classes/server/etcd_spec.rb 
@@ -10,51 +10,95 @@ manage_members: true } end - let(:pre_condition) do - <<~PUPPET - function puppetdb_query(String[1] $data) { - return [ - { - certname => 'node.example.com', - parameters => { - etcd_name => 'node', - initial_advertise_peer_urls => ['https://node.example.com:2380'], + + context "with k8s included" do + let(:pre_condition) do + <<~PUPPET + function puppetdb_query(String[1] $data) { + return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } } - } - ] - } - - include ::k8s - class { '::k8s::server': - manage_etcd => false, - manage_certs => false, - manage_components => false, - manage_resources => false, - node_on_server => false, - } - PUPPET - end + ] + } - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + include ::k8s + class { '::k8s::server': + manage_etcd => false, + manage_certs => false, + manage_components => false, + manage_resources => false, + node_on_server => false, + } + PUPPET + end - it { is_expected.to compile } + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } - it do - %w[etcd-peer-ca etcd-client-ca].each do |ca| - is_expected.to contain_k8s__server__tls__ca(ca) + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end end - end - it do - %w[etcd-peer etcd-client].each do |cert| - is_expected.to contain_k8s__server__tls__cert(cert) + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } end + end + end + + context "without k8s included" do + let(:pre_condition) do + <<~PUPPET + function puppetdb_query(String[1] $data) { 
+ return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } + } + ] + } + PUPPET + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } - it { is_expected.to contain_class('k8s::server::etcd::setup') } - it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end + end + + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end + end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + end end end end
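Review bot: The new `without k8s included` context still declares the described class (presumably `k8s::server::etcd`, given the file name), so the `else` branches added to `k8s::server::etcd::setup` for the case where `Class['k8s::server::etcd']` is absent, the standalone-node path the commit message describes, are never compiled by these tests, and the Hiera fallbacks in `etcd.pp` are only exercised with their `'default'` values. Add a `spec/classes/server/etcd/setup_spec.rb` context that declares only `k8s::server::etcd::setup` with an empty `pre_condition`, plus a case here that supplies a non-default cluster name through Hiera (`let(:hiera_config)`) and asserts the generated PQL query carries that name. Both contexts also duplicate the `puppetdb_query` stub verbatim; hoisting it into a shared `let` or a helper string would keep the two copies from drifting.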