diff --git a/REFERENCE.md b/REFERENCE.md index 5909ef9..b829d80 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -6,6 +6,8 @@ ### Classes +#### Public Classes + * [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server * [`k8s::install::cni_plugins`](#k8s--install--cni_plugins): Manages the installation of CNI plugins * [`k8s::install::container_runtime`](#k8s--install--container_runtime): Manages the installation of a container runtime / CRI 
@@ -13,27 +15,31 @@ * [`k8s::install::kubeadm`](#k8s--install--kubeadm): Installs the kubeadm binary * [`k8s::install::kubectl`](#k8s--install--kubectl): Installs the kubectl binary * [`k8s::node`](#k8s--node): Installs a Kubernetes node -* [`k8s::node::kube_proxy`](#k8s--node--kube_proxy): Sets up a on-node kube-proxy instance * [`k8s::node::kubectl`](#k8s--node--kubectl): Installs the kubectl binary -* [`k8s::node::kubelet`](#k8s--node--kubelet): Installs and configures kubelet * [`k8s::node::simple_cni`](#k8s--node--simple_cni): Provide a simple bridged standard network interface. For basic usage if one does not have flannel, cilium, calico or something else yet. Uses the cni-plugins bridge binary to create a bridge interface to connect the containers * [`k8s::repo`](#k8s--repo): Handles repositories for the container runtime * [`k8s::server`](#k8s--server): Sets up a Kubernetes server instance -* [`k8s::server::apiserver`](#k8s--server--apiserver): Installs and configures a Kubernetes apiserver -* [`k8s::server::controller_manager`](#k8s--server--controller_manager): Installs and configures a Kubernetes controller manager * [`k8s::server::etcd`](#k8s--server--etcd): Sets up an etcd cluster node * [`k8s::server::etcd::setup`](#k8s--server--etcd--setup): Installs and configures an etcd instance -* [`k8s::server::resources`](#k8s--server--resources): Generates and deploys standard Kubernetes in-cluster services -* [`k8s::server::resources::bootstrap`](#k8s--server--resources--bootstrap): Generates and deploys the default Puppet boostrap configuration into the cluster -* [`k8s::server::resources::coredns`](#k8s--server--resources--coredns): Generates and deploys the default CoreDNS DNS provider for Kubernetes -* [`k8s::server::resources::flannel`](#k8s--server--resources--flannel): Generates and deploys the default CoreDNS DNS provider for Kubernetes -* [`k8s::server::resources::kube_proxy`](#k8s--server--resources--kube_proxy): Generates and deploys the default 
kube-proxy service for Kubernetes -* [`k8s::server::scheduler`](#k8s--server--scheduler): Installs and configures a Kubernetes scheduler -* [`k8s::server::tls`](#k8s--server--tls): Generates the necessary Kubernetes certificates for a server * [`k8s::server::wait_online`](#k8s--server--wait_online): Creates a dummy exec to allow deferring applies until the Kubernetes API server has started +#### Private Classes + +* `k8s::common`: Sets up common Kubernetes components - users/groups/folders/etc +* `k8s::node::kube_proxy`: Sets up a on-node kube-proxy instance +* `k8s::node::kubelet`: Installs and configures kubelet +* `k8s::server::apiserver`: Installs and configures a Kubernetes apiserver +* `k8s::server::controller_manager`: Installs and configures a Kubernetes controller manager +* `k8s::server::resources`: Generates and deploys standard Kubernetes in-cluster services +* `k8s::server::resources::bootstrap`: Generates and deploys the default Puppet boostrap configuration into the cluster +* `k8s::server::resources::coredns`: Generates and deploys the default CoreDNS DNS provider for Kubernetes +* `k8s::server::resources::flannel`: Generates and deploys the default CoreDNS DNS provider for Kubernetes +* `k8s::server::resources::kube_proxy`: Generates and deploys the default kube-proxy service for Kubernetes +* `k8s::server::scheduler`: Installs and configures a Kubernetes scheduler +* `k8s::server::tls`: Generates the necessary Kubernetes certificates for a server + ### Defined types * [`k8s::binary`](#k8s--binary): Deploys a Kubernetes binary 
@@ -66,6 +72,7 @@ Uses the cni-plugins bridge binary to create a bridge interface to connect the c * [`K8s::IP_addresses`](#K8s--IP_addresses): a type to describe multiple IP addresses without subnet sizes * [`K8s::Native_packaging`](#K8s--Native_packaging): a type to describe Kubernetes native packaging methods * [`K8s::Node_auth`](#K8s--Node_auth): a type to describe node/kubelet authentication methods +* [`K8s::Node_role`](#K8s--Node_role): a type to describe a type of Kubernetes node * [`K8s::PortRange`](#K8s--PortRange): This regexp matches port range values * [`K8s::Proxy_auth`](#K8s--Proxy_auth): a type to describe kube-proxy authentication methods * [`K8s::Proxy_method`](#K8s--Proxy_method): a type to describe how kube-proxy should be deployed @@ -429,11 +436,11 @@ Default value: `true` ##### `role` -Data type: `Enum['node','server','none']` +Data type: `Optional[K8s::Node_role]` -role of the node +the role of the node -Default value: `'none'` +Default value: `undef` ##### `runc_version` @@ -453,11 +460,11 @@ Default value: `'10.1.0.0/24'` ##### `sysconfig_path` -Data type: `Optional[Stdlib::Unixpath]` +Data type: `Stdlib::Unixpath` -path to the sysconfig directory +path to the sysconfig directory, per-OS values are configured in hiera -Default value: `undef` +Default value: `'/etc/sysconfig'` ##### `tarball_url_template` 
@@ -908,114 +915,6 @@ enable puppetdb resource searching Default value: `$k8s::puppetdb_discovery_tag` -### `k8s::node::kube_proxy` - -For most use-cases, running kube-proxy inside the cluster itself is recommended - -#### Parameters - -The following parameters are available in the `k8s::node::kube_proxy` class: - -* [`arguments`](#-k8s--node--kube_proxy--arguments) -* [`auth`](#-k8s--node--kube_proxy--auth) -* [`ca_cert`](#-k8s--node--kube_proxy--ca_cert) -* [`cert`](#-k8s--node--kube_proxy--cert) -* [`cluster_cidr`](#-k8s--node--kube_proxy--cluster_cidr) -* [`config`](#-k8s--node--kube_proxy--config) -* [`control_plane_url`](#-k8s--node--kube_proxy--control_plane_url) -* [`ensure`](#-k8s--node--kube_proxy--ensure) -* [`key`](#-k8s--node--kube_proxy--key) -* [`puppetdb_discovery_tag`](#-k8s--node--kube_proxy--puppetdb_discovery_tag) -* [`token`](#-k8s--node--kube_proxy--token) - -##### `arguments` - -Data type: `Hash[String, Data]` - -A hash of additional arguments to pass to kube-proxy - -Default value: `{}` - -##### `auth` - -Data type: `K8s::Proxy_auth` - -The authentication method to use for the API server - -Default value: `$k8s::node::proxy_auth` - -##### `ca_cert` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the CA certificate to use for the API server - -Default value: `$k8s::node::ca_cert` - -##### `cert` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the client certificate to use for the API server - -Default value: `$k8s::node::proxy_cert` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR range of the cluster - -Default value: `$k8s::cluster_cidr` - -##### `config` - -Data type: `Hash[String, Data]` - -A hash of additional configuration options to pass to kube-proxy - -Default value: `{}` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -The URL of the Kubernetes API server - -Default value: `$k8s::node::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the kube-proxy service 
should be configured - -Default value: `$k8s::node::ensure` - -##### `key` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the client key to use for the API server - -Default value: `$k8s::node::proxy_key` - -##### `puppetdb_discovery_tag` - -Data type: `String` - -The tag to use for PuppetDB service discovery - -Default value: `$k8s::node::puppetdb_discovery_tag` - -##### `token` - -Data type: `Optional[Sensitive[String]]` - -The token to use for the API server - -Default value: `$k8s::node::proxy_token` - ### `k8s::node::kubectl` Installs the kubectl binary 
@@ -1034,195 +933,6 @@ Whether to install the binary Default value: `$k8s::ensure` -### `k8s::node::kubelet` - -Installs and configures kubelet - -#### Parameters - -The following parameters are available in the `k8s::node::kubelet` class: - -* [`arguments`](#-k8s--node--kubelet--arguments) -* [`auth`](#-k8s--node--kubelet--auth) -* [`ca_cert`](#-k8s--node--kubelet--ca_cert) -* [`cert`](#-k8s--node--kubelet--cert) -* [`cert_path`](#-k8s--node--kubelet--cert_path) -* [`config`](#-k8s--node--kubelet--config) -* [`control_plane_url`](#-k8s--node--kubelet--control_plane_url) -* [`ensure`](#-k8s--node--kubelet--ensure) -* [`firewall_type`](#-k8s--node--kubelet--firewall_type) -* [`key`](#-k8s--node--kubelet--key) -* [`kubeconfig`](#-k8s--node--kubelet--kubeconfig) -* [`manage_firewall`](#-k8s--node--kubelet--manage_firewall) -* [`manage_kernel_modules`](#-k8s--node--kubelet--manage_kernel_modules) -* [`manage_sysctl_settings`](#-k8s--node--kubelet--manage_sysctl_settings) -* [`puppetdb_discovery_tag`](#-k8s--node--kubelet--puppetdb_discovery_tag) -* [`rotate_server_tls`](#-k8s--node--kubelet--rotate_server_tls) -* [`runtime`](#-k8s--node--kubelet--runtime) -* [`runtime_service`](#-k8s--node--kubelet--runtime_service) -* [`support_dualstack`](#-k8s--node--kubelet--support_dualstack) -* [`token`](#-k8s--node--kubelet--token) - -##### `arguments` - -Data type: `Hash[String, Data]` - -additional arguments to pass to kubelet - -Default value: `{}` - -##### `auth` - -Data type: `K8s::Node_auth` - -type of node authentication - -Default value: `$k8s::node::node_auth` - -##### `ca_cert` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the ca cert - -Default value: `$k8s::node::ca_cert` - -##### `cert` - -Data type: `Optional[Stdlib::Unixpath]` - -path to node cert file - -Default value: `$k8s::node::node_cert` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -path to cert files - -Default value: `$k8s::node::cert_path` - -##### `config` - -Data type: `Hash[String, 
Data]` - -additional config to pass to kubelet - -Default value: `{}` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -cluster API connection - -Default value: `$k8s::node::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `$k8s::node::ensure` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `$k8s::node::firewall_type` - -##### `key` - -Data type: `Optional[Stdlib::Unixpath]` - -path to node key file - -Default value: `$k8s::node::node_key` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -path to kubeconfig - -Default value: `'/srv/kubernetes/kubelet.kubeconf'` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `$k8s::node::manage_firewall` - -##### `manage_kernel_modules` - -Data type: `Boolean` - -whether to load kernel modules or not - -Default value: `$k8s::node::manage_kernel_modules` - -##### `manage_sysctl_settings` - -Data type: `Boolean` - -whether to manage sysctl settings or not - -Default value: `$k8s::node::manage_sysctl_settings` - -##### `puppetdb_discovery_tag` - -Data type: `String[1]` - -enable puppetdb resource searching - -Default value: `$k8s::node::puppetdb_discovery_tag` - -##### `rotate_server_tls` - -Data type: `Boolean` - -whether to rotate server tls or not - -Default value: `$auth == 'bootstrap'` - -##### `runtime` - -Data type: `String` - -which container runtime to use - -Default value: `$k8s::container_manager` - -##### `runtime_service` - -Data type: `String` - -name of the service of the container runtime - -Default value: `$k8s::container_runtime_service` - -##### `support_dualstack` - -Data type: `Boolean` - -whether to support dualstack or not - -Default value: `$k8s::cluster_cidr =~ Array[Data, 2]` - -##### `token` - -Data type: `Optional[Sensitive[String]]` - -k8s token to join a cluster - -Default 
value: `$k8s::node::node_token` - ### `k8s::node::simple_cni` Class: k8s::node::simple_cni 
@@ -1520,1734 +1230,491 @@ enable puppetdb resource searching Default value: `$k8s::puppetdb_discovery_tag` -### `k8s::server::apiserver` +### `k8s::server::etcd` -Installs and configures a Kubernetes apiserver +Sets up an etcd cluster node #### Parameters -The following parameters are available in the `k8s::server::apiserver` class: - -* [`advertise_address`](#-k8s--server--apiserver--advertise_address) -* [`aggregator_ca_cert`](#-k8s--server--apiserver--aggregator_ca_cert) -* [`apiserver_cert`](#-k8s--server--apiserver--apiserver_cert) -* [`apiserver_client_cert`](#-k8s--server--apiserver--apiserver_client_cert) -* [`apiserver_client_key`](#-k8s--server--apiserver--apiserver_client_key) -* [`apiserver_key`](#-k8s--server--apiserver--apiserver_key) -* [`arguments`](#-k8s--server--apiserver--arguments) -* [`ca_cert`](#-k8s--server--apiserver--ca_cert) -* [`cert_path`](#-k8s--server--apiserver--cert_path) -* [`container_image`](#-k8s--server--apiserver--container_image) -* [`container_image_tag`](#-k8s--server--apiserver--container_image_tag) -* [`container_registry`](#-k8s--server--apiserver--container_registry) -* [`discover_etcd_servers`](#-k8s--server--apiserver--discover_etcd_servers) -* [`ensure`](#-k8s--server--apiserver--ensure) -* [`etcd_ca`](#-k8s--server--apiserver--etcd_ca) -* [`etcd_cert`](#-k8s--server--apiserver--etcd_cert) -* [`etcd_cluster_name`](#-k8s--server--apiserver--etcd_cluster_name) -* [`etcd_key`](#-k8s--server--apiserver--etcd_key) -* [`etcd_servers`](#-k8s--server--apiserver--etcd_servers) -* [`firewall_type`](#-k8s--server--apiserver--firewall_type) -* [`front_proxy_cert`](#-k8s--server--apiserver--front_proxy_cert) -* [`front_proxy_key`](#-k8s--server--apiserver--front_proxy_key) -* [`manage_firewall`](#-k8s--server--apiserver--manage_firewall) -* [`puppetdb_discovery_tag`](#-k8s--server--apiserver--puppetdb_discovery_tag) -* [`service_cluster_cidr`](#-k8s--server--apiserver--service_cluster_cidr) -* 
[`serviceaccount_private`](#-k8s--server--apiserver--serviceaccount_private) -* [`serviceaccount_public`](#-k8s--server--apiserver--serviceaccount_public) - -##### `advertise_address` - -Data type: `Stdlib::IP::Address::Nosubnet` - -bind address of the apiserver +The following parameters are available in the `k8s::server::etcd` class: -Default value: `fact('networking.ip')` +* [`addn_names`](#-k8s--server--etcd--addn_names) +* [`cert_path`](#-k8s--server--etcd--cert_path) +* [`client_ca_cert`](#-k8s--server--etcd--client_ca_cert) +* [`client_ca_key`](#-k8s--server--etcd--client_ca_key) +* [`cluster_name`](#-k8s--server--etcd--cluster_name) +* [`ensure`](#-k8s--server--etcd--ensure) +* [`firewall_type`](#-k8s--server--etcd--firewall_type) +* [`generate_ca`](#-k8s--server--etcd--generate_ca) +* [`group`](#-k8s--server--etcd--group) +* [`manage_certs`](#-k8s--server--etcd--manage_certs) +* [`manage_firewall`](#-k8s--server--etcd--manage_firewall) +* [`manage_members`](#-k8s--server--etcd--manage_members) +* [`manage_setup`](#-k8s--server--etcd--manage_setup) +* [`peer_ca_cert`](#-k8s--server--etcd--peer_ca_cert) +* [`peer_ca_key`](#-k8s--server--etcd--peer_ca_key) +* [`puppetdb_discovery_tag`](#-k8s--server--etcd--puppetdb_discovery_tag) +* [`self_signed_tls`](#-k8s--server--etcd--self_signed_tls) +* [`user`](#-k8s--server--etcd--user) +* [`version`](#-k8s--server--etcd--version) -##### `aggregator_ca_cert` +##### `addn_names` -Data type: `Stdlib::Unixpath` +Data type: `K8s::TLS_altnames` -path to the aggregator ca cert file +additional names for certificates -Default value: `$k8s::server::tls::aggregator_ca_cert` +Default value: `[]` -##### `apiserver_cert` +##### `cert_path` Data type: `Stdlib::Unixpath` -path to the apiserver cert file +path to cert files -Default value: `"${cert_path}/kube-apiserver.pem"` +Default value: `'/var/lib/etcd/certs'` -##### `apiserver_client_cert` +##### `client_ca_cert` Data type: `Stdlib::Unixpath` -path to the apiserver client cert 
file +path to the client ca cert -Default value: `"${cert_path}/apiserver-kubelet-client.pem"` +Default value: `"${cert_path}/client-ca.pem"` -##### `apiserver_client_key` +##### `client_ca_key` Data type: `Stdlib::Unixpath` -path to the apiserver client key file +path to the client ca key -Default value: `"${cert_path}/apiserver-kubelet-client.key"` +Default value: `"${cert_path}/client-ca.key"` -##### `apiserver_key` +##### `cluster_name` -Data type: `Stdlib::Unixpath` +Data type: `Optional[String[1]]` -path to the apiserver cert file +name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified -Default value: `"${cert_path}/kube-apiserver.key"` +Default value: `undef` -##### `arguments` +##### `ensure` -Data type: `Hash[String, Data]` +Data type: `K8s::Ensure` -additional arguments for the apiserver +set ensure for installation or deinstallation -Default value: `{}` +Default value: `'present'` -##### `ca_cert` +##### `firewall_type` -Data type: `Stdlib::Unixpath` +Data type: `Optional[K8s::Firewall]` -path to the ca cert +define the type of firewall to use -Default value: `$k8s::server::tls::ca_cert` +Default value: `undef` -##### `cert_path` +##### `generate_ca` -Data type: `Stdlib::Unixpath` +Data type: `Boolean` -path to cert files +whether to generate a own ca or not -Default value: `$k8s::server::tls::cert_path` +Default value: `false` -##### `container_image` +##### `group` Data type: `String[1]` -container image to use for the apiserver +group to run etcd as -Default value: `'kube-apiserver'` +Default value: `'etcd'` -##### `container_image_tag` +##### `manage_certs` -Data type: `Optional[String[1]]` +Data type: `Boolean` -container image tag to use for the apiserver +whether to manage certs or not -Default value: `$k8s::container_image_tag` +Default value: `true` -##### `container_registry` +##### `manage_firewall` -Data type: `String[1]` +Data type: `Boolean` -container registry to pull 
the image from - -Default value: `$k8s::container_registry` - -##### `discover_etcd_servers` - -Data type: `Boolean` - -enable puppetdb resource searching - -Default value: `$k8s::puppetdb_discovery` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `$k8s::server::ensure` - -##### `etcd_ca` - -Data type: `Stdlib::Unixpath` - -path to the etcd ca cert file - -Default value: `"${cert_path}/etcd-ca.pem"` - -##### `etcd_cert` - -Data type: `Stdlib::Unixpath` - -path to the etcd cert file - -Default value: `"${cert_path}/etcd.pem"` - -##### `etcd_cluster_name` - -Data type: `String[1]` - -name of the etcd cluster for searching its nodes in the puppetdb - -Default value: `$k8s::server::etcd_cluster_name` - -##### `etcd_key` - -Data type: `Stdlib::Unixpath` - -path to the etcd key file - -Default value: `"${cert_path}/etcd.key"` - -##### `etcd_servers` - -Data type: `Optional[Array[Stdlib::HTTPUrl]]` - -list etcd servers if no puppetdb is used - -Default value: `$k8s::server::etcd_servers` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `$k8s::server::firewall_type` - -##### `front_proxy_cert` - -Data type: `Stdlib::Unixpath` - -path to the front proxy cert file - -Default value: `"${cert_path}/front-proxy-client.pem"` - -##### `front_proxy_key` - -Data type: `Stdlib::Unixpath` - -path to the front proxy key file - -Default value: `"${cert_path}/front-proxy-client.key"` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `$k8s::server::manage_firewall` - -##### `puppetdb_discovery_tag` - -Data type: `String` - -enable puppetdb resource searching - -Default value: `$k8s::server::puppetdb_discovery_tag` - -##### `service_cluster_cidr` - -Data type: `K8s::CIDR` - -cidr of the service cluster - -Default value: `$k8s::service_cluster_cidr` - -##### `serviceaccount_private` - -Data type: 
`Stdlib::Unixpath` - -path to the service account private key file - -Default value: `"${cert_path}/service-account.key"` - -##### `serviceaccount_public` - -Data type: `Stdlib::Unixpath` - -path to the service account public key file - -Default value: `"${cert_path}/service-account.pub"` - -### `k8s::server::controller_manager` - -Installs and configures a Kubernetes controller manager - -#### Parameters - -The following parameters are available in the `k8s::server::controller_manager` class: - -* [`arguments`](#-k8s--server--controller_manager--arguments) -* [`ca_cert`](#-k8s--server--controller_manager--ca_cert) -* [`ca_key`](#-k8s--server--controller_manager--ca_key) -* [`cert`](#-k8s--server--controller_manager--cert) -* [`cert_path`](#-k8s--server--controller_manager--cert_path) -* [`cluster_cidr`](#-k8s--server--controller_manager--cluster_cidr) -* [`container_image`](#-k8s--server--controller_manager--container_image) -* [`container_image_tag`](#-k8s--server--controller_manager--container_image_tag) -* [`container_registry`](#-k8s--server--controller_manager--container_registry) -* [`control_plane_url`](#-k8s--server--controller_manager--control_plane_url) -* [`ensure`](#-k8s--server--controller_manager--ensure) -* [`key`](#-k8s--server--controller_manager--key) -* [`service_cluster_cidr`](#-k8s--server--controller_manager--service_cluster_cidr) - -##### `arguments` - -Data type: `Hash[String, Data]` - -Additional arguments to pass to the controller manager. - -Default value: `{}` - -##### `ca_cert` - -Data type: `Stdlib::Unixpath` - -The path to the CA certificate. - -Default value: `$k8s::server::tls::ca_cert` - -##### `ca_key` - -Data type: `Stdlib::Unixpath` - -The path to the CA key. - -Default value: `$k8s::server::tls::ca_key` - -##### `cert` - -Data type: `Stdlib::Unixpath` - -The path to the controller manager certificate. 
- -Default value: `"${cert_path}/kube-controller-manager.pem"` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -The path to the TLS certificates. - -Default value: `$k8s::server::tls::cert_path` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR of the cluster. - -Default value: `$k8s::cluster_cidr` - -##### `container_image` - -Data type: `String[1]` - -The container image to use for the controller manager. - -Default value: `'kube-controller-manager'` - -##### `container_image_tag` - -Data type: `Optional[String[1]]` - -The container image tag to use for the controller manager. - -Default value: `$k8s::container_image_tag` - -##### `container_registry` - -Data type: `String[1]` - -The container registry to pull the controller manager image from. - -Default value: `$k8s::container_registry` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -The URL of the Kubernetes API server. - -Default value: `$k8s::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the controller manager should be configured. - -Default value: `$k8s::server::ensure` - -##### `key` - -Data type: `Stdlib::Unixpath` - -The path to the controller manager key. - -Default value: `"${cert_path}/kube-controller-manager.key"` - -##### `service_cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR of the service cluster. 
- -Default value: `$k8s::service_cluster_cidr` - -### `k8s::server::etcd` - -Sets up an etcd cluster node - -#### Parameters - -The following parameters are available in the `k8s::server::etcd` class: - -* [`addn_names`](#-k8s--server--etcd--addn_names) -* [`cert_path`](#-k8s--server--etcd--cert_path) -* [`client_ca_cert`](#-k8s--server--etcd--client_ca_cert) -* [`client_ca_key`](#-k8s--server--etcd--client_ca_key) -* [`cluster_name`](#-k8s--server--etcd--cluster_name) -* [`ensure`](#-k8s--server--etcd--ensure) -* [`firewall_type`](#-k8s--server--etcd--firewall_type) -* [`generate_ca`](#-k8s--server--etcd--generate_ca) -* [`group`](#-k8s--server--etcd--group) -* [`manage_certs`](#-k8s--server--etcd--manage_certs) -* [`manage_firewall`](#-k8s--server--etcd--manage_firewall) -* [`manage_members`](#-k8s--server--etcd--manage_members) -* [`manage_setup`](#-k8s--server--etcd--manage_setup) -* [`peer_ca_cert`](#-k8s--server--etcd--peer_ca_cert) -* [`peer_ca_key`](#-k8s--server--etcd--peer_ca_key) -* [`puppetdb_discovery_tag`](#-k8s--server--etcd--puppetdb_discovery_tag) -* [`self_signed_tls`](#-k8s--server--etcd--self_signed_tls) -* [`user`](#-k8s--server--etcd--user) -* [`version`](#-k8s--server--etcd--version) - -##### `addn_names` - -Data type: `K8s::TLS_altnames` - -additional names for certificates - -Default value: `[]` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -path to cert files - -Default value: `'/var/lib/etcd/certs'` - -##### `client_ca_cert` - -Data type: `Stdlib::Unixpath` - -path to the client ca cert - -Default value: `"${cert_path}/client-ca.pem"` - -##### `client_ca_key` - -Data type: `Stdlib::Unixpath` - -path to the client ca key - -Default value: `"${cert_path}/client-ca.key"` - -##### `cluster_name` - -Data type: `String[1]` - -name of the etcd cluster for searching its nodes in the puppetdb - -Default value: `pick($k8s::server::etcd_cluster_name, 'default')` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation 
or deinstallation - -Default value: `'present'` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `$k8s::server::firewall_type` - -##### `generate_ca` - -Data type: `Boolean` - -whether to generate a own ca or not +whether to manage firewall or not Default value: `false` -##### `group` - -Data type: `String[1]` - -group to run etcd as - -Default value: `'etcd'` - -##### `manage_certs` +##### `manage_members` Data type: `Boolean` -whether to manage certs or not - -Default value: `true` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `false` - -##### `manage_members` - -Data type: `Boolean` - -whether to manage the ectd cluster member joining or not - -Default value: `false` - -##### `manage_setup` - -Data type: `Boolean` - -whether to manage the setup of etcd or not - -Default value: `true` - -##### `peer_ca_cert` - -Data type: `Stdlib::Unixpath` - -path to the peer ca cert - -Default value: `"${cert_path}/peer-ca.pem"` - -##### `peer_ca_key` - -Data type: `Stdlib::Unixpath` - -path to the peer ca key - -Default value: `"${cert_path}/peer-ca.key"` - -##### `puppetdb_discovery_tag` - -Data type: `String[1]` - -enable puppetdb resource searching - -Default value: `pick($k8s::server::puppetdb_discovery_tag, $cluster_name)` - -##### `self_signed_tls` - -Data type: `Boolean` - -whether to use self signed tls or not - -Default value: `false` - -##### `user` - -Data type: `String[1]` - -user to run etcd as - -Default value: `'etcd'` - -##### `version` - -Data type: `String[1]` - -version of ectd to install - -Default value: `pick($k8s::etcd_version, '3.5.1')` - -### `k8s::server::etcd::setup` - -Installs and configures an etcd instance - -#### Parameters - -The following parameters are available in the `k8s::server::etcd::setup` class: - -* [`advertise_client_urls`](#-k8s--server--etcd--setup--advertise_client_urls) -* 
[`archive_template`](#-k8s--server--etcd--setup--archive_template) -* [`auto_compaction_retention`](#-k8s--server--etcd--setup--auto_compaction_retention) -* [`auto_tls`](#-k8s--server--etcd--setup--auto_tls) -* [`binary_path`](#-k8s--server--etcd--setup--binary_path) -* [`cert_file`](#-k8s--server--etcd--setup--cert_file) -* [`client_cert_auth`](#-k8s--server--etcd--setup--client_cert_auth) -* [`data_dir`](#-k8s--server--etcd--setup--data_dir) -* [`ensure`](#-k8s--server--etcd--setup--ensure) -* [`etcd_name`](#-k8s--server--etcd--setup--etcd_name) -* [`fqdn`](#-k8s--server--etcd--setup--fqdn) -* [`gid`](#-k8s--server--etcd--setup--gid) -* [`group`](#-k8s--server--etcd--setup--group) -* [`initial_advertise_peer_urls`](#-k8s--server--etcd--setup--initial_advertise_peer_urls) -* [`initial_cluster`](#-k8s--server--etcd--setup--initial_cluster) -* [`initial_cluster_state`](#-k8s--server--etcd--setup--initial_cluster_state) -* [`initial_cluster_token`](#-k8s--server--etcd--setup--initial_cluster_token) -* [`install`](#-k8s--server--etcd--setup--install) -* [`key_file`](#-k8s--server--etcd--setup--key_file) -* [`listen_client_urls`](#-k8s--server--etcd--setup--listen_client_urls) -* [`listen_peer_urls`](#-k8s--server--etcd--setup--listen_peer_urls) -* [`package`](#-k8s--server--etcd--setup--package) -* [`peer_auto_tls`](#-k8s--server--etcd--setup--peer_auto_tls) -* [`peer_cert_file`](#-k8s--server--etcd--setup--peer_cert_file) -* [`peer_client_cert_auth`](#-k8s--server--etcd--setup--peer_client_cert_auth) -* [`peer_key_file`](#-k8s--server--etcd--setup--peer_key_file) -* [`peer_trusted_ca_file`](#-k8s--server--etcd--setup--peer_trusted_ca_file) -* [`proxy`](#-k8s--server--etcd--setup--proxy) -* [`storage_path`](#-k8s--server--etcd--setup--storage_path) -* [`trusted_ca_file`](#-k8s--server--etcd--setup--trusted_ca_file) -* [`uid`](#-k8s--server--etcd--setup--uid) -* [`user`](#-k8s--server--etcd--setup--user) -* [`version`](#-k8s--server--etcd--setup--version) - -##### 
`advertise_client_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The client urls to advertise - -Default value: `["https://${fqdn}:2379"]` - -##### `archive_template` - -Data type: `Stdlib::HTTPUrl` - -The download url template for the etc archive - -Default value: `'https://storage.googleapis.com/etcd/v%{version}/etcd-v%{version}-%{kernel}-%{arch}.%{kernel_ext}'` - -##### `auto_compaction_retention` - -Data type: `Optional[Integer]` - -The auto compaction retention - -Default value: `undef` - -##### `auto_tls` - -Data type: `Boolean` - -Use auto tls - -Default value: `$k8s::server::etcd::self_signed_tls` - -##### `binary_path` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the etcd binary - -Default value: `undef` - -##### `cert_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the cert file - -Default value: `undef` - -##### `client_cert_auth` - -Data type: `Boolean` - -Use client cert auth - -Default value: `false` - -##### `data_dir` - -Data type: `String[1]` - -path to the data dir - -Default value: `"${etcd_name}.etcd"` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `$k8s::server::etcd::ensure` - -##### `etcd_name` - -Data type: `String[1]` - -The etcd instance name - -Default value: `$facts['networking']['hostname']` - -##### `fqdn` - -Data type: `String[1]` - -fully qualified domain name - -Default value: `$facts['networking']['fqdn']` - -##### `gid` - -Data type: `Optional[Integer[0, 65535]]` - -The group system id - -Default value: `undef` - -##### `group` - -Data type: `String[1]` - -etcd system user group - -Default value: `$k8s::server::etcd::group` - -##### `initial_advertise_peer_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The peer urls to advertise - -Default value: `["https://${fqdn}:2380"]` - -##### `initial_cluster` - -Data type: `Array[String[1]]` - -The initial cluster - -Default value: `[]` - -##### `initial_cluster_state` - -Data type: 
`Optional[Enum['existing', 'new']]` - -The initial cluster state - -Default value: `undef` - -##### `initial_cluster_token` - -Data type: `Optional[String[1]]` - -The initial cluster token - -Default value: `undef` - -##### `install` - -Data type: `Enum['archive','package']` - -etcd installation method - -Default value: `'archive'` - -##### `key_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the key file - -Default value: `undef` - -##### `listen_client_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The client urls to listen on - -Default value: `['https://[::]:2379']` - -##### `listen_peer_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The peer urls to listen on - -Default value: `['https://[::]:2380']` - -##### `package` - -Data type: `String[1]` - -etcd package name - -Default value: `'etcd'` - -##### `peer_auto_tls` - -Data type: `Boolean` - -Use peer auto tls - -Default value: `$k8s::server::etcd::self_signed_tls` - -##### `peer_cert_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer cert file - -Default value: `undef` - -##### `peer_client_cert_auth` - -Data type: `Boolean` - -Use peer client cert auth - -Default value: `false` - -##### `peer_key_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer key file - -Default value: `undef` - -##### `peer_trusted_ca_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer trusted ca file - -Default value: `undef` - -##### `proxy` - -Data type: `Enum['on','off','readonly']` - -The proxy mode - -Default value: `'off'` - -##### `storage_path` - -Data type: `Stdlib::Unixpath` - -path to the working dir of etcd - -Default value: `'/var/lib/etcd'` - -##### `trusted_ca_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the trusted ca file - -Default value: `undef` - -##### `uid` - -Data type: `Optional[Integer[0, 65535]]` - -The user system id - -Default value: `undef` - -##### `user` - -Data type: `String[1]` - -etcd system user - -Default value: 
`$k8s::server::etcd::user` - -##### `version` - -Data type: `String[1]` - -The ectd version to install - -Default value: `$k8s::server::etcd::version` - -### `k8s::server::resources` - -Generates and deploys standard Kubernetes in-cluster services - -#### Parameters - -The following parameters are available in the `k8s::server::resources` class: - -* [`ca_cert`](#-k8s--server--resources--ca_cert) -* [`cluster_cidr`](#-k8s--server--resources--cluster_cidr) -* [`cluster_domain`](#-k8s--server--resources--cluster_domain) -* [`control_plane_url`](#-k8s--server--resources--control_plane_url) -* [`coredns_deployment_config`](#-k8s--server--resources--coredns_deployment_config) -* [`coredns_image`](#-k8s--server--resources--coredns_image) -* [`coredns_registry`](#-k8s--server--resources--coredns_registry) -* [`coredns_tag`](#-k8s--server--resources--coredns_tag) -* [`dns_service_address`](#-k8s--server--resources--dns_service_address) -* [`extra_kube_proxy_args`](#-k8s--server--resources--extra_kube_proxy_args) -* [`flannel_cni_image`](#-k8s--server--resources--flannel_cni_image) -* [`flannel_cni_registry`](#-k8s--server--resources--flannel_cni_registry) -* [`flannel_cni_tag`](#-k8s--server--resources--flannel_cni_tag) -* [`flannel_daemonset_config`](#-k8s--server--resources--flannel_daemonset_config) -* [`flannel_image`](#-k8s--server--resources--flannel_image) -* [`flannel_registry`](#-k8s--server--resources--flannel_registry) -* [`flannel_tag`](#-k8s--server--resources--flannel_tag) -* [`image_pull_secrets`](#-k8s--server--resources--image_pull_secrets) -* [`kube_proxy_daemonset_config`](#-k8s--server--resources--kube_proxy_daemonset_config) -* [`kube_proxy_image`](#-k8s--server--resources--kube_proxy_image) -* [`kube_proxy_registry`](#-k8s--server--resources--kube_proxy_registry) -* [`kube_proxy_tag`](#-k8s--server--resources--kube_proxy_tag) -* [`kubeconfig`](#-k8s--server--resources--kubeconfig) -* [`manage_bootstrap`](#-k8s--server--resources--manage_bootstrap) -* 
[`manage_coredns`](#-k8s--server--resources--manage_coredns) -* [`manage_flannel`](#-k8s--server--resources--manage_flannel) -* [`manage_kube_proxy`](#-k8s--server--resources--manage_kube_proxy) - -##### `ca_cert` - -Data type: `Stdlib::Unixpath` - -the path to the CA certificate to use for the cluster - -Default value: `$k8s::server::tls::ca_cert` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -the CIDR to use for the cluster - -Default value: `$k8s::server::cluster_cidr` - -##### `cluster_domain` - -Data type: `String[1]` - -the domain to use for the cluster - -Default value: `$k8s::server::cluster_domain` - -##### `control_plane_url` - -Data type: `String[1]` - -the URL to use for the control plane - -Default value: `$k8s::server::control_plane_url` - -##### `coredns_deployment_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the CoreDNS Deployment - -Default value: `{}` - -##### `coredns_image` - -Data type: `String[1]` - -the image to use for the CoreDNS - -Default value: `'coredns/coredns'` - -##### `coredns_registry` - -Data type: `String[1]` - -the registry to use for the CoreDNS image - -Default value: `'docker.io'` - -##### `coredns_tag` - -Data type: `String[1]` - -the tag to use for the CoreDNS image - -Default value: `'1.8.7'` - -##### `dns_service_address` - -Data type: `K8s::IP_addresses` - -the IP address to use for the DNS service - -Default value: `$k8s::server::dns_service_address` - -##### `extra_kube_proxy_args` - -Data type: `Hash[String,Data]` - -the extra arguments to pass to the kube-proxy - -Default value: `{}` - -##### `flannel_cni_image` - -Data type: `String[1]` - -the image to use for the Flannel CNI - -Default value: `'rancher/mirrored-flannelcni-flannel-cni-plugin'` - -##### `flannel_cni_registry` - -Data type: `String[1]` - -the registry to use for the Flannel CNI image - -Default value: `'docker.io'` - -##### `flannel_cni_tag` - -Data type: `String[1]` - -the tag to use for the Flannel CNI image - 
-Default value: `'v1.0.0'` - -##### `flannel_daemonset_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the Flannel DaemonSet - -Default value: `{}` - -##### `flannel_image` - -Data type: `String[1]` - -the image to use for the Flannel - -Default value: `'rancher/mirrored-flannelcni-flannel'` - -##### `flannel_registry` - -Data type: `String[1]` - -the registry to use for the Flannel image - -Default value: `'docker.io'` - -##### `flannel_tag` - -Data type: `String[1]` - -the tag to use for the Flannel image - -Default value: `'v0.16.1'` - -##### `image_pull_secrets` - -Data type: `Optional[Array]` - -the secrets to pull from private registries - -Default value: `undef` - -##### `kube_proxy_daemonset_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the kube-proxy DaemonSet - -Default value: `{}` - -##### `kube_proxy_image` - -Data type: `String[1]` - -the image to use for the kube-proxy - -Default value: `'kube-proxy'` - -##### `kube_proxy_registry` - -Data type: `String[1]` - -the registry to use for the kube-proxy image - -Default value: `$k8s::container_registry` - -##### `kube_proxy_tag` - -Data type: `String[1]` - -the tag to use for the kube-proxy image - -Default value: `"v${k8s::version}"` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -the path to the kubeconfig file to use for kubectl - -Default value: `'/root/.kube/config'` - -##### `manage_bootstrap` - -Data type: `Boolean` - -whether to manage the bootstrap resources - -Default value: `true` - -##### `manage_coredns` - -Data type: `Boolean` - -whether to manage the CoreDNS resources - -Default value: `true` - -##### `manage_flannel` - -Data type: `Boolean` - -whether to manage the Flannel resources - -Default value: `true` - -##### `manage_kube_proxy` - -Data type: `K8s::Proxy_method` - -whether to manage the kube-proxy resources - -Default value: `$k8s::manage_kube_proxy` - -### `k8s::server::resources::bootstrap` - -Generates and deploys the 
default Puppet boostrap configuration into the cluster - -#### Parameters - -The following parameters are available in the `k8s::server::resources::bootstrap` class: - -* [`control_plane_url`](#-k8s--server--resources--bootstrap--control_plane_url) -* [`ensure`](#-k8s--server--resources--bootstrap--ensure) -* [`kubeconfig`](#-k8s--server--resources--bootstrap--kubeconfig) -* [`secret`](#-k8s--server--resources--bootstrap--secret) - -##### `control_plane_url` - -Data type: `String[1]` - -The main API URL to encode in the bootstrap configuration - -Default value: `$k8s::server::resources::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the resources should be present or absent - -Default value: `$k8s::ensure` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -The path to the kubeconfig file to use for the bootstrap configuration - -Default value: `$k8s::server::resources::kubeconfig` - -##### `secret` - -Data type: `Optional[Sensitive[K8s::Bootstrap_token]]` - -The exact token secret to use, will be generated as a random 16-char string if left blank. -The generated value can be retrieved from the bootstrap-token-puppet Secret in kube-system. 
- -Default value: `undef` - -### `k8s::server::resources::coredns` - -Generates and deploys the default CoreDNS DNS provider for Kubernetes - -#### Parameters - -The following parameters are available in the `k8s::server::resources::coredns` class: - -* [`cluster_domain`](#-k8s--server--resources--coredns--cluster_domain) -* [`corefile_content`](#-k8s--server--resources--coredns--corefile_content) -* [`deployment_config`](#-k8s--server--resources--coredns--deployment_config) -* [`dns_service_address`](#-k8s--server--resources--coredns--dns_service_address) -* [`ensure`](#-k8s--server--resources--coredns--ensure) -* [`hosts`](#-k8s--server--resources--coredns--hosts) -* [`image`](#-k8s--server--resources--coredns--image) -* [`image_pull_secrets`](#-k8s--server--resources--coredns--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--coredns--image_tag) -* [`kubeconfig`](#-k8s--server--resources--coredns--kubeconfig) -* [`registry`](#-k8s--server--resources--coredns--registry) -* [`template_path`](#-k8s--server--resources--coredns--template_path) -* [`template_variables`](#-k8s--server--resources--coredns--template_variables) - -##### `cluster_domain` - -Data type: `Stdlib::Fqdn` - -The cluster domain to use for the CoreDNS ConfigMap - -Default value: `$k8s::server::resources::cluster_domain` - -##### `corefile_content` - -Data type: `Optional[String[1]]` - -The content to use for the CoreDNS ConfigMap - -Default value: `undef` - -##### `deployment_config` - -Data type: `Hash[String,Data]` - -Additional configuration to merge into the Kubernetes Deployment object - -Default value: `$k8s::server::resources::coredns_deployment_config` - -##### `dns_service_address` - -Data type: `K8s::IP_addresses` - -The address for the DNS service - -Default value: `$k8s::server::resources::dns_service_address` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the resource should be present or absent on the target system - -Default value: `$k8s::ensure` - -##### 
`hosts` - -Data type: `Array[String[1]]` - -Additional host-style entries for the CoreDNS deployment to serve - -Default value: `[]` - -##### `image` - -Data type: `String[1]` - -The CoreDNS image name to use - -Default value: `$k8s::server::resources::coredns_image` - -##### `image_pull_secrets` - -Data type: `Optional[Array]` - -the secrets to pull from private registries - -Default value: `$k8s::server::resources::image_pull_secrets` - -##### `image_tag` - -Data type: `String[1]` - -The CoreDNS image tag to use - -Default value: `$k8s::server::resources::coredns_tag` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -The path to the kubeconfig to use for kubectl commands - -Default value: `$k8s::server::resources::kubeconfig` - -##### `registry` - -Data type: `String[1]` - -The CoreDNS image registry to use - -Default value: `$k8s::server::resources::coredns_registry` - -##### `template_path` - -Data type: `String[1]` - -The path to the template to use for the CoreDNS ConfigMap - -Default value: `'k8s/server/resources/coredns_corefile.epp'` - -##### `template_variables` - -Data type: `Hash[String, Any]` - -The variables to use for the CoreDNS ConfigMap template - -Default value: `{ cluster_domain => $cluster_domain }` - -### `k8s::server::resources::flannel` - -Generates and deploys the default CoreDNS DNS provider for Kubernetes - -#### Parameters - -The following parameters are available in the `k8s::server::resources::flannel` class: - -* [`cluster_cidr`](#-k8s--server--resources--flannel--cluster_cidr) -* [`cni_image`](#-k8s--server--resources--flannel--cni_image) -* [`cni_image_tag`](#-k8s--server--resources--flannel--cni_image_tag) -* [`cni_registry`](#-k8s--server--resources--flannel--cni_registry) -* [`daemonset_config`](#-k8s--server--resources--flannel--daemonset_config) -* [`ensure`](#-k8s--server--resources--flannel--ensure) -* [`image`](#-k8s--server--resources--flannel--image) -* 
[`image_pull_secrets`](#-k8s--server--resources--flannel--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--flannel--image_tag) -* [`kubeconfig`](#-k8s--server--resources--flannel--kubeconfig) -* [`net_config`](#-k8s--server--resources--flannel--net_config) -* [`registry`](#-k8s--server--resources--flannel--registry) - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The internal cluster CIDR to proxy for - -Default value: `$k8s::server::resources::cluster_cidr` - -##### `cni_image` - -Data type: `String[1]` - -The Flannel CNI plugin image name to use - -Default value: `$k8s::server::resources::flannel_cni_image` - -##### `cni_image_tag` - -Data type: `String[1]` - -The Flannel CNI plugin image tag to use - -Default value: `$k8s::server::resources::flannel_cni_tag` - -##### `cni_registry` - -Data type: `String[1]` - -The Flannel CNI plugin image registry to use - -Default value: `$k8s::server::resources::flannel_cni_registry` - -##### `daemonset_config` - -Data type: `Hash[String,Data]` - -Additional configuration to merge into the DaemonSet object +whether to manage the ectd cluster member joining or not -Default value: `$k8s::server::resources::flannel_daemonset_config` +Default value: `false` -##### `ensure` +##### `manage_setup` -Data type: `K8s::Ensure` +Data type: `Boolean` -Whether the resource should be present or absent on the system +whether to manage the setup of etcd or not -Default value: `$k8s::ensure` +Default value: `true` -##### `image` +##### `peer_ca_cert` -Data type: `String[1]` +Data type: `Stdlib::Unixpath` -The Flannel image name to use +path to the peer ca cert -Default value: `$k8s::server::resources::flannel_image` +Default value: `"${cert_path}/peer-ca.pem"` -##### `image_pull_secrets` +##### `peer_ca_key` -Data type: `Optional[Array]` +Data type: `Stdlib::Unixpath` -the secrets to pull from private registries +path to the peer ca key -Default value: `$k8s::server::resources::image_pull_secrets` +Default value: 
`"${cert_path}/peer-ca.key"` -##### `image_tag` +##### `puppetdb_discovery_tag` -Data type: `String[1]` +Data type: `Optional[String[1]]` -The Flannel image tag to use +enable puppetdb resource searching -Default value: `$k8s::server::resources::flannel_tag` +Default value: `$cluster_name` -##### `kubeconfig` +##### `self_signed_tls` -Data type: `Stdlib::Unixpath` +Data type: `Boolean` -The path to the kubeconfig file to use +whether to use self signed tls or not -Default value: `$k8s::server::resources::kubeconfig` +Default value: `false` -##### `net_config` +##### `user` -Data type: `Hash[String,Data]` +Data type: `String[1]` -Additional configuration to merge into net-conf.json for Flannel +user to run etcd as -Default value: `{}` +Default value: `'etcd'` -##### `registry` +##### `version` Data type: `String[1]` -The Flannel image registry to use +version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `$k8s::server::resources::flannel_registry` +Default value: `$k8s::etcd_version` -### `k8s::server::resources::kube_proxy` +### `k8s::server::etcd::setup` -Generates and deploys the default kube-proxy service for Kubernetes +Installs and configures an etcd instance #### Parameters -The following parameters are available in the `k8s::server::resources::kube_proxy` class: +The following parameters are available in the `k8s::server::etcd::setup` class: -* [`cluster_cidr`](#-k8s--server--resources--kube_proxy--cluster_cidr) -* [`daemonset_config`](#-k8s--server--resources--kube_proxy--daemonset_config) -* [`ensure`](#-k8s--server--resources--kube_proxy--ensure) -* [`extra_args`](#-k8s--server--resources--kube_proxy--extra_args) -* [`extra_config`](#-k8s--server--resources--kube_proxy--extra_config) -* [`image`](#-k8s--server--resources--kube_proxy--image) -* [`image_pull_secrets`](#-k8s--server--resources--kube_proxy--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--kube_proxy--image_tag) -* 
[`kubeconfig`](#-k8s--server--resources--kube_proxy--kubeconfig) -* [`registry`](#-k8s--server--resources--kube_proxy--registry) +* [`advertise_client_urls`](#-k8s--server--etcd--setup--advertise_client_urls) +* [`archive_template`](#-k8s--server--etcd--setup--archive_template) +* [`auto_compaction_retention`](#-k8s--server--etcd--setup--auto_compaction_retention) +* [`auto_tls`](#-k8s--server--etcd--setup--auto_tls) +* [`binary_path`](#-k8s--server--etcd--setup--binary_path) +* [`cert_file`](#-k8s--server--etcd--setup--cert_file) +* [`client_cert_auth`](#-k8s--server--etcd--setup--client_cert_auth) +* [`data_dir`](#-k8s--server--etcd--setup--data_dir) +* [`ensure`](#-k8s--server--etcd--setup--ensure) +* [`etcd_name`](#-k8s--server--etcd--setup--etcd_name) +* [`fqdn`](#-k8s--server--etcd--setup--fqdn) +* [`gid`](#-k8s--server--etcd--setup--gid) +* [`group`](#-k8s--server--etcd--setup--group) +* [`initial_advertise_peer_urls`](#-k8s--server--etcd--setup--initial_advertise_peer_urls) +* [`initial_cluster`](#-k8s--server--etcd--setup--initial_cluster) +* [`initial_cluster_state`](#-k8s--server--etcd--setup--initial_cluster_state) +* [`initial_cluster_token`](#-k8s--server--etcd--setup--initial_cluster_token) +* [`install`](#-k8s--server--etcd--setup--install) +* [`key_file`](#-k8s--server--etcd--setup--key_file) +* [`listen_client_urls`](#-k8s--server--etcd--setup--listen_client_urls) +* [`listen_peer_urls`](#-k8s--server--etcd--setup--listen_peer_urls) +* [`package`](#-k8s--server--etcd--setup--package) +* [`peer_auto_tls`](#-k8s--server--etcd--setup--peer_auto_tls) +* [`peer_cert_file`](#-k8s--server--etcd--setup--peer_cert_file) +* [`peer_client_cert_auth`](#-k8s--server--etcd--setup--peer_client_cert_auth) +* [`peer_key_file`](#-k8s--server--etcd--setup--peer_key_file) +* [`peer_trusted_ca_file`](#-k8s--server--etcd--setup--peer_trusted_ca_file) +* [`proxy`](#-k8s--server--etcd--setup--proxy) +* [`storage_path`](#-k8s--server--etcd--setup--storage_path) +* 
[`trusted_ca_file`](#-k8s--server--etcd--setup--trusted_ca_file) +* [`uid`](#-k8s--server--etcd--setup--uid) +* [`user`](#-k8s--server--etcd--setup--user) +* [`version`](#-k8s--server--etcd--setup--version) -##### `cluster_cidr` +##### `advertise_client_urls` -Data type: `K8s::CIDR` +Data type: `Array[Stdlib::HTTPUrl]` -The internal cluster CIDR to proxy for +The client urls to advertise -Default value: `$k8s::server::resources::cluster_cidr` +Default value: `["https://${fqdn}:2379"]` -##### `daemonset_config` +##### `archive_template` -Data type: `Hash[String,Data]` +Data type: `Stdlib::HTTPUrl` -Additional configuration to merge into the DaemonSet object +The download url template for the etc archive -Default value: `{}` +Default value: `'https://storage.googleapis.com/etcd/v%{version}/etcd-v%{version}-%{kernel}-%{arch}.%{kernel_ext}'` -##### `ensure` +##### `auto_compaction_retention` -Data type: `K8s::Ensure` +Data type: `Optional[Integer]` -Whether the resource should be present or absent +The auto compaction retention -Default value: `$k8s::ensure` +Default value: `undef` -##### `extra_args` +##### `auto_tls` -Data type: `Hash[String,Data]` +Data type: `Optional[Boolean]` -Additional arguments to specify to the kube-proxy application +Use auto tls -Default value: `{}` +Default value: `undef` -##### `extra_config` +##### `binary_path` -Data type: `Hash[String,Data]` +Data type: `Optional[Stdlib::Unixpath]` -Additional configuration data to apply to the kube-proxy configuration file +path to the etcd binary -Default value: `{}` +Default value: `undef` -##### `image` +##### `cert_file` -Data type: `String[1]` +Data type: `Optional[Stdlib::Unixpath]` -The kube-proxy image name to use +path to the cert file -Default value: `$k8s::server::resources::kube_proxy_image` +Default value: `undef` -##### `image_pull_secrets` +##### `client_cert_auth` -Data type: `Optional[Array]` +Data type: `Boolean` -the secrets to pull from private registries +Use client cert auth 
-Default value: `$k8s::server::resources::image_pull_secrets` +Default value: `false` -##### `image_tag` +##### `data_dir` Data type: `String[1]` -The kube-proxy image tag to use +path to the data dir -Default value: `$k8s::server::resources::kube_proxy_tag` +Default value: `"${etcd_name}.etcd"` -##### `kubeconfig` +##### `ensure` -Data type: `Stdlib::Unixpath` +Data type: `K8s::Ensure` -The path to the kubeconfig file to use +set ensure for installation or deinstallation -Default value: `$k8s::server::resources::kubeconfig` +Default value: `'present'` -##### `registry` +##### `etcd_name` Data type: `String[1]` -The kube-proxy image registry to use - -Default value: `$k8s::server::resources::kube_proxy_registry` - -### `k8s::server::scheduler` +The etcd instance name -Installs and configures a Kubernetes scheduler +Default value: `$facts['networking']['hostname']` -#### Parameters +##### `fqdn` -The following parameters are available in the `k8s::server::scheduler` class: +Data type: `String[1]` -* [`ensure`](#-k8s--server--scheduler--ensure) -* [`control_plane_url`](#-k8s--server--scheduler--control_plane_url) -* [`arguments`](#-k8s--server--scheduler--arguments) -* [`cert_path`](#-k8s--server--scheduler--cert_path) -* [`ca_cert`](#-k8s--server--scheduler--ca_cert) -* [`cert`](#-k8s--server--scheduler--cert) -* [`key`](#-k8s--server--scheduler--key) -* [`container_registry`](#-k8s--server--scheduler--container_registry) -* [`container_image`](#-k8s--server--scheduler--container_image) -* [`container_image_tag`](#-k8s--server--scheduler--container_image_tag) +fully qualified domain name -##### `ensure` +Default value: `$facts['networking']['fqdn']` -Data type: `K8s::Ensure` +##### `gid` -Whether the scheduler should be configured. +Data type: `Optional[Integer[0, 65535]]` -Default value: `$k8s::server::ensure` +The group system id -##### `control_plane_url` +Default value: `undef` -Data type: `Stdlib::HTTPUrl` +##### `group` -The URL of the Kubernetes API server. 
+Data type: `String[1]` -Default value: `$k8s::control_plane_url` +etcd system user group -##### `arguments` +Default value: `'etcd'` -Data type: `Hash[String, Data]` +##### `initial_advertise_peer_urls` -Additional arguments to pass to the scheduler. +Data type: `Array[Stdlib::HTTPUrl]` -Default value: `{}` +The peer urls to advertise -##### `cert_path` +Default value: `["https://${fqdn}:2380"]` -Data type: `Stdlib::Unixpath` +##### `initial_cluster` -The path to the directory containing the TLS certificates. +Data type: `Array[String[1]]` -Default value: `$k8s::server::tls::cert_path` +The initial cluster -##### `ca_cert` +Default value: `[]` -Data type: `Stdlib::Unixpath` +##### `initial_cluster_state` -The path to the CA certificate. +Data type: `Optional[Enum['existing', 'new']]` -Default value: `$k8s::server::tls::ca_cert` +The initial cluster state -##### `cert` +Default value: `undef` -Data type: `Stdlib::Unixpath` +##### `initial_cluster_token` -The path to the scheduler certificate. +Data type: `Optional[String[1]]` -Default value: `"${cert_path}/kube-scheduler.pem"` +The initial cluster token -##### `key` +Default value: `undef` -Data type: `Stdlib::Unixpath` +##### `install` -The path to the scheduler key. +Data type: `Enum['archive','package']` -Default value: `"${cert_path}/kube-scheduler.key"` +etcd installation method -##### `container_registry` +Default value: `'archive'` -Data type: `String[1]` +##### `key_file` -The container registry to pull images from. +Data type: `Optional[Stdlib::Unixpath]` -Default value: `$k8s::container_registry` +path to the key file -##### `container_image` +Default value: `undef` -Data type: `String[1]` +##### `listen_client_urls` -The container image to use for the scheduler. 
+Data type: `Array[Stdlib::HTTPUrl]` -Default value: `'kube-scheduler'` +The client urls to listen on -##### `container_image_tag` +Default value: `['https://[::]:2379']` -Data type: `Optional[String[1]]` +##### `listen_peer_urls` -The container image tag to use for the scheduler. +Data type: `Array[Stdlib::HTTPUrl]` -Default value: `$k8s::container_image_tag` +The peer urls to listen on -### `k8s::server::tls` +Default value: `['https://[::]:2380']` -Generates the necessary Kubernetes certificates for a server +##### `package` -#### Parameters +Data type: `String[1]` -The following parameters are available in the `k8s::server::tls` class: +etcd package name -* [`aggregator_ca_cert`](#-k8s--server--tls--aggregator_ca_cert) -* [`aggregator_ca_key`](#-k8s--server--tls--aggregator_ca_key) -* [`api_addn_names`](#-k8s--server--tls--api_addn_names) -* [`api_service_address`](#-k8s--server--tls--api_service_address) -* [`ca_cert`](#-k8s--server--tls--ca_cert) -* [`ca_key`](#-k8s--server--tls--ca_key) -* [`cert_path`](#-k8s--server--tls--cert_path) -* [`cluster_domain`](#-k8s--server--tls--cluster_domain) -* [`ensure`](#-k8s--server--tls--ensure) -* [`generate_ca`](#-k8s--server--tls--generate_ca) -* [`key_bits`](#-k8s--server--tls--key_bits) -* [`manage_certs`](#-k8s--server--tls--manage_certs) -* [`valid_days`](#-k8s--server--tls--valid_days) +Default value: `'etcd'` -##### `aggregator_ca_cert` +##### `peer_auto_tls` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Boolean]` -The path to the aggregator CA certificate +Use peer auto tls -Default value: `$k8s::server::aggregator_ca_cert` +Default value: `undef` -##### `aggregator_ca_key` +##### `peer_cert_file` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Stdlib::Unixpath]` -The path to the aggregator CA key +path to the peer cert file -Default value: `$k8s::server::aggregator_ca_key` +Default value: `undef` -##### `api_addn_names` +##### `peer_client_cert_auth` -Data type: `K8s::TLS_altnames` +Data type: 
`Boolean` -Additional names to add to the API server certificate +Use peer client cert auth -Default value: `[]` +Default value: `false` -##### `api_service_address` +##### `peer_key_file` -Data type: `Stdlib::IP::Address::Nosubnet` +Data type: `Optional[Stdlib::Unixpath]` -The API service address +path to the peer key file -Default value: `$k8s::api_service_address` +Default value: `undef` -##### `ca_cert` +##### `peer_trusted_ca_file` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Stdlib::Unixpath]` -The path to the CA certificate +path to the peer trusted ca file -Default value: `$k8s::server::ca_cert` +Default value: `undef` -##### `ca_key` +##### `proxy` -Data type: `Stdlib::Unixpath` +Data type: `Enum['on','off','readonly']` -The path to the CA key +The proxy mode -Default value: `$k8s::server::ca_key` +Default value: `'off'` -##### `cert_path` +##### `storage_path` Data type: `Stdlib::Unixpath` -The path to the certificates - -Default value: `$k8s::server::cert_path` - -##### `cluster_domain` - -Data type: `String[1]` - -The cluster domain - -Default value: `$k8s::cluster_domain` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether to generate the certificates or not +path to the working dir of etcd -Default value: `'present'` +Default value: `'/var/lib/etcd'` -##### `generate_ca` +##### `trusted_ca_file` -Data type: `Boolean` +Data type: `Optional[Stdlib::Unixpath]` -Whether to generate the CA or not +path to the trusted ca file -Default value: `$k8s::server::generate_ca` +Default value: `undef` -##### `key_bits` +##### `uid` -Data type: `Integer[512]` +Data type: `Optional[Integer[0, 65535]]` -The number of bits to use for the key +The user system id -Default value: `2048` +Default value: `undef` -##### `manage_certs` +##### `user` -Data type: `Boolean` +Data type: `String[1]` -Whether to manage the certificates or not +etcd system user -Default value: `$k8s::server::manage_certs` +Default value: `'etcd'` -##### `valid_days` +##### `version` 
-Data type: `Integer[1]` +Data type: `String[1]` -The number of days the certificate is valid for +The ectd version to install -Default value: `10000` +Default value: `$k8s::etcd_version` ### `k8s::server::wait_online` @@ -4178,6 +2645,14 @@ a type to describe node/kubelet authentication methods Alias of `Enum['cert', 'token', 'bootstrap']` +### `K8s::Node_role` + +a type to describe a type of Kubernetes node + +* **Note** server/control-plane are identical, one using the Puppet term, the other the Kubernetes term + +Alias of `Enum['node', 'server', 'control-plane', 'etcd-replica', 'none']` + ### `K8s::PortRange` This regexp matches port range values diff --git a/manifests/common.pp b/manifests/common.pp new file mode 100644 index 0000000..b077320 --- /dev/null +++ b/manifests/common.pp 
@@ -0,0 +1,74 @@ +# @summary Sets up common Kubernetes components - users/groups/folders/etc +# @api private +class k8s::common { + assert_private() + + group { $k8s::group: + ensure => present, + system => true, + gid => $k8s::gid, + } + + user { $k8s::user: + ensure => present, + comment => 'Kubernetes user', + gid => $k8s::group, + home => '/srv/kubernetes', + managehome => false, + shell => (fact('os.family') ? { + 'Debian' => '/usr/sbin/nologin', + default => '/sbin/nologin', + }), + system => true, + uid => $k8s::uid, + } + + file { + default: + ensure => directory, + force => true, + purge => true, + recurse => true; + + '/opt/k8s': ; + '/opt/k8s/bin': ; + } + + file { '/var/run/kubernetes': + ensure => directory, + owner => $k8s::user, + group => $k8s::group, + } + + file { "${k8s::sysconfig_path}/kube-common": + ensure => file, + content => epp('k8s/sysconfig.epp', { + comment => 'General Kubernetes Configuration', + environment_variables => { + 'KUBE_LOG_LEVEL' => '', + }, + }), + } + + file { + default: + ensure => directory; + + '/etc/kubernetes': ; + '/etc/kubernetes/certs': ; + '/etc/kubernetes/manifests': + purge => $k8s::purge_manifests, + recurse => true; + '/root/.kube': ; + '/srv/kubernetes': + owner => $k8s::user, + group => $k8s::group; + '/usr/libexec/kubernetes': ; + '/var/lib/kubelet': ; + '/var/lib/kubelet/pki': ; + + '/usr/share/containers/': ; + '/usr/share/containers/oci/': ; + '/usr/share/containers/oci/hooks.d': ; + } +} diff --git a/manifests/init.pp b/manifests/init.pp index c5965be..0a47466 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -37,10 +37,10 @@ # @param puppetdb_discovery whether to use puppetdb for node discovery # @param puppetdb_discovery_tag tag to use for puppetdb node discovery # @param purge_manifests whether to purge manifests -# @param role role of the node +# @param role the role of the node # @param runc_version version of runc to install # @param service_cluster_cidr CIDR for the service network -# @param sysconfig_path path to the sysconfig directory +# @param sysconfig_path path to the sysconfig directory, per-OS values are configured in hiera # @param tarball_url_template template for tarball packaging # @param uid user id for kubernetes files and services # @param user username for kubernetes files and services @@ -82,7 +82,7 @@ String[1] $tarball_url_template = 'https://dl.k8s.io/release/v%{version}/kubernetes-%{component}-%{kernel}-%{arch}.tar.gz', String[1] $package_template = 'kubernetes-%{component}', String[1] $hyperkube_name = 'hyperkube', - Optional[Stdlib::Unixpath] $sysconfig_path = undef, + Stdlib::Unixpath $sysconfig_path = '/etc/sysconfig', K8s::Node_auth $node_auth = 'bootstrap', @@ -95,7 +95,7 @@ Stdlib::Fqdn $cluster_domain = 'cluster.local', String[1] $etcd_cluster_name = 'default', - Enum['node','server','none'] $role = 'none', + Optional[K8s::Node_role] $role = undef, Optional[K8s::Firewall] $firewall_type = undef, String[1] $user = 'kube', 
@@ -103,100 +103,11 @@ Integer[0, 65535] $uid = 888, Integer[0, 65535] $gid = 888, ) { - if $manage_container_manager { - include k8s::install::container_runtime - } - - group { $group: - ensure => present, - system => true, - gid => $gid, - } - - user { $user: - ensure => present, - comment => 'Kubernetes user', - gid => $group, - home => '/srv/kubernetes', - managehome => false, - shell => (fact('os.family') ? { - 'Debian' => '/usr/sbin/nologin', - default => '/sbin/nologin', - }), - system => true, - uid => $uid, - } - - file { - default: - ensure => directory, - force => true, - purge => true, - recurse => true; - - '/opt/k8s': ; - '/opt/k8s/bin': ; - } - - file { '/var/run/kubernetes': - ensure => directory, - owner => $user, - group => $group, - } - - $_sysconfig_path = pick($sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-common": - ensure => file, - content => epp('k8s/sysconfig.epp', { - comment => 'General Kubernetes Configuration', - environment_variables => { - 'KUBE_LOG_LEVEL' => '', - }, - }), - } - - file { - default: - ensure => directory; - - '/etc/kubernetes': ; - '/etc/kubernetes/certs': ; - '/etc/kubernetes/manifests': - purge => $purge_manifests, - recurse => true; - '/root/.kube': ; - '/srv/kubernetes': - owner => $user, - group => $group; - '/usr/libexec/kubernetes': ; - '/var/lib/kubelet': ; - '/var/lib/kubelet/pki': ; - - '/usr/share/containers/': ; - '/usr/share/containers/oci/': ; - '/usr/share/containers/oci/hooks.d': ; - } - - if $manage_repo { - include k8s::repo - } - - if $manage_packages { - # Ensure conntrack is installed to properly handle networking cleanup - if fact('os.family') == 'Debian' { - $_conntrack = 'conntrack' - } else { - $_conntrack = 'conntrack-tools' - } - - ensure_packages([$_conntrack,]) - } - - include k8s::install::cni_plugins - - if $role == 'server' { - include k8s::server + if $role == 'server' or $role == 'control-plane' { + contain k8s::server } elsif $role == 'node' { - include 
k8s::node + contain k8s::node + } elsif $role == 'etcd-replica' { + contain k8s::server::etcd } } diff --git a/manifests/install/container_runtime.pp b/manifests/install/container_runtime.pp index ff28af1..e7a7e10 100644 --- a/manifests/install/container_runtime.pp +++ b/manifests/install/container_runtime.pp @@ -87,6 +87,6 @@ } if $manage_repo { - Class['k8s::repo'] -> Package['k8s container manager'] + require k8s::repo } } diff --git a/manifests/install/crictl.pp b/manifests/install/crictl.pp index 9abd559..9fd4f93 100644 --- a/manifests/install/crictl.pp +++ b/manifests/install/crictl.pp @@ -21,8 +21,9 @@ Stdlib::HTTPUrl $download_url_template = 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz', ) { if $manage_repo { - $pkg = pick($crictl_package, 'cri-tools') + include k8s::repo + $pkg = pick($crictl_package, 'cri-tools') package { $pkg: ensure => stdlib::ensure($ensure, 'package'), } diff --git a/manifests/node.pp b/manifests/node.pp index 001988e..117bbbd 100644 --- a/manifests/node.pp +++ b/manifests/node.pp @@ -54,6 +54,24 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, ) { + include k8s::common + include k8s::install::cni_plugins + + if $k8s::manage_container_manager { + include k8s::install::container_runtime + } + if $k8s::manage_repo { + include k8s::repo + } + if $k8s::manage_packages { + # Ensure conntrack is installed to properly handle networking cleanup + $_conntrack = fact('os.family') ? { + 'Debian' => 'conntrack', + default => 'conntrack-tools', + } + ensure_packages([$_conntrack,]) + } + if $manage_crictl { include k8s::install::crictl } diff --git a/manifests/node/kube_proxy.pp b/manifests/node/kube_proxy.pp index 0cc79b4..ac1c1b5 100644 --- a/manifests/node/kube_proxy.pp +++ b/manifests/node/kube_proxy.pp 
@@ -1,4 +1,5 @@ # @summary Sets up a on-node kube-proxy instance +# @api private # # For most use-cases, running kube-proxy inside the cluster itself is recommended # @@ -100,8 +101,7 @@ if $k8s::packaging == 'container' { } else { - $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-proxy": + file { "${k8s::sysconfig_path}/kube-proxy": ensure => $_ensure, content => epp('k8s/sysconfig.epp', { comment => 'Kubernetes kube-proxy configuration', @@ -122,7 +122,7 @@ bin => 'kube-proxy', }), require => [ - File["${_sysconfig_path}/kube-proxy"], + File["${k8s::sysconfig_path}/kube-proxy"], User[$k8s::user], ], notify => Service['kube-proxy'], diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp index 04dc3fa..706e567 100644 --- a/manifests/node/kubelet.pp +++ b/manifests/node/kubelet.pp @@ -1,4 +1,5 @@ # @summary Installs and configures kubelet +# @api private # # @param arguments additional arguments to pass to kubelet # @param auth type of node authentication @@ -52,6 +53,8 @@ Optional[K8s::Firewall] $firewall_type = $k8s::node::firewall_type, ) { + assert_private() + k8s::binary { 'kubelet': ensure => $ensure, notify => Service['kubelet'], @@ -231,8 +234,7 @@ node_ip => $_node_ip, } + $arguments) - $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kubelet": + file { "${k8s::sysconfig_path}/kubelet": content => epp('k8s/sysconfig.epp', { comment => 'Kubernetes Kubelet configuration', environment_variables => { @@ -252,7 +254,7 @@ bin => 'kubelet', }), require => [ - File["${_sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'], + File["${k8s::sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'], User[$k8s::user], ], notify => Service['kubelet'], diff --git a/manifests/server.pp b/manifests/server.pp index 0d504a7..b9758b5 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -59,6 +59,8 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, String[1] $etcd_cluster_name = $k8s::etcd_cluster_name, ) { + include k8s::common + if $manage_etcd { class { 'k8s::server::etcd': ensure => $ensure, diff --git a/manifests/server/apiserver.pp b/manifests/server/apiserver.pp index 920dd87..55c3beb 100644 --- a/manifests/server/apiserver.pp +++ b/manifests/server/apiserver.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes apiserver +# @api private # # @param advertise_address bind address of the apiserver # @param aggregator_ca_cert path to the aggregator ca cert file @@ -263,8 +264,7 @@ } # TODO: Create a dummy kube-apiserver service that just requires kubelet } else { - $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-apiserver": + file { "${k8s::sysconfig_path}/kube-apiserver": content => epp('k8s/sysconfig.epp', { comment => 'Kubernetes API Server configuration', environment_variables => { @@ -287,7 +287,7 @@ group => $k8s::group, }), require => [ - File["${_sysconfig_path}/kube-apiserver"], + File["${k8s::sysconfig_path}/kube-apiserver"], User[$k8s::user], ], notify => Service['kube-apiserver'], diff --git a/manifests/server/controller_manager.pp b/manifests/server/controller_manager.pp index 08860a4..afbe003 100644 --- a/manifests/server/controller_manager.pp +++ b/manifests/server/controller_manager.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes controller manager +# @api private # # @param arguments Additional arguments to pass to the controller manager. # @param ca_cert The path to the CA certificate. @@ -90,8 +91,7 @@ client_key => $key, } - $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-controller-manager": + file { "${k8s::sysconfig_path}/kube-controller-manager": content => epp('k8s/sysconfig.epp', { comment => 'Kubernetes Controller Manager configuration', environment_variables => { 
@@ -115,7 +115,7 @@ group => $k8s::group, }), require => [ - File["${_sysconfig_path}/kube-controller-manager"], + File["${k8s::sysconfig_path}/kube-controller-manager"], User[$k8s::user], ], notify => Service['kube-controller-manager'], diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp index 8dc4375..08f2a74 100644 --- a/manifests/server/etcd.pp +++ b/manifests/server/etcd.pp @@ -4,7 +4,7 @@ # @param cert_path path to cert files # @param client_ca_cert path to the client ca cert # @param client_ca_key path to the client ca key -# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb +# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified # @param ensure set ensure for installation or deinstallation # @param firewall_type define the type of firewall to use # @param generate_ca whether to generate a own ca or not 
@@ -18,17 +18,17 @@ # @param puppetdb_discovery_tag enable puppetdb resource searching # @param self_signed_tls whether to use self signed tls or not # @param user user to run etcd as -# @param version version of ectd to install +# @param version version of ectd to install, will use k8s::etcd_version unless otherwise specified # class k8s::server::etcd ( K8s::Ensure $ensure = 'present', - String[1] $version = pick($k8s::etcd_version, '3.5.1'), + String[1] $version = $k8s::etcd_version, - Boolean $manage_setup = true, - Boolean $manage_firewall = false, - Boolean $manage_members = false, - String[1] $cluster_name = pick($k8s::server::etcd_cluster_name, 'default'), - String[1] $puppetdb_discovery_tag = pick($k8s::server::puppetdb_discovery_tag, $cluster_name), + Boolean $manage_setup = true, + Boolean $manage_firewall = false, + Boolean $manage_members = false, + Optional[String[1]] $cluster_name = undef, + Optional[String[1]] $puppetdb_discovery_tag = $cluster_name, Boolean $self_signed_tls = false, Boolean $manage_certs = true, @@ -42,7 +42,8 @@ Stdlib::Unixpath $client_ca_key = "${cert_path}/client-ca.key", Stdlib::Unixpath $client_ca_cert = "${cert_path}/client-ca.pem", - Optional[K8s::Firewall] $firewall_type = $k8s::server::firewall_type, + Optional[K8s::Firewall] $firewall_type = undef, + String[1] $user = 'etcd', String[1] $group = 'etcd', ) { @@ -117,11 +118,10 @@ } } - if $manage_setup and !$manage_members { - include k8s::server::etcd::setup - } - if $ensure == 'present' and $manage_members { + $_cluster_name = pick($cluster_name, $k8s::etcd_cluster_name, 'default') + $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $k8s::puppetdb_discovery_tag, 'default') + # Needs the PuppetDB terminus installed $pql_query = [ 'resources[certname,parameters] {', 
@@ -131,8 +131,8 @@ ' resources {', ' type = \'Class\' and', ' title = \'K8s::Server::Etcd\' and', - " parameters.cluster_name = '${cluster_name}' and", - " parameters.puppetdb_discovery_tag = '${puppetdb_discovery_tag}' and", + " parameters.cluster_name = '${_cluster_name}' and", + " parameters.puppetdb_discovery_tag = '${_puppetdb_discovery_tag}' and", " certname != '${trusted[certname]}'", ' }', ' }', @@ -140,16 +140,14 @@ ].join(' ') $cluster_nodes = puppetdb_query($pql_query) - if $manage_setup { - class { 'k8s::server::etcd::setup': - initial_cluster => $cluster_nodes.map |$node| { - "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" - }, - initial_cluster_state => ($cluster_nodes.size() ? { - 0 => 'new', - default => 'existing', - }), - } + $_setup_splat = { + initial_cluster => $cluster_nodes.map |$node| { + "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" + }, + initial_cluster_state => ($cluster_nodes.size() ? { + 0 => 'new', + default => 'existing', + }), } $cluster_nodes.each |$node| { @@ -161,17 +159,31 @@ cluster_key => "${cert_path}/etcd-client.key", } } + } else { + $_setup_splat = {} + } + + if $manage_setup { + class { 'k8s::server::etcd::setup': + ensure => $ensure, + version => $version, + user => $user, + group => $group, + * => $_setup_splat, + } } if $manage_firewall { if $facts['firewalld_version'] { - $_firewall_type = pick($firewall_type, 'firewalld') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'firewalld') } else { - $_firewall_type = pick($firewall_type, 'iptables') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'iptables') } case $_firewall_type { 'firewalld' : { + include firewalld + firewalld_service { default: ensure => $ensure, diff --git a/manifests/server/etcd/setup.pp b/manifests/server/etcd/setup.pp index da774e3..5e03b68 100644 --- a/manifests/server/etcd/setup.pp +++ b/manifests/server/etcd/setup.pp 
@@ -35,10 +35,10 @@ # @param version The ectd version to install # class k8s::server::etcd::setup ( - K8s::Ensure $ensure = $k8s::server::etcd::ensure, + K8s::Ensure $ensure = 'present', Enum['archive','package'] $install = 'archive', String[1] $package = 'etcd', - String[1] $version = $k8s::server::etcd::version, + String[1] $version = $k8s::etcd_version, String[1] $etcd_name = $facts['networking']['hostname'], String[1] $fqdn = $facts['networking']['fqdn'], @@ -56,14 +56,14 @@ Optional[Stdlib::Unixpath] $peer_cert_file = undef, Optional[Stdlib::Unixpath] $peer_key_file = undef, Optional[Stdlib::Unixpath] $peer_trusted_ca_file = undef, + Optional[Boolean] $peer_auto_tls = undef, Boolean $peer_client_cert_auth = false, - Boolean $peer_auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Stdlib::Unixpath] $cert_file = undef, Optional[Stdlib::Unixpath] $key_file = undef, Optional[Stdlib::Unixpath] $trusted_ca_file = undef, + Optional[Boolean] $auto_tls = undef, Boolean $client_cert_auth = false, - Boolean $auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Integer] $auto_compaction_retention = undef, Optional[Enum['existing', 'new']] $initial_cluster_state = undef, 
@@ -72,11 +72,21 @@ Optional[Stdlib::Unixpath] $binary_path = undef, Stdlib::Unixpath $storage_path = '/var/lib/etcd', - String[1] $user = $k8s::server::etcd::user, - String[1] $group = $k8s::server::etcd::group, + String[1] $user = 'etcd', + String[1] $group = 'etcd', Optional[Integer[0, 65535]] $uid = undef, Optional[Integer[0, 65535]] $gid = undef, ) { + if defined(Class['k8s::server::etcd']) { + $_k8s_server_etcd_self_signed_tls = $k8s::server::etcd::self_signed_tls + $_k8s_server_etcd_manage_certs = $k8s::server::etcd::manage_certs + } else { + $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', default_value => undef) + $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', default_value => undef) + } + $_peer_auto_tls = pick($peer_auto_tls, $_k8s_server_etcd_self_signed_tls, false) + $_auto_tls = pick($auto_tls, $_k8s_server_etcd_self_signed_tls, false) + if $install == 'archive' { $_url = k8s::format_url($archive_template, { version => $version, }) $_file = basename($_url) @@ -134,7 +144,7 @@ } # Use generated certs by default - if !$k8s::server::etcd::self_signed_tls and $k8s::server::etcd::manage_certs { + if !$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs { $_dir = "${storage_path}/certs" $_cert_file = pick($cert_file, "${_dir}/etcd-server.pem") $_key_file = pick($key_file, "${_dir}/etcd-server.key") @@ -178,10 +188,12 @@ key_file => $_key_file, trusted_ca_file => $_trusted_ca_file, client_cert_auth => $_client_cert_auth, + auto_tls => $_auto_tls, peer_cert_file => $_peer_cert_file, peer_key_file => $_peer_key_file, peer_trusted_ca_file => $_peer_trusted_ca_file, peer_client_cert_auth => $_peer_client_cert_auth, + peer_auto_tls => $_peer_auto_tls, auto_compaction_retention => $auto_compaction_retention, initial_cluster_state => $initial_cluster_state, initial_cluster_token => $initial_cluster_token, 
diff --git a/manifests/server/resources.pp b/manifests/server/resources.pp index cf9f28e..36e84b1 100644 --- a/manifests/server/resources.pp +++ b/manifests/server/resources.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys standard Kubernetes in-cluster services +# @api private # # @param ca_cert the path to the CA certificate to use for the cluster # @param cluster_cidr the CIDR to use for the cluster diff --git a/manifests/server/resources/bootstrap.pp b/manifests/server/resources/bootstrap.pp index 2815581..8244db5 100644 --- a/manifests/server/resources/bootstrap.pp +++ b/manifests/server/resources/bootstrap.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default Puppet boostrap configuration into the cluster +# @api private # # @param control_plane_url The main API URL to encode in the bootstrap configuration # @param ensure Whether the resources should be present or absent diff --git a/manifests/server/resources/coredns.pp b/manifests/server/resources/coredns.pp index 1c18b62..f0b8120 100644 --- a/manifests/server/resources/coredns.pp +++ b/manifests/server/resources/coredns.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default CoreDNS DNS provider for Kubernetes +# @api private # # @param cluster_domain The cluster domain to use for the CoreDNS ConfigMap # @param corefile_content The content to use for the CoreDNS ConfigMap diff --git a/manifests/server/resources/flannel.pp b/manifests/server/resources/flannel.pp index 19a0d8b..22da3a9 100644 --- a/manifests/server/resources/flannel.pp +++ b/manifests/server/resources/flannel.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default CoreDNS DNS provider for Kubernetes +# @api private # # @param cluster_cidr The internal cluster CIDR to proxy for # @param cni_image The Flannel CNI plugin image name to use diff --git a/manifests/server/resources/kube_proxy.pp b/manifests/server/resources/kube_proxy.pp index 81d935e..a161e65 100644 --- a/manifests/server/resources/kube_proxy.pp 
+++ b/manifests/server/resources/kube_proxy.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default kube-proxy service for Kubernetes +# @api private # # @param cluster_cidr The internal cluster CIDR to proxy for # @param daemonset_config Additional configuration to merge into the DaemonSet object diff --git a/manifests/server/scheduler.pp b/manifests/server/scheduler.pp index ab96dff..6b8b640 100644 --- a/manifests/server/scheduler.pp +++ b/manifests/server/scheduler.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes scheduler +# @api private # # @param ensure Whether the scheduler should be configured. # @param control_plane_url The URL of the Kubernetes API server. @@ -68,8 +69,7 @@ client_cert => $cert, client_key => $key, } - $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-scheduler": + file { "${k8s::sysconfig_path}/kube-scheduler": content => epp('k8s/sysconfig.epp', { comment => 'Kubernetes Scheduler configuration', environment_variables => { @@ -93,7 +93,7 @@ group => $k8s::group, }), require => [ - File["${_sysconfig_path}/kube-scheduler"], + File["${k8s::sysconfig_path}/kube-scheduler"], User[$k8s::user], ], notify => Service['kube-scheduler'], diff --git a/manifests/server/tls.pp b/manifests/server/tls.pp index a89c334..a27f374 100644 --- a/manifests/server/tls.pp +++ b/manifests/server/tls.pp @@ -1,4 +1,5 @@ # @summary Generates the necessary Kubernetes certificates for a server +# @api private # # @param aggregator_ca_cert The path to the aggregator CA certificate # @param aggregator_ca_key The path to the aggregator CA key @@ -32,6 +33,7 @@ Stdlib::Unixpath $aggregator_ca_key = $k8s::server::aggregator_ca_key, Stdlib::Unixpath $aggregator_ca_cert = $k8s::server::aggregator_ca_cert, ) { + assert_private() if $manage_certs or $ensure == 'absent' { if !defined(File[$cert_path]) { file { $cert_path: 
diff --git a/spec/classes/k8s_spec.rb b/spec/classes/k8s_spec.rb index 1473ccb..bd1bf48 100644 --- a/spec/classes/k8s_spec.rb +++ b/spec/classes/k8s_spec.rb @@ -10,7 +10,7 @@ it { is_expected.to compile } - %w[node server].each do |role| + %w[node server etcd-replica].each do |role| context "with role #{role}" do let(:params) do { diff --git a/spec/classes/node_spec.rb b/spec/classes/node_spec.rb index aedb226..637d23c 100644 --- a/spec/classes/node_spec.rb +++ b/spec/classes/node_spec.rb @@ -14,6 +14,12 @@ let(:facts) { os_facts } it { is_expected.to compile } + + if os_facts.dig('os', 'family') == 'Debian' + it { is_expected.to contain_package 'conntrack' } + else + it { is_expected.to contain_package 'conntrack-tools' } + end end end end diff --git a/spec/classes/server/etcd_spec.rb b/spec/classes/server/etcd_spec.rb index 888a7c1..780916f 100644 --- a/spec/classes/server/etcd_spec.rb +++ b/spec/classes/server/etcd_spec.rb 
@@ -10,51 +10,97 @@ manage_members: true } end - let(:pre_condition) do - <<~PUPPET - function puppetdb_query(String[1] $data) { - return [ - { - certname => 'node.example.com', - parameters => { - etcd_name => 'node', - initial_advertise_peer_urls => ['https://node.example.com:2380'], + + context "with k8s included in server mode" do + let(:pre_condition) do + <<~PUPPET + function puppetdb_query(String[1] $data) { + return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } } - } - ] - } - - include ::k8s - class { '::k8s::server': - manage_etcd => false, - manage_certs => false, - manage_components => false, - manage_resources => false, - node_on_server => false, - } - PUPPET - end + ] + } - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + include ::k8s + class { '::k8s::server': + manage_etcd => false, + manage_certs => false, + manage_components => false, + manage_resources => false, + node_on_server => false, + } + PUPPET + end - it { is_expected.to compile } + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } - it do - %w[etcd-peer-ca etcd-client-ca].each do |ca| - is_expected.to contain_k8s__server__tls__ca(ca) + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end end - end - it do - %w[etcd-peer etcd-client].each do |cert| - is_expected.to contain_k8s__server__tls__cert(cert) + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } end + end + end + + context "with k8s included" do + let(:pre_condition) do + <<~PUPPET + function 
puppetdb_query(String[1] $data) { + return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } + } + ] + } - it { is_expected.to contain_class('k8s::server::etcd::setup') } - it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + include ::k8s + PUPPET + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end + end + + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end + end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + end end end end diff --git a/spec/classes/server/tls_spec.rb b/spec/classes/server/tls_spec.rb index 42610da..e004ce0 100644 --- a/spec/classes/server/tls_spec.rb +++ b/spec/classes/server/tls_spec.rb @@ -11,6 +11,8 @@ end let(:pre_condition) do <<~PUPPET + function assert_private() {} + include ::k8s class { '::k8s::server': manage_etcd => false, diff --git a/spec/type_aliases/node_role_spec.rb b/spec/type_aliases/node_role_spec.rb new file mode 100644 index 0000000..1fa44de --- /dev/null +++ b/spec/type_aliases/node_role_spec.rb 
@@ -0,0 +1,40 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'K8s::Node_role' do + describe 'valid node_role' do + %w[ + node + server + control-plane + etcd-replica + none + ].each do |value| + describe value.inspect do + it { is_expected.to allow_value(value) } + end + end + end + + describe 'invalid node_role' do + [ + nil, + [nil], + [nil, nil], + { 'foo' => 'bar' }, + {}, + '', + 's', + 'mailto:', + 'blah', + '199', + 600, + 1_000, + ].each do |value| + describe value.inspect do + it { is_expected.not_to allow_value(value) } + end + end + end +end diff --git a/types/node_role.pp b/types/node_role.pp new file mode 100644 index 0000000..bf656ad --- /dev/null +++ b/types/node_role.pp @@ -0,0 +1,11 @@ +# @summary a type to describe a type of Kubernetes node +# +# @note server/control-plane are identical, one using the Puppet term, the other the Kubernetes term +# @note none will install basic components, but not activate any services +type K8s::Node_role = Enum[ + 'node', + 'server', + 'control-plane', + 'etcd-replica', + 'none' +]
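Review bot: In the `manifests/init.pp` hunk, changing the default from `Enum['node','server','none'] $role = 'none'` to `Optional[K8s::Node_role] $role = undef` and trimming the class body down to the `server`/`control-plane`, `node` and `etcd-replica` branches means that both `undef` and `'none'` now do nothing at all: the `group`, `user`, `/opt/k8s`, `/etc/kubernetes` and `k8s::install::cni_plugins` handling that previously ran unconditionally is deleted from the class, yet the new `types/node_role.pp` still documents `'none'` with `@note none will install basic components, but not activate any services`. Either add a `'none'` branch (for example `contain k8s::common`, so the shared user and directories are still created), or correct the type's `@note` and the REFERENCE entry to say that `'none'`/unset installs nothing. A spec case for `role => 'none'` would pin down whichever is intended; `spec/classes/k8s_spec.rb` now iterates `%w[node server etcd-replica]` and also leaves `control-plane` untested even though `init.pp` treats it as an alias of `server`.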
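Review bot: `include k8s::common` is added in both `manifests/node.pp` and `manifests/server.pp`, but no `manifests/common.pp` appears anywhere in this patch. If the user, group and directory resources removed from `manifests/init.pp` were meant to move into that class, the file is missing from the commit and every catalog will fail with "Could not find class k8s::common"; if the class already exists in the tree, please say so in the commit message, since the removed block (including the `kube-common` sysconfig file under `$sysconfig_path`) is otherwise unaccounted for.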
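Review bot: In the `manifests/server/etcd.pp` hunk the PQL query now matches other nodes on `parameters.cluster_name = '${_cluster_name}'` and `parameters.puppetdb_discovery_tag = '${_puppetdb_discovery_tag}'`, i.e. on the raw class parameters exported to PuppetDB, while those same parameters now default to `undef` (`Optional[String[1]] $cluster_name = undef`, `Optional[String[1]] $puppetdb_discovery_tag = $cluster_name`). Undef parameters are not serialised into the catalog, so any member that relies on the defaults exports no `cluster_name`/`puppetdb_discovery_tag` at all, the locally resolved `'default'` never matches, `$cluster_nodes` comes back empty and every node bootstraps with `initial_cluster_state => 'new'` instead of joining. The previous `pick(...)` defaults avoided this because the exported value was always materialised. Either keep non-undef defaults on the parameters, or query on something that is always present in the exported resource. Separately, `$_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $k8s::puppetdb_discovery_tag, 'default')` uses the raw `$cluster_name` rather than `$_cluster_name`, so an operator who sets only `k8s::etcd_cluster_name` now gets `$k8s::puppetdb_discovery_tag` as the tag instead of the cluster name the old default produced; `pick($puppetdb_discovery_tag, $_cluster_name, ...)` preserves the earlier behaviour.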
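Review bot: `manifests/server/etcd.pp` and `manifests/server/etcd/setup.pp` now default `$version` to `$k8s::etcd_version` (and `etcd.pp` additionally reads `$k8s::etcd_cluster_name`, `$k8s::puppetdb_discovery_tag` and `$k8s::firewall_type`), while `setup.pp` at the same time adds a `defined(Class['k8s::server::etcd'])` / `lookup('k8s::server::etcd::self_signed_tls', default_value => undef)` fallback so that it can be declared without its parent class. These two choices conflict: if `k8s::server::etcd::setup` is declared without `k8s`, `$k8s::etcd_version` evaluates to `undef` and fails the `String[1]` type check before the fallback code is reached. Use the same `lookup('k8s::etcd_version', ...)` pattern for `$version` (and for the `$k8s::` reads in `etcd.pp`), or document that `k8s` must always be declared first and drop the fallback. `spec/classes/server/etcd_spec.rb` covers only the two contexts that `include ::k8s`, so a standalone declaration currently has no test either way.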
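Review bot: `@api private` is added to `k8s::node::kube_proxy`, `k8s::server::apiserver`, `k8s::server::controller_manager`, `k8s::server::scheduler`, `k8s::server::resources` and all of its sub-classes, but only `k8s::node::kubelet` and `k8s::server::tls` gain the matching `assert_private()` call. Either add `assert_private()` to the other newly private classes (stubbing it in their specs the way `spec/classes/server/tls_spec.rb` now does with `function assert_private() {}`), or leave it out of kubelet/tls as well; as written the documentation promises a boundary that only two of the classes enforce, and a future refactor of the sysconfig handling (`${k8s::sysconfig_path}/kube-*`) in the unenforced classes could be broken by external declarations without any warning.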
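Review bot: Moving `if $manage_repo { include k8s::repo }` and the `manage_packages`/conntrack handling out of `manifests/init.pp` and into `manifests/node.pp` only means a server with `node_on_server => false` no longer gets `k8s::repo` even when `$k8s::manage_repo` is true; the `manifests/server.pp` hunk adds nothing but `include k8s::common`. Any packaged component installed on the server path would then depend on a repository that nothing declares, and the new `require k8s::repo` in `manifests/install/container_runtime.pp` only helps on the node path. Suggest mirroring the guard in `server.pp` (`if $k8s::manage_repo { include k8s::repo }`), or documenting that `manage_repo` is a node-only setting.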
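Review bot: In the `manifests/install/crictl.pp` hunk, `include k8s::repo` gives `Package[$pkg]` no ordering relationship to the repository, unlike the `require k8s::repo` used in the `manifests/install/container_runtime.pp` hunk; on a first run the `cri-tools` package can be evaluated before the repo is configured and fail with "no package available". Use `require k8s::repo` here as well so the two install classes behave the same way.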