From d17cd6ad11b8fe2dc86b07c346e30a3c318f8671 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Mon, 10 Jul 2023 16:21:22 +0200 Subject: [PATCH 01/10] Initial work on hiera-ifying and Puppet 8 support The code is ugly, but should mean that etcd can still be installed both as part of the control-plane as well as on standalone nodes --- REFERENCE.md | 42 +++++------ manifests/init.pp | 4 +- manifests/server/etcd.pp | 45 ++++++++---- manifests/server/etcd/setup.pp | 69 ++++++++++++------ spec/classes/server/etcd_spec.rb | 116 +++++++++++++++++++++---------- 5 files changed, 184 insertions(+), 92 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5909ef9..34d278f 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1960,11 +1960,11 @@ Default value: `"${cert_path}/client-ca.key"` ##### `cluster_name` -Data type: `String[1]` +Data type: `Optional[String[1]]` -name of the etcd cluster for searching its nodes in the puppetdb +name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified -Default value: `pick($k8s::server::etcd_cluster_name, 'default')` +Default value: `undef` ##### `ensure` @@ -1980,7 +1980,7 @@ Data type: `Optional[K8s::Firewall]` define the type of firewall to use -Default value: `$k8s::server::firewall_type` +Default value: `undef` ##### `generate_ca` @@ -2048,11 +2048,11 @@ Default value: `"${cert_path}/peer-ca.key"` ##### `puppetdb_discovery_tag` -Data type: `String[1]` +Data type: `Optional[String[1]]` enable puppetdb resource searching -Default value: `pick($k8s::server::puppetdb_discovery_tag, $cluster_name)` +Default value: `$cluster_name` ##### `self_signed_tls` 
@@ -2072,11 +2072,11 @@ Default value: `'etcd'` ##### `version` -Data type: `String[1]` +Data type: `Optional[String[1]]` -version of ectd to install +version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `pick($k8s::etcd_version, '3.5.1')` +Default value: `undef` ### `k8s::server::etcd::setup` @@ -2146,11 +2146,11 @@ Default value: `undef` ##### `auto_tls` -Data type: `Boolean` +Data type: `Optional[Boolean]` Use auto tls -Default value: `$k8s::server::etcd::self_signed_tls` +Default value: `undef` ##### `binary_path` @@ -2186,11 +2186,11 @@ Default value: `"${etcd_name}.etcd"` ##### `ensure` -Data type: `K8s::Ensure` +Data type: `Optional[K8s::Ensure]` set ensure for installation or deinstallation -Default value: `$k8s::server::etcd::ensure` +Default value: `undef` ##### `etcd_name` @@ -2218,11 +2218,11 @@ Default value: `undef` ##### `group` -Data type: `String[1]` +Data type: `Optional[String[1]]` etcd system user group -Default value: `$k8s::server::etcd::group` +Default value: `undef` ##### `initial_advertise_peer_urls` @@ -2298,11 +2298,11 @@ Default value: `'etcd'` ##### `peer_auto_tls` -Data type: `Boolean` +Data type: `Optional[Boolean]` Use peer auto tls -Default value: `$k8s::server::etcd::self_signed_tls` +Default value: `undef` ##### `peer_cert_file` @@ -2370,19 +2370,19 @@ Default value: `undef` ##### `user` -Data type: `String[1]` +Data type: `Optional[String[1]]` etcd system user -Default value: `$k8s::server::etcd::user` +Default value: `undef` ##### `version` -Data type: `String[1]` +Data type: `Optional[String[1]]` The ectd version to install -Default value: `$k8s::server::etcd::version` +Default value: `undef` ### `k8s::server::resources` diff --git a/manifests/init.pp b/manifests/init.pp index c5965be..eb62fa3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -192,7 +192,9 @@ ensure_packages([$_conntrack,]) } - include k8s::install::cni_plugins + if $role != 'none' { + include k8s::install::cni_plugins + } if $role == 'server' { include k8s::server diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp index 8dc4375..ef4c8db 100644 --- a/manifests/server/etcd.pp +++ b/manifests/server/etcd.pp @@ -4,7 +4,7 @@ # @param cert_path path to cert files # @param client_ca_cert path to the client ca cert # @param client_ca_key path to the client ca key -# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb +# @param cluster_name name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified # @param ensure set ensure for installation or deinstallation # @param firewall_type define the type of firewall to use # @param generate_ca whether to generate a own ca or not @@ -18,17 +18,17 @@ # @param puppetdb_discovery_tag enable puppetdb resource searching # @param self_signed_tls whether to use self signed tls or not # @param user user to run etcd as -# @param version version of ectd to install +# @param version version of ectd to install, will use k8s::etcd_version unless otherwise specified # class k8s::server::etcd ( - K8s::Ensure $ensure = 'present', - String[1] $version = pick($k8s::etcd_version, '3.5.1'), + K8s::Ensure $ensure = 'present', + Optional[String[1]] $version = undef, - Boolean $manage_setup = true, - Boolean $manage_firewall = false, - Boolean $manage_members = false, - String[1] $cluster_name = pick($k8s::server::etcd_cluster_name, 'default'), - String[1] $puppetdb_discovery_tag = pick($k8s::server::puppetdb_discovery_tag, $cluster_name), + Boolean $manage_setup = true, + Boolean $manage_firewall = false, + Boolean $manage_members = false, + Optional[String[1]] $cluster_name = undef, + Optional[String[1]] $puppetdb_discovery_tag = $cluster_name, Boolean $self_signed_tls = false, Boolean $manage_certs = true, 
@@ -42,7 +42,8 @@ Stdlib::Unixpath $client_ca_key = "${cert_path}/client-ca.key", Stdlib::Unixpath $client_ca_cert = "${cert_path}/client-ca.pem", - Optional[K8s::Firewall] $firewall_type = $k8s::server::firewall_type, + Optional[K8s::Firewall] $firewall_type = undef, + String[1] $user = 'etcd', String[1] $group = 'etcd', ) { @@ -122,6 +123,17 @@ } if $ensure == 'present' and $manage_members { + if defined(Class['k8s']) { + $_k8s_cluster_name = $k8s::etcd_cluster_name + $_k8s_puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag + } else { + $_k8s_cluster_name = lookup('k8s::cluster_name', undef, undef, undef) + $_k8s_puppetdb_discovery_tag = lookup('k8s::puppetdb_discovery_tag', undef, undef, undef) + } + + $_cluster_name = pick($cluster_name, $_k8s_cluster_name, 'default') + $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $_k8s_puppetdb_discovery_tag, 'default') + # Needs the PuppetDB terminus installed $pql_query = [ 'resources[certname,parameters] {', @@ -131,8 +143,8 @@ ' resources {', ' type = \'Class\' and', ' title = \'K8s::Server::Etcd\' and', - " parameters.cluster_name = '${cluster_name}' and", - " parameters.puppetdb_discovery_tag = '${puppetdb_discovery_tag}' and", + " parameters.cluster_name = '${_cluster_name}' and", + " parameters.puppetdb_discovery_tag = '${_puppetdb_discovery_tag}' and", " certname != '${trusted[certname]}'", ' }', ' }', @@ -164,10 +176,15 @@ } if $manage_firewall { + if defined(Class['k8s']) { + $_k8s_firewall_type = $k8s::firewall_type + } else { + $_k8s_firewall_type = lookup('k8s::firewall_type', undef, undef, undef) + } if $facts['firewalld_version'] { - $_firewall_type = pick($firewall_type, 'firewalld') + $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'firewalld') } else { - $_firewall_type = pick($firewall_type, 'iptables') + $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'iptables') } case $_firewall_type { 
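Review bot: The hiera fallback in the `@@ -122,6 +123,17 @@` hunk looks up `k8s::cluster_name`, while the `defined(Class['k8s'])` branch right above it reads `$k8s::etcd_cluster_name`, so a standalone node that sets `k8s::etcd_cluster_name` in hiera still falls through to `'default'`; the REFERENCE.md change in this same patch documents the parameter as deferring to `k8s::etcd_cluster_name`. Suggested: `$_k8s_cluster_name = lookup('k8s::etcd_cluster_name', undef, undef, undef)`. The class body continues outside the hunk.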
diff --git a/manifests/server/etcd/setup.pp b/manifests/server/etcd/setup.pp index da774e3..88b840f 100644 --- a/manifests/server/etcd/setup.pp +++ b/manifests/server/etcd/setup.pp @@ -35,10 +35,10 @@ # @param version The ectd version to install # class k8s::server::etcd::setup ( - K8s::Ensure $ensure = $k8s::server::etcd::ensure, + Optional[K8s::Ensure] $ensure = undef, Enum['archive','package'] $install = 'archive', String[1] $package = 'etcd', - String[1] $version = $k8s::server::etcd::version, + Optional[String[1]] $version = undef, String[1] $etcd_name = $facts['networking']['hostname'], String[1] $fqdn = $facts['networking']['fqdn'], @@ -56,14 +56,14 @@ Optional[Stdlib::Unixpath] $peer_cert_file = undef, Optional[Stdlib::Unixpath] $peer_key_file = undef, Optional[Stdlib::Unixpath] $peer_trusted_ca_file = undef, + Optional[Boolean] $peer_auto_tls = undef, Boolean $peer_client_cert_auth = false, - Boolean $peer_auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Stdlib::Unixpath] $cert_file = undef, Optional[Stdlib::Unixpath] $key_file = undef, Optional[Stdlib::Unixpath] $trusted_ca_file = undef, + Optional[Boolean] $auto_tls = undef, Boolean $client_cert_auth = false, - Boolean $auto_tls = $k8s::server::etcd::self_signed_tls, Optional[Integer] $auto_compaction_retention = undef, Optional[Enum['existing', 'new']] $initial_cluster_state = undef, 
@@ -72,17 +72,44 @@ Optional[Stdlib::Unixpath] $binary_path = undef, Stdlib::Unixpath $storage_path = '/var/lib/etcd', - String[1] $user = $k8s::server::etcd::user, - String[1] $group = $k8s::server::etcd::group, + Optional[String[1]] $user = undef, + Optional[String[1]] $group = undef, Optional[Integer[0, 65535]] $uid = undef, Optional[Integer[0, 65535]] $gid = undef, ) { + if defined(Class['k8s']) { + $_k8s_etcd_version = $k8s::etcd_version + } else { + $_k8s_etcd_version = lookup('k8s::etcd_version') + } + if defined(Class['k8s::server::etcd']) { + $_k8s_server_etcd_ensure = $k8s::server::etcd::ensure + $_k8s_server_etcd_version = $k8s::server::etcd::version + $_k8s_server_etcd_self_signed_tls = $k8s::server::etcd::self_signed_tls + $_k8s_server_etcd_manage_certs = $k8s::server::etcd::manage_certs + $_k8s_server_etcd_user = $k8s::server::etcd::user + $_k8s_server_etcd_group = $k8s::server::etcd::group + } else { + $_k8s_server_etcd_ensure = lookup('k8s::server::etcd::ensure', undef, undef, undef) + $_k8s_server_etcd_version = lookup('k8s::server::etcd::version', undef, undef, undef) + $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', undef, undef, undef) + $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', undef, undef, undef) + $_k8s_server_etcd_user = lookup('k8s::server::etcd::user', undef, undef, undef) + $_k8s_server_etcd_group = lookup('k8s::server::etcd::group', undef, undef, undef) + } + $_ensure = pick($ensure, $_k8s_server_etcd_ensure, 'present') + $_peer_auto_tls = pick($peer_auto_tls, $_k8s_server_etcd_self_signed_tls, false) + $_auto_tls = pick($auto_tls, $_k8s_server_etcd_self_signed_tls, false) + $_version = pick($version, $_k8s_server_etcd_version, $_k8s_etcd_version) + $_user = pick($user, $_k8s_server_etcd_user, 'etcd') + $_group = pick($group, $_k8s_server_etcd_group, 'etcd') + if $install == 'archive' { $_url = k8s::format_url($archive_template, { version => $version, }) $_file = 
basename($_url) archive { "/var/tmp/${_file}": - ensure => $ensure, + ensure => $_ensure, source => $_url, extract => true, extract_command => 'tar xfz %s --strip-components=1', @@ -92,20 +119,20 @@ notify => Service['etcd'], } - if $ensure == 'absent' { + if $_ensure == 'absent' { file { ['/usr/local/bin/etcd', '/usr/local/bin/etcdctl']: ensure => 'absent', } } - group { $group: - ensure => $ensure, + group { $_group: + ensure => $_ensure, system => true, gid => $gid, } - user { $user: - ensure => $ensure, + user { $_user: + ensure => $_ensure, comment => 'etcd user', gid => $gid, home => $storage_path, @@ -119,13 +146,13 @@ } } else { package { $package: - ensure => stdlib::ensure($ensure, 'package'), + ensure => stdlib::ensure($_ensure, 'package'), } } file { default: - ensure => stdlib::ensure($ensure, 'directory'); + ensure => stdlib::ensure($_ensure, 'directory'); '/etc/etcd': ; $storage_path: @@ -134,7 +161,7 @@ } # Use generated certs by default - if !$k8s::server::etcd::self_signed_tls and $k8s::server::etcd::manage_certs { + if !$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs { $_dir = "${storage_path}/certs" $_cert_file = pick($cert_file, "${_dir}/etcd-server.pem") $_key_file = pick($key_file, "${_dir}/etcd-server.key") @@ -161,7 +188,7 @@ file { default: - ensure => stdlib::ensure($ensure, 'file'), + ensure => stdlib::ensure($_ensure, 'file'), owner => 'root', group => 'root'; @@ -178,10 +205,12 @@ key_file => $_key_file, trusted_ca_file => $_trusted_ca_file, client_cert_auth => $_client_cert_auth, + auto_tls => $_auto_tls, peer_cert_file => $_peer_cert_file, peer_key_file => $_peer_key_file, peer_trusted_ca_file => $_peer_trusted_ca_file, peer_client_cert_auth => $_peer_client_cert_auth, + peer_auto_tls => $_peer_auto_tls, auto_compaction_retention => $auto_compaction_retention, initial_cluster_state => $initial_cluster_state, initial_cluster_token => $initial_cluster_token, 
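Review bot: In the `@@ -72,17 +72,44 @@` hunk `$_version` is computed with `pick($version, $_k8s_server_etcd_version, $_k8s_etcd_version)` but never used: the unchanged `$_url = k8s::format_url($archive_template, { version => $version, })` a few lines below still interpolates the raw `$version`, which this patch turns into `Optional[String[1]] $version = undef`, so the archive URL is built with an empty version whenever a caller relies on the fallback. Change that line to `version => $_version,`. Separately, `lookup('k8s::etcd_version')` in the first `else` branch has no default and aborts catalog compilation when the key is absent from hiera, unlike the other lookups in this hunk that pass one. The class body continues past the hunk.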
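Review bot: With the `@@ -134,7 +161,7 @@` hunk, a node that declares this class without `k8s::server::etcd` and without the matching hiera keys gets `undef` from both lookups, so `!$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs` is false and no generated certificate paths are wired into etcd.conf, while `$_auto_tls` and `$_peer_auto_tls` also resolve to `false`; unless the caller passed `cert_file`/`key_file` explicitly, the resulting etcd would presumably listen without TLS. That silent downgrade deserves an explicit guard after the cert-path resolution, e.g. `if !$_auto_tls and !$_cert_file { fail('k8s::server::etcd::setup: neither certificates nor auto TLS configured') }`, or at least a fallback of `true` for `manage_certs` matching the documented class default. Whether `$_cert_file` is defined on the other branch depends on lines outside the hunk.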
@@ -202,21 +231,21 @@ $service_require = Package[$package] } else { $_binary_path = pick($binary_path, '/usr/local/bin/etcd') - $service_require = User[$user] + $service_require = User[$_user] } systemd::unit_file { 'etcd.service': - ensure => $ensure, + ensure => $_ensure, content => epp('k8s/etcd.service.epp', { binary_path => $_binary_path, workdir_path => $storage_path, - user => $user, + user => $_user, }), notify => Service['etcd'], } service { 'etcd': - ensure => stdlib::ensure($ensure, 'service'), + ensure => stdlib::ensure($_ensure, 'service'), enable => true, require => $service_require, subscribe => File['/etc/etcd/etcd.conf'], diff --git a/spec/classes/server/etcd_spec.rb b/spec/classes/server/etcd_spec.rb index 888a7c1..59f3369 100644 --- a/spec/classes/server/etcd_spec.rb +++ b/spec/classes/server/etcd_spec.rb 
@@ -10,51 +10,95 @@ manage_members: true } end - let(:pre_condition) do - <<~PUPPET - function puppetdb_query(String[1] $data) { - return [ - { - certname => 'node.example.com', - parameters => { - etcd_name => 'node', - initial_advertise_peer_urls => ['https://node.example.com:2380'], + + context "with k8s included" do + let(:pre_condition) do + <<~PUPPET + function puppetdb_query(String[1] $data) { + return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } } - } - ] - } - - include ::k8s - class { '::k8s::server': - manage_etcd => false, - manage_certs => false, - manage_components => false, - manage_resources => false, - node_on_server => false, - } - PUPPET - end + ] + } - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + include ::k8s + class { '::k8s::server': + manage_etcd => false, + manage_certs => false, + manage_components => false, + manage_resources => false, + node_on_server => false, + } + PUPPET + end - it { is_expected.to compile } + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } - it do - %w[etcd-peer-ca etcd-client-ca].each do |ca| - is_expected.to contain_k8s__server__tls__ca(ca) + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end end - end - it do - %w[etcd-peer etcd-client].each do |cert| - is_expected.to contain_k8s__server__tls__cert(cert) + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } end + end + end + + context "without k8s included" do + let(:pre_condition) do + <<~PUPPET + function puppetdb_query(String[1] $data) { 
+ return [ + { + certname => 'node.example.com', + parameters => { + etcd_name => 'node', + initial_advertise_peer_urls => ['https://node.example.com:2380'], + } + } + ] + } + PUPPET + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } - it { is_expected.to contain_class('k8s::server::etcd::setup') } - it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + it { is_expected.to compile } + + it do + %w[etcd-peer-ca etcd-client-ca].each do |ca| + is_expected.to contain_k8s__server__tls__ca(ca) + end + end + + it do + %w[etcd-peer etcd-client].each do |cert| + is_expected.to contain_k8s__server__tls__cert(cert) + end + end + + it { is_expected.to contain_class('k8s::server::etcd::setup') } + it { is_expected.to contain_k8s__server__etcd__member('node').with_peer_urls(['https://node.example.com:2380']) } + end end end end From 66bbb18764fd0cbd4a5b80f7c68e07ff94938ac4 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Fri, 14 Jul 2023 13:56:25 +0200 Subject: [PATCH 02/10] Split actionable code from parameter definitions --- REFERENCE.md | 27 ++++--- data/common.yaml | 3 +- manifests/common.pp | 71 +++++++++++++++++++ manifests/init.pp | 97 +------------------------- manifests/install/container_runtime.pp | 1 + manifests/install/crictl.pp | 3 +- manifests/node.pp | 20 ++++++ manifests/server.pp | 2 + manifests/server/etcd.pp | 61 ++++++++-------- manifests/server/etcd/setup.pp | 55 +++++---------- spec/classes/k8s_spec.rb | 2 +- spec/classes/server/etcd_spec.rb | 6 +- 12 files changed, 169 insertions(+), 179 deletions(-) create mode 100644 manifests/common.pp diff --git a/REFERENCE.md b/REFERENCE.md index 34d278f..d3ee93e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
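Review bot: The two contexts in this hunk (`with k8s included` and `without k8s included`) repeat the same `on_supported_os` loop and five examples verbatim, so every future expectation has to be added twice. Extract the loop into a `shared_examples 'an etcd cluster member'` block and `include_examples` it from both contexts, leaving only `pre_condition` per context. The `without k8s included` context also asserts nothing about the fallback this patch introduces; an expectation such as `contain_class('k8s::server::etcd::setup').with_version(<constructed fixture value>)` would pin the resolved version.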
@@ -7,6 +7,7 @@ ### Classes * [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server +* [`k8s::common`](#k8s--common): Sets up common Kubernetes components - users/groups/folders/etc * [`k8s::install::cni_plugins`](#k8s--install--cni_plugins): Manages the installation of CNI plugins * [`k8s::install::container_runtime`](#k8s--install--container_runtime): Manages the installation of a container runtime / CRI * [`k8s::install::crictl`](#k8s--install--crictl): installs the crictl debugging tool @@ -429,7 +430,7 @@ Default value: `true` ##### `role` -Data type: `Enum['node','server','none']` +Data type: `Enum['node','server','etcd-replica','none']` role of the node @@ -491,6 +492,10 @@ version of kubernetes to install Default value: `'1.28.14'` +### `k8s::common` + +Sets up common Kubernetes components - users/groups/folders/etc + ### `k8s::install::cni_plugins` Manages the installation of CNI plugins @@ -2072,11 +2077,11 @@ Default value: `'etcd'` ##### `version` -Data type: `Optional[String[1]]` +Data type: `String[1]` version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `undef` +Default value: `$k8s::etcd_version` ### `k8s::server::etcd::setup` @@ -2186,11 +2191,11 @@ Default value: `"${etcd_name}.etcd"` ##### `ensure` -Data type: `Optional[K8s::Ensure]` +Data type: `K8s::Ensure` set ensure for installation or deinstallation -Default value: `undef` +Default value: `'present'` ##### `etcd_name` @@ -2218,11 +2223,11 @@ Default value: `undef` ##### `group` -Data type: `Optional[String[1]]` +Data type: `String[1]` etcd system user group -Default value: `undef` +Default value: `'etcd'` ##### `initial_advertise_peer_urls` 
@@ -2370,19 +2375,19 @@ Default value: `undef` ##### `user` -Data type: `Optional[String[1]]` +Data type: `String[1]` etcd system user -Default value: `undef` +Default value: `'etcd'` ##### `version` -Data type: `Optional[String[1]]` +Data type: `String[1]` The ectd version to install -Default value: `undef` +Default value: `$k8s::etcd_version` ### `k8s::server::resources` diff --git a/data/common.yaml b/data/common.yaml index 2fbf0ff..ac7cd48 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1 +1,2 @@ ---- {} +--- +k8s::sysconfig_path: '/etc/sysconfig' diff --git a/manifests/common.pp b/manifests/common.pp new file mode 100644 index 0000000..39ef5b3 --- /dev/null +++ b/manifests/common.pp 
@@ -0,0 +1,71 @@ +# @summary Sets up common Kubernetes components - users/groups/folders/etc +class k8s::common { + group { $k8s::group: + ensure => present, + system => true, + gid => $k8s::gid, + } + + user { $k8s::user: + ensure => present, + comment => 'Kubernetes user', + gid => $k8s::group, + home => '/srv/kubernetes', + managehome => false, + shell => (fact('os.family') ? { + 'Debian' => '/usr/sbin/nologin', + default => '/sbin/nologin', + }), + system => true, + uid => $k8s::uid, + } + + file { + default: + ensure => directory, + force => true, + purge => true, + recurse => true; + + '/opt/k8s': ; + '/opt/k8s/bin': ; + } + + file { '/var/run/kubernetes': + ensure => directory, + owner => $k8s::user, + group => $k8s::group, + } + + file { "${k8s::sysconfig_path}/kube-common": + ensure => file, + content => epp('k8s/sysconfig.epp', { + comment => 'General Kubernetes Configuration', + environment_variables => { + 'KUBE_LOG_LEVEL' => '', + }, + }), + } + + file { + default: + ensure => directory; + + '/etc/kubernetes': ; + '/etc/kubernetes/certs': ; + '/etc/kubernetes/manifests': + purge => $k8s::purge_manifests, + recurse => true; + '/root/.kube': ; + '/srv/kubernetes': + owner => $k8s::user, + group => $k8s::group; + '/usr/libexec/kubernetes': ; + '/var/lib/kubelet': ; + '/var/lib/kubelet/pki': ; + + '/usr/share/containers/': ; + '/usr/share/containers/oci/': ; + '/usr/share/containers/oci/hooks.d': ; + } +} diff --git a/manifests/init.pp b/manifests/init.pp index eb62fa3..f11de32 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,7 +95,7 @@ Stdlib::Fqdn $cluster_domain = 'cluster.local', String[1] $etcd_cluster_name = 'default', - Enum['node','server','none'] $role = 'none', + Enum['node','server','etcd-replica','none'] $role = 'none', Optional[K8s::Firewall] $firewall_type = undef, String[1] $user = 'kube', 
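Review bot: `k8s::common` reads `$k8s::group`, `$k8s::user`, `$k8s::gid`, `$k8s::uid`, `$k8s::sysconfig_path` and `$k8s::purge_manifests` but never declares class `k8s`, so an `include k8s::common` that is not preceded by `k8s` produces undef resource titles (`group { undef: }`) rather than a clear error; since the class is only reached through `k8s::node`/`k8s::server`, a first line `include k8s` or a YARD note stating that it must only be declared by those classes would make the dependency explicit. Also, `'/etc/kubernetes/certs'` is created with default ownership and mode; if it holds private keys (the name suggests so, to be confirmed against the tls classes), an explicit restrictive `mode` and `owner => 'root'` on that entry would keep key material from being world-readable.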
@@ -103,102 +103,11 @@ Integer[0, 65535] $uid = 888, Integer[0, 65535] $gid = 888, ) { - if $manage_container_manager { - include k8s::install::container_runtime - } - - group { $group: - ensure => present, - system => true, - gid => $gid, - } - - user { $user: - ensure => present, - comment => 'Kubernetes user', - gid => $group, - home => '/srv/kubernetes', - managehome => false, - shell => (fact('os.family') ? { - 'Debian' => '/usr/sbin/nologin', - default => '/sbin/nologin', - }), - system => true, - uid => $uid, - } - - file { - default: - ensure => directory, - force => true, - purge => true, - recurse => true; - - '/opt/k8s': ; - '/opt/k8s/bin': ; - } - - file { '/var/run/kubernetes': - ensure => directory, - owner => $user, - group => $group, - } - - $_sysconfig_path = pick($sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-common": - ensure => file, - content => epp('k8s/sysconfig.epp', { - comment => 'General Kubernetes Configuration', - environment_variables => { - 'KUBE_LOG_LEVEL' => '', - }, - }), - } - - file { - default: - ensure => directory; - - '/etc/kubernetes': ; - '/etc/kubernetes/certs': ; - '/etc/kubernetes/manifests': - purge => $purge_manifests, - recurse => true; - '/root/.kube': ; - '/srv/kubernetes': - owner => $user, - group => $group; - '/usr/libexec/kubernetes': ; - '/var/lib/kubelet': ; - '/var/lib/kubelet/pki': ; - - '/usr/share/containers/': ; - '/usr/share/containers/oci/': ; - '/usr/share/containers/oci/hooks.d': ; - } - - if $manage_repo { - include k8s::repo - } - - if $manage_packages { - # Ensure conntrack is installed to properly handle networking cleanup - if fact('os.family') == 'Debian' { - $_conntrack = 'conntrack' - } else { - $_conntrack = 'conntrack-tools' - } - - ensure_packages([$_conntrack,]) - } - - if $role != 'none' { - include k8s::install::cni_plugins - } - if $role == 'server' { include k8s::server } elsif $role == 'node' { include k8s::node + } elsif $role == 'etcd-replica' { + include 
k8s::server::etcd } } diff --git a/manifests/install/container_runtime.pp b/manifests/install/container_runtime.pp index ff28af1..bffedc5 100644 --- a/manifests/install/container_runtime.pp +++ b/manifests/install/container_runtime.pp @@ -87,6 +87,7 @@ } if $manage_repo { + include k8s::repo Class['k8s::repo'] -> Package['k8s container manager'] } } diff --git a/manifests/install/crictl.pp b/manifests/install/crictl.pp index 9abd559..9fd4f93 100644 --- a/manifests/install/crictl.pp +++ b/manifests/install/crictl.pp @@ -21,8 +21,9 @@ Stdlib::HTTPUrl $download_url_template = 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz', ) { if $manage_repo { - $pkg = pick($crictl_package, 'cri-tools') + include k8s::repo + $pkg = pick($crictl_package, 'cri-tools') package { $pkg: ensure => stdlib::ensure($ensure, 'package'), } diff --git a/manifests/node.pp b/manifests/node.pp index 001988e..e197cff 100644 --- a/manifests/node.pp +++ b/manifests/node.pp @@ -54,6 +54,26 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, ) { + include k8s::common + include k8s::install::cni_plugins + + if $k8s::manage_container_manager { + include k8s::install::container_runtime + } + if $k8s::manage_repo { + include k8s::repo + } + if $k8s::manage_packages { + # Ensure conntrack is installed to properly handle networking cleanup + if fact('os.family') == 'Debian' { + $_conntrack = 'conntrack' + } else { + $_conntrack = 'conntrack-tools' + } + + ensure_packages([$_conntrack,]) + } + if $manage_crictl { include k8s::install::crictl } diff --git a/manifests/server.pp b/manifests/server.pp index 0d504a7..b9758b5 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -59,6 +59,8 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, String[1] $etcd_cluster_name = $k8s::etcd_cluster_name, ) { + include k8s::common + if $manage_etcd { class { 'k8s::server::etcd': ensure => $ensure, 
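Review bot: The repo, container-runtime and conntrack handling that the `manifests/init.pp` hunk removes (`manage_repo`, `manage_container_manager`, `manage_packages`) is re-added only in `manifests/node.pp`; `manifests/server.pp` gains just `include k8s::common`, so a server declared with `node_on_server => false` (as the etcd spec's pre_condition does) presumably no longer gets `k8s::repo` or the conntrack package at all. If that is intentional it deserves a sentence in the commit message; otherwise the same block belongs in `k8s::server` too, or in `k8s::common`, which both roles now include. The `k8s::server` body continues outside the hunk.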
diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp index ef4c8db..08f2a74 100644 --- a/manifests/server/etcd.pp +++ b/manifests/server/etcd.pp @@ -21,8 +21,8 @@ # @param version version of ectd to install, will use k8s::etcd_version unless otherwise specified # class k8s::server::etcd ( - K8s::Ensure $ensure = 'present', - Optional[String[1]] $version = undef, + K8s::Ensure $ensure = 'present', + String[1] $version = $k8s::etcd_version, Boolean $manage_setup = true, Boolean $manage_firewall = false, @@ -118,21 +118,9 @@ } } - if $manage_setup and !$manage_members { - include k8s::server::etcd::setup - } - if $ensure == 'present' and $manage_members { - if defined(Class['k8s']) { - $_k8s_cluster_name = $k8s::etcd_cluster_name - $_k8s_puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag - } else { - $_k8s_cluster_name = lookup('k8s::cluster_name', undef, undef, undef) - $_k8s_puppetdb_discovery_tag = lookup('k8s::puppetdb_discovery_tag', undef, undef, undef) - } - - $_cluster_name = pick($cluster_name, $_k8s_cluster_name, 'default') - $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $_k8s_puppetdb_discovery_tag, 'default') + $_cluster_name = pick($cluster_name, $k8s::etcd_cluster_name, 'default') + $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $k8s::puppetdb_discovery_tag, 'default') # Needs the PuppetDB terminus installed $pql_query = [ 
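Review bot: The new default `String[1] $version = $k8s::etcd_version` in the `@@ -21,8 +21,8 @@` hunk, like `$k8s::etcd_cluster_name`/`$k8s::puppetdb_discovery_tag` in the `@@ -118,21 +118,9 @@` hunk and `$k8s::firewall_type` in `@@ -173,22 +159,31 @@`, only resolves if class `k8s` has already been evaluated; the class does not `include k8s`, so a direct `include k8s::server::etcd` (the standalone case patch 01 set out to support) fails the `String[1]` check with an unhelpful message. Either add `include k8s` as the first statement of the body or extend the `@param version` comment to say that `k8s` must be declared first. The spec change in this patch adds `include ::k8s` to the former 'without k8s' context, which hides the ordering dependency rather than testing it.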
@@ -152,16 +140,14 @@ ].join(' ') $cluster_nodes = puppetdb_query($pql_query) - if $manage_setup { - class { 'k8s::server::etcd::setup': - initial_cluster => $cluster_nodes.map |$node| { - "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" - }, - initial_cluster_state => ($cluster_nodes.size() ? { - 0 => 'new', - default => 'existing', - }), - } + $_setup_splat = { + initial_cluster => $cluster_nodes.map |$node| { + "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" + }, + initial_cluster_state => ($cluster_nodes.size() ? { + 0 => 'new', + default => 'existing', + }), } $cluster_nodes.each |$node| { @@ -173,22 +159,31 @@ cluster_key => "${cert_path}/etcd-client.key", } } + } else { + $_setup_splat = {} } - if $manage_firewall { - if defined(Class['k8s']) { - $_k8s_firewall_type = $k8s::firewall_type - } else { - $_k8s_firewall_type = lookup('k8s::firewall_type', undef, undef, undef) + if $manage_setup { + class { 'k8s::server::etcd::setup': + ensure => $ensure, + version => $version, + user => $user, + group => $group, + * => $_setup_splat, } + } + + if $manage_firewall { if $facts['firewalld_version'] { - $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'firewalld') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'firewalld') } else { - $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'iptables') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'iptables') } case $_firewall_type { 'firewalld' : { + include firewalld + firewalld_service { default: ensure => $ensure, diff --git a/manifests/server/etcd/setup.pp b/manifests/server/etcd/setup.pp index 88b840f..5e03b68 100644 --- a/manifests/server/etcd/setup.pp +++ b/manifests/server/etcd/setup.pp 
@@ -35,10 +35,10 @@ # @param version The ectd version to install # class k8s::server::etcd::setup ( - Optional[K8s::Ensure] $ensure = undef, + K8s::Ensure $ensure = 'present', Enum['archive','package'] $install = 'archive', String[1] $package = 'etcd', - Optional[String[1]] $version = undef, + String[1] $version = $k8s::etcd_version, String[1] $etcd_name = $facts['networking']['hostname'], String[1] $fqdn = $facts['networking']['fqdn'], 
@@ -72,44 +72,27 @@ Optional[Stdlib::Unixpath] $binary_path = undef, Stdlib::Unixpath $storage_path = '/var/lib/etcd', - Optional[String[1]] $user = undef, - Optional[String[1]] $group = undef, + String[1] $user = 'etcd', + String[1] $group = 'etcd', Optional[Integer[0, 65535]] $uid = undef, Optional[Integer[0, 65535]] $gid = undef, ) { - if defined(Class['k8s']) { - $_k8s_etcd_version = $k8s::etcd_version - } else { - $_k8s_etcd_version = lookup('k8s::etcd_version') - } if defined(Class['k8s::server::etcd']) { - $_k8s_server_etcd_ensure = $k8s::server::etcd::ensure - $_k8s_server_etcd_version = $k8s::server::etcd::version $_k8s_server_etcd_self_signed_tls = $k8s::server::etcd::self_signed_tls $_k8s_server_etcd_manage_certs = $k8s::server::etcd::manage_certs - $_k8s_server_etcd_user = $k8s::server::etcd::user - $_k8s_server_etcd_group = $k8s::server::etcd::group } else { - $_k8s_server_etcd_ensure = lookup('k8s::server::etcd::ensure', undef, undef, undef) - $_k8s_server_etcd_version = lookup('k8s::server::etcd::version', undef, undef, undef) - $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', undef, undef, undef) - $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', undef, undef, undef) - $_k8s_server_etcd_user = lookup('k8s::server::etcd::user', undef, undef, undef) - $_k8s_server_etcd_group = lookup('k8s::server::etcd::group', undef, undef, undef) + $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', default_value => undef) + $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', default_value => undef) } - $_ensure = pick($ensure, $_k8s_server_etcd_ensure, 'present') $_peer_auto_tls = pick($peer_auto_tls, $_k8s_server_etcd_self_signed_tls, false) $_auto_tls = pick($auto_tls, $_k8s_server_etcd_self_signed_tls, false) - $_version = pick($version, $_k8s_server_etcd_version, $_k8s_etcd_version) - $_user = pick($user, $_k8s_server_etcd_user, 'etcd') - $_group = 
pick($group, $_k8s_server_etcd_group, 'etcd') if $install == 'archive' { $_url = k8s::format_url($archive_template, { version => $version, }) $_file = basename($_url) archive { "/var/tmp/${_file}": - ensure => $_ensure, + ensure => $ensure, source => $_url, extract => true, extract_command => 'tar xfz %s --strip-components=1', @@ -119,20 +102,20 @@ notify => Service['etcd'], } - if $_ensure == 'absent' { + if $ensure == 'absent' { file { ['/usr/local/bin/etcd', '/usr/local/bin/etcdctl']: ensure => 'absent', } } - group { $_group: - ensure => $_ensure, + group { $group: + ensure => $ensure, system => true, gid => $gid, } - user { $_user: - ensure => $_ensure, + user { $user: + ensure => $ensure, comment => 'etcd user', gid => $gid, home => $storage_path, @@ -146,13 +129,13 @@ } } else { package { $package: - ensure => stdlib::ensure($_ensure, 'package'), + ensure => stdlib::ensure($ensure, 'package'), } } file { default: - ensure => stdlib::ensure($_ensure, 'directory'); + ensure => stdlib::ensure($ensure, 'directory'); '/etc/etcd': ; $storage_path: @@ -188,7 +171,7 @@ file { default: - ensure => stdlib::ensure($_ensure, 'file'), + ensure => stdlib::ensure($ensure, 'file'), owner => 'root', group => 'root'; @@ -231,21 +214,21 @@ $service_require = Package[$package] } else { $_binary_path = pick($binary_path, '/usr/local/bin/etcd') - $service_require = User[$_user] + $service_require = User[$user] } systemd::unit_file { 'etcd.service': - ensure => $_ensure, + ensure => $ensure, content => epp('k8s/etcd.service.epp', { binary_path => $_binary_path, workdir_path => $storage_path, - user => $_user, + user => $user, }), notify => Service['etcd'], } service { 'etcd': - ensure => stdlib::ensure($_ensure, 'service'), + ensure => stdlib::ensure($ensure, 'service'), enable => true, require => $service_require, subscribe => File['/etc/etcd/etcd.conf'], diff --git a/spec/classes/k8s_spec.rb b/spec/classes/k8s_spec.rb index 1473ccb..bd1bf48 100644 --- a/spec/classes/k8s_spec.rb 
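Review bot: This hunk still derives `self_signed_tls` and `manage_certs` through `defined(Class['k8s::server::etcd'])` plus a hiera lookup defaulting to undef, while `ensure`, `version`, `user` and `group` are now passed explicitly from `k8s::server::etcd` via `$_setup_splat`. Making the remaining two ordinary parameters (`Boolean $self_signed_tls = false`, `Boolean $manage_certs = true`) and passing them alongside the other four removes the declaration-order dependency and gives a directly declared `k8s::server::etcd::setup` the documented cert-managed default instead of undef, where the later `if !$_k8s_server_etcd_self_signed_tls and $_k8s_server_etcd_manage_certs` guard (below this hunk) otherwise skips wiring any certificate files. If the fallback is kept, the `default_value => undef` form is an improvement over the positional lookups of patch 01 and should be used consistently.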
+++ b/spec/classes/k8s_spec.rb @@ -10,7 +10,7 @@ it { is_expected.to compile } - %w[node server].each do |role| + %w[node server etcd-replica].each do |role| context "with role #{role}" do let(:params) do { diff --git a/spec/classes/server/etcd_spec.rb b/spec/classes/server/etcd_spec.rb index 59f3369..780916f 100644 --- a/spec/classes/server/etcd_spec.rb +++ b/spec/classes/server/etcd_spec.rb @@ -11,7 +11,7 @@ } end - context "with k8s included" do + context "with k8s included in server mode" do let(:pre_condition) do <<~PUPPET function puppetdb_query(String[1] $data) { @@ -61,7 +61,7 @@ class { '::k8s::server': end end - context "without k8s included" do + context "with k8s included" do let(:pre_condition) do <<~PUPPET function puppetdb_query(String[1] $data) { @@ -75,6 +75,8 @@ class { '::k8s::server': } ] } + + include ::k8s PUPPET end From 5a5a083196e30046cd4b447ad5165b52b4af08d8 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Tue, 24 Sep 2024 12:35:39 +0200 Subject: [PATCH 03/10] Separate role definition into a type alias For ease of understanding, it also accepts control-plane to describe a K8s server - since that's the name that's used internally in Kubernetes to describe the function of such a node. --- REFERENCE.md | 15 ++++++++--- manifests/init.pp | 6 ++--- spec/type_aliases/node_role_spec.rb | 40 +++++++++++++++++++++++++++++ types/node_role.pp | 11 ++++++++ 4 files changed, 66 insertions(+), 6 deletions(-) create mode 100644 spec/type_aliases/node_role_spec.rb create mode 100644 types/node_role.pp diff --git a/REFERENCE.md b/REFERENCE.md index d3ee93e..e359390 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -67,6 +67,7 @@ Uses the cni-plugins bridge binary to create a bridge interface to connect the c * [`K8s::IP_addresses`](#K8s--IP_addresses): a type to describe multiple IP addresses without subnet sizes * [`K8s::Native_packaging`](#K8s--Native_packaging): a type to describe Kubernetes native packaging methods * [`K8s::Node_auth`](#K8s--Node_auth): a type to describe node/kubelet authentication methods +* [`K8s::Node_role`](#K8s--Node_role): a type to describe a type of Kubernetes node * [`K8s::PortRange`](#K8s--PortRange): This regexp matches port range values * [`K8s::Proxy_auth`](#K8s--Proxy_auth): a type to describe kube-proxy authentication methods * [`K8s::Proxy_method`](#K8s--Proxy_method): a type to describe how kube-proxy should be deployed @@ -430,11 +431,11 @@ Default value: `true` ##### `role` -Data type: `Enum['node','server','etcd-replica','none']` +Data type: `Optional[K8s::Node_role]` -role of the node +the role of the node -Default value: `'none'` +Default value: `undef` ##### `runc_version` @@ -4183,6 +4184,14 @@ a type to describe node/kubelet authentication methods Alias of `Enum['cert', 'token', 'bootstrap']` +### `K8s::Node_role` + +a type to describe a type of Kubernetes node + +* **Note** server/control-plane are identical, one using the Puppet term, the other the Kubernetes term + +Alias of `Enum['node', 'server', 'control-plane', 'etcd-replica', 'none']` + ### `K8s::PortRange` This regexp matches port range values diff --git a/manifests/init.pp b/manifests/init.pp index f11de32..b7d0fe6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -37,7 +37,7 @@
# @param puppetdb_discovery whether to use puppetdb for node discovery
# @param puppetdb_discovery_tag tag to use for puppetdb node discovery
# @param purge_manifests whether to purge manifests
-# @param role role of the node
+# @param role the role of the node
# @param runc_version version of runc to install
# @param service_cluster_cidr CIDR for the service network
# @param sysconfig_path path to the sysconfig directory
@@ -95,7 +95,7 @@
Stdlib::Fqdn $cluster_domain = 'cluster.local',
String[1] $etcd_cluster_name = 'default',
- Enum['node','server','etcd-replica','none'] $role = 'none',
+ Optional[K8s::Node_role] $role = undef,
Optional[K8s::Firewall] $firewall_type = undef,
String[1] $user = 'kube',
@@ -103,7 +103,7 @@
Integer[0, 65535] $uid = 888,
Integer[0, 65535] $gid = 888,
) {
- if $role == 'server' {
+ if $role == 'server' or $role == 'control-plane' {
include k8s::server
} elsif $role == 'node' {
include k8s::node
diff --git a/spec/type_aliases/node_role_spec.rb b/spec/type_aliases/node_role_spec.rb
new file mode 100644
index 0000000..1fa44de
--- /dev/null
+++ b/spec/type_aliases/node_role_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'K8s::Node_role' do
+ describe 'valid node_role' do
+ %w[
+ node
+ server
+ control-plane
+ etcd-replica
+ none
+ ].each do |value|
+ describe value.inspect do
+ it { is_expected.to allow_value(value) }
+ end
+ end
+ end
+
+ describe 'invalid node_role' do
+ [
+ nil,
+ [nil],
+ [nil, nil],
+ { 'foo' => 'bar' },
+ {},
+ '',
+ 's',
+ 'mailto:',
+ 'blah',
+ '199',
+ 600,
+ 1_000,
+ ].each do |value|
+ describe value.inspect do
+ it { is_expected.not_to allow_value(value) }
+ end
+ end
+ end
+end
diff --git a/types/node_role.pp b/types/node_role.pp
new file mode 100644
index 0000000..bf656ad
--- /dev/null
+++ b/types/node_role.pp
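Review bot: `if $role == 'server' or $role == 'control-plane' {` in the `@@ -103,7 +103,7 @@` hunk reads better as `if $role in ['server', 'control-plane'] {`, which keeps the two aliases of the same role in one list and matches the note in types/node_role.pp that they are identical. The `@@ -95,7 +95,7 @@` hunk also changes the default from `'none'` to `undef`; the remainder of the branch chain is outside the hunk, so I can't see whether an undef role ends in the same branch `'none'` did, which is worth confirming with the role-less `is_expected.to compile` case. The class body starts and ends outside these hunks.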
@@ -0,0 +1,11 @@
+# @summary a type to describe a type of Kubernetes node
+#
+# @note server/control-plane are identical, one using the Puppet term, the other the Kubernetes term
+# @note none will install basic components, but not activate any services
+type K8s::Node_role = Enum[
+'node',
+'server',
+'control-plane',
+'etcd-replica',
+'none'
+]
From 3a054e6ffb97243b08bd22c5dd2f5d36d69517bf Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Wed, 25 Sep 2024 10:50:15 +0200 Subject: [PATCH 04/10] Unify handling of sysconfig path --- data/common.yaml | 3 +-- manifests/init.pp | 4 ++-- manifests/node/kube_proxy.pp | 5 ++--- manifests/node/kubelet.pp | 5 ++--- manifests/server/apiserver.pp | 5 ++--- manifests/server/controller_manager.pp | 5 ++--- manifests/server/scheduler.pp | 5 ++--- 7 files changed, 13 insertions(+), 19 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index ac7cd48..2fbf0ff 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,2 +1 @@
----
-k8s::sysconfig_path: '/etc/sysconfig'
+--- {}
diff --git a/manifests/init.pp b/manifests/init.pp
index b7d0fe6..15f5e97 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,7 +40,7 @@
# @param role the role of the node
# @param runc_version version of runc to install
# @param service_cluster_cidr CIDR for the service network
-# @param sysconfig_path path to the sysconfig directory
+# @param sysconfig_path path to the sysconfig directory, per-OS values are configured in hiera
# @param tarball_url_template template for tarball packaging
# @param uid user id for kubernetes files and services
# @param user username for kubernetes files and services
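Review bot: The new wording `per-OS values are configured in hiera` in the `@@ -40,7 +40,7 @@` hunk is not backed by anything in this commit: data/common.yaml is reduced to `--- {}` and the diffstat lists no OS-specific data file, so the only visible source of the value is the new `'/etc/sysconfig'` parameter default in the `@@ -82` hunk. Unless such files already exist under data/, I'd make the comment describe the mechanism rather than assert the data, e.g. `# @param sysconfig_path path to the sysconfig directory, override per OS via hiera`. The surrounding @param block starts outside the hunk.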
@@ -82,7 +82,7 @@
String[1] $tarball_url_template = 'https://dl.k8s.io/release/v%{version}/kubernetes-%{component}-%{kernel}-%{arch}.tar.gz',
String[1] $package_template = 'kubernetes-%{component}',
String[1] $hyperkube_name = 'hyperkube',
- Optional[Stdlib::Unixpath] $sysconfig_path = undef,
+ Stdlib::Unixpath $sysconfig_path = '/etc/sysconfig',
K8s::Node_auth $node_auth = 'bootstrap',
diff --git a/manifests/node/kube_proxy.pp b/manifests/node/kube_proxy.pp
index 0cc79b4..255ef45 100644
--- a/manifests/node/kube_proxy.pp
+++ b/manifests/node/kube_proxy.pp
@@ -100,8 +100,7 @@
if $k8s::packaging == 'container' {
} else {
- $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
- file { "${_sysconfig_path}/kube-proxy":
+ file { "${k8s::sysconfig_path}/kube-proxy":
ensure => $_ensure,
content => epp('k8s/sysconfig.epp', {
comment => 'Kubernetes kube-proxy configuration',
@@ -122,7 +121,7 @@
bin => 'kube-proxy',
}),
require => [
- File["${_sysconfig_path}/kube-proxy"],
+ File["${k8s::sysconfig_path}/kube-proxy"],
User[$k8s::user],
],
notify => Service['kube-proxy'],
diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp
index 04dc3fa..bfb94d5 100644
--- a/manifests/node/kubelet.pp
+++ b/manifests/node/kubelet.pp
@@ -231,8 +231,7 @@
node_ip => $_node_ip,
} + $arguments)
- $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
- file { "${_sysconfig_path}/kubelet":
+ file { "${k8s::sysconfig_path}/kubelet":
content => epp('k8s/sysconfig.epp', {
comment => 'Kubernetes Kubelet configuration',
environment_variables => {
@@ -252,7 +251,7 @@
bin => 'kubelet',
}),
require => [
- File["${_sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'],
+ File["${k8s::sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'],
User[$k8s::user],
],
notify => Service['kubelet'],
diff --git a/manifests/server/apiserver.pp b/manifests/server/apiserver.pp
index 920dd87..e3fc51e 100644
--- a/manifests/server/apiserver.pp
+++ b/manifests/server/apiserver.pp
@@ -263,8 +263,7 @@
}
# TODO: Create a dummy kube-apiserver service that just requires kubelet
} else {
- $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
- file { "${_sysconfig_path}/kube-apiserver":
+ file { "${k8s::sysconfig_path}/kube-apiserver":
content => epp('k8s/sysconfig.epp', {
comment => 'Kubernetes API Server configuration',
environment_variables => {
@@ -287,7 +286,7 @@
group => $k8s::group,
}),
require => [
- File["${_sysconfig_path}/kube-apiserver"],
+ File["${k8s::sysconfig_path}/kube-apiserver"],
User[$k8s::user],
],
notify => Service['kube-apiserver'],
diff --git a/manifests/server/controller_manager.pp b/manifests/server/controller_manager.pp
index 08860a4..7e17b74 100644
--- a/manifests/server/controller_manager.pp
+++ b/manifests/server/controller_manager.pp
@@ -90,8 +90,7 @@
client_key => $key,
}
- $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
- file { "${_sysconfig_path}/kube-controller-manager":
+ file { "${k8s::sysconfig_path}/kube-controller-manager":
content => epp('k8s/sysconfig.epp', {
comment => 'Kubernetes Controller Manager configuration',
environment_variables => {
@@ -115,7 +114,7 @@
group => $k8s::group,
}),
require => [
- File["${_sysconfig_path}/kube-controller-manager"],
+ File["${k8s::sysconfig_path}/kube-controller-manager"],
User[$k8s::user],
],
notify => Service['kube-controller-manager'],
diff --git a/manifests/server/scheduler.pp b/manifests/server/scheduler.pp
index ab96dff..00dd282 100644
--- a/manifests/server/scheduler.pp
+++ b/manifests/server/scheduler.pp
@@ -68,8 +68,7 @@
client_cert => $cert,
client_key => $key,
}
- $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
- file { "${_sysconfig_path}/kube-scheduler":
+ file { "${k8s::sysconfig_path}/kube-scheduler":
content => epp('k8s/sysconfig.epp', {
comment => 'Kubernetes Scheduler configuration',
environment_variables => {
@@ -93,7 +92,7 @@ group => $k8s::group, }), require => [ - File["${_sysconfig_path}/kube-scheduler"], + File["${k8s::sysconfig_path}/kube-scheduler"], User[$k8s::user], ], notify => Service['kube-scheduler'], From dfa82f4045326a0dabc3485e7e6c881e67f4b865 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Wed, 25 Sep 2024 10:52:31 +0200 Subject: [PATCH 05/10] Add REFERENCE.md changes --- REFERENCE.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index e359390..319ab9d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -455,11 +455,11 @@ Default value: `'10.1.0.0/24'` ##### `sysconfig_path` -Data type: `Optional[Stdlib::Unixpath]` +Data type: `Stdlib::Unixpath` -path to the sysconfig directory +path to the sysconfig directory, per-OS values are configured in hiera -Default value: `undef` +Default value: `'/etc/sysconfig'` ##### `tarball_url_template` From 26e878f488c4c083cc52aca0d357e4e9a0ffb97f Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Fri, 27 Sep 2024 07:54:37 +0200 Subject: [PATCH 06/10] Fixup private api markings across the line --- REFERENCE.md | 2087 +++------------------- manifests/common.pp | 3 + manifests/node/kube_proxy.pp | 1 + manifests/node/kubelet.pp | 3 + manifests/server/apiserver.pp | 1 + manifests/server/controller_manager.pp | 1 + manifests/server/resources.pp | 1 + manifests/server/resources/bootstrap.pp | 1 + manifests/server/resources/coredns.pp | 1 + manifests/server/resources/flannel.pp | 1 + manifests/server/resources/kube_proxy.pp | 1 + manifests/server/scheduler.pp | 1 + manifests/server/tls.pp | 2 + 13 files changed, 291 insertions(+), 1813 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 319ab9d..b829d80 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -6,35 +6,40 @@ ### Classes +#### Public Classes + * [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server -* [`k8s::common`](#k8s--common): Sets up common Kubernetes components - users/groups/folders/etc * [`k8s::install::cni_plugins`](#k8s--install--cni_plugins): Manages the installation of CNI plugins * [`k8s::install::container_runtime`](#k8s--install--container_runtime): Manages the installation of a container runtime / CRI * [`k8s::install::crictl`](#k8s--install--crictl): installs the crictl debugging tool * [`k8s::install::kubeadm`](#k8s--install--kubeadm): Installs the kubeadm binary * [`k8s::install::kubectl`](#k8s--install--kubectl): Installs the kubectl binary * [`k8s::node`](#k8s--node): Installs a Kubernetes node -* [`k8s::node::kube_proxy`](#k8s--node--kube_proxy): Sets up a on-node kube-proxy instance * [`k8s::node::kubectl`](#k8s--node--kubectl): Installs the kubectl binary -* [`k8s::node::kubelet`](#k8s--node--kubelet): Installs and configures kubelet * [`k8s::node::simple_cni`](#k8s--node--simple_cni): Provide a simple bridged standard network interface. For basic usage if one does not have flannel, cilium, calico or something else yet. 
Uses the cni-plugins bridge binary to create a bridge interface to connect the containers * [`k8s::repo`](#k8s--repo): Handles repositories for the container runtime * [`k8s::server`](#k8s--server): Sets up a Kubernetes server instance -* [`k8s::server::apiserver`](#k8s--server--apiserver): Installs and configures a Kubernetes apiserver -* [`k8s::server::controller_manager`](#k8s--server--controller_manager): Installs and configures a Kubernetes controller manager * [`k8s::server::etcd`](#k8s--server--etcd): Sets up an etcd cluster node * [`k8s::server::etcd::setup`](#k8s--server--etcd--setup): Installs and configures an etcd instance -* [`k8s::server::resources`](#k8s--server--resources): Generates and deploys standard Kubernetes in-cluster services -* [`k8s::server::resources::bootstrap`](#k8s--server--resources--bootstrap): Generates and deploys the default Puppet boostrap configuration into the cluster -* [`k8s::server::resources::coredns`](#k8s--server--resources--coredns): Generates and deploys the default CoreDNS DNS provider for Kubernetes -* [`k8s::server::resources::flannel`](#k8s--server--resources--flannel): Generates and deploys the default CoreDNS DNS provider for Kubernetes -* [`k8s::server::resources::kube_proxy`](#k8s--server--resources--kube_proxy): Generates and deploys the default kube-proxy service for Kubernetes -* [`k8s::server::scheduler`](#k8s--server--scheduler): Installs and configures a Kubernetes scheduler -* [`k8s::server::tls`](#k8s--server--tls): Generates the necessary Kubernetes certificates for a server * [`k8s::server::wait_online`](#k8s--server--wait_online): Creates a dummy exec to allow deferring applies until the Kubernetes API server has started +#### Private Classes + +* `k8s::common`: Sets up common Kubernetes components - users/groups/folders/etc +* `k8s::node::kube_proxy`: Sets up a on-node kube-proxy instance +* `k8s::node::kubelet`: Installs and configures kubelet +* `k8s::server::apiserver`: Installs and configures a 
Kubernetes apiserver +* `k8s::server::controller_manager`: Installs and configures a Kubernetes controller manager +* `k8s::server::resources`: Generates and deploys standard Kubernetes in-cluster services +* `k8s::server::resources::bootstrap`: Generates and deploys the default Puppet boostrap configuration into the cluster +* `k8s::server::resources::coredns`: Generates and deploys the default CoreDNS DNS provider for Kubernetes +* `k8s::server::resources::flannel`: Generates and deploys the default CoreDNS DNS provider for Kubernetes +* `k8s::server::resources::kube_proxy`: Generates and deploys the default kube-proxy service for Kubernetes +* `k8s::server::scheduler`: Installs and configures a Kubernetes scheduler +* `k8s::server::tls`: Generates the necessary Kubernetes certificates for a server + ### Defined types * [`k8s::binary`](#k8s--binary): Deploys a Kubernetes binary @@ -493,10 +498,6 @@ version of kubernetes to install Default value: `'1.28.14'` -### `k8s::common` - -Sets up common Kubernetes components - users/groups/folders/etc - ### `k8s::install::cni_plugins` Manages the installation of CNI plugins 
@@ -914,114 +915,6 @@ enable puppetdb resource searching Default value: `$k8s::puppetdb_discovery_tag` -### `k8s::node::kube_proxy` - -For most use-cases, running kube-proxy inside the cluster itself is recommended - -#### Parameters - -The following parameters are available in the `k8s::node::kube_proxy` class: - -* [`arguments`](#-k8s--node--kube_proxy--arguments) -* [`auth`](#-k8s--node--kube_proxy--auth) -* [`ca_cert`](#-k8s--node--kube_proxy--ca_cert) -* [`cert`](#-k8s--node--kube_proxy--cert) -* [`cluster_cidr`](#-k8s--node--kube_proxy--cluster_cidr) -* [`config`](#-k8s--node--kube_proxy--config) -* [`control_plane_url`](#-k8s--node--kube_proxy--control_plane_url) -* [`ensure`](#-k8s--node--kube_proxy--ensure) -* [`key`](#-k8s--node--kube_proxy--key) -* [`puppetdb_discovery_tag`](#-k8s--node--kube_proxy--puppetdb_discovery_tag) -* [`token`](#-k8s--node--kube_proxy--token) - -##### `arguments` - -Data type: `Hash[String, Data]` - -A hash of additional arguments to pass to kube-proxy - -Default value: `{}` - -##### `auth` - -Data type: `K8s::Proxy_auth` - -The authentication method to use for the API server - -Default value: `$k8s::node::proxy_auth` - -##### `ca_cert` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the CA certificate to use for the API server - -Default value: `$k8s::node::ca_cert` - -##### `cert` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the client certificate to use for the API server - -Default value: `$k8s::node::proxy_cert` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR range of the cluster - -Default value: `$k8s::cluster_cidr` - -##### `config` - -Data type: `Hash[String, Data]` - -A hash of additional configuration options to pass to kube-proxy - -Default value: `{}` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -The URL of the Kubernetes API server - -Default value: `$k8s::node::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the kube-proxy service 
should be configured - -Default value: `$k8s::node::ensure` - -##### `key` - -Data type: `Optional[Stdlib::Unixpath]` - -The path to the client key to use for the API server - -Default value: `$k8s::node::proxy_key` - -##### `puppetdb_discovery_tag` - -Data type: `String` - -The tag to use for PuppetDB service discovery - -Default value: `$k8s::node::puppetdb_discovery_tag` - -##### `token` - -Data type: `Optional[Sensitive[String]]` - -The token to use for the API server - -Default value: `$k8s::node::proxy_token` - ### `k8s::node::kubectl` Installs the kubectl binary 
@@ -1040,195 +933,6 @@ Whether to install the binary Default value: `$k8s::ensure` -### `k8s::node::kubelet` - -Installs and configures kubelet - -#### Parameters - -The following parameters are available in the `k8s::node::kubelet` class: - -* [`arguments`](#-k8s--node--kubelet--arguments) -* [`auth`](#-k8s--node--kubelet--auth) -* [`ca_cert`](#-k8s--node--kubelet--ca_cert) -* [`cert`](#-k8s--node--kubelet--cert) -* [`cert_path`](#-k8s--node--kubelet--cert_path) -* [`config`](#-k8s--node--kubelet--config) -* [`control_plane_url`](#-k8s--node--kubelet--control_plane_url) -* [`ensure`](#-k8s--node--kubelet--ensure) -* [`firewall_type`](#-k8s--node--kubelet--firewall_type) -* [`key`](#-k8s--node--kubelet--key) -* [`kubeconfig`](#-k8s--node--kubelet--kubeconfig) -* [`manage_firewall`](#-k8s--node--kubelet--manage_firewall) -* [`manage_kernel_modules`](#-k8s--node--kubelet--manage_kernel_modules) -* [`manage_sysctl_settings`](#-k8s--node--kubelet--manage_sysctl_settings) -* [`puppetdb_discovery_tag`](#-k8s--node--kubelet--puppetdb_discovery_tag) -* [`rotate_server_tls`](#-k8s--node--kubelet--rotate_server_tls) -* [`runtime`](#-k8s--node--kubelet--runtime) -* [`runtime_service`](#-k8s--node--kubelet--runtime_service) -* [`support_dualstack`](#-k8s--node--kubelet--support_dualstack) -* [`token`](#-k8s--node--kubelet--token) - -##### `arguments` - -Data type: `Hash[String, Data]` - -additional arguments to pass to kubelet - -Default value: `{}` - -##### `auth` - -Data type: `K8s::Node_auth` - -type of node authentication - -Default value: `$k8s::node::node_auth` - -##### `ca_cert` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the ca cert - -Default value: `$k8s::node::ca_cert` - -##### `cert` - -Data type: `Optional[Stdlib::Unixpath]` - -path to node cert file - -Default value: `$k8s::node::node_cert` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -path to cert files - -Default value: `$k8s::node::cert_path` - -##### `config` - -Data type: `Hash[String, 
Data]` - -additional config to pass to kubelet - -Default value: `{}` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -cluster API connection - -Default value: `$k8s::node::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `$k8s::node::ensure` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `$k8s::node::firewall_type` - -##### `key` - -Data type: `Optional[Stdlib::Unixpath]` - -path to node key file - -Default value: `$k8s::node::node_key` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -path to kubeconfig - -Default value: `'/srv/kubernetes/kubelet.kubeconf'` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `$k8s::node::manage_firewall` - -##### `manage_kernel_modules` - -Data type: `Boolean` - -whether to load kernel modules or not - -Default value: `$k8s::node::manage_kernel_modules` - -##### `manage_sysctl_settings` - -Data type: `Boolean` - -whether to manage sysctl settings or not - -Default value: `$k8s::node::manage_sysctl_settings` - -##### `puppetdb_discovery_tag` - -Data type: `String[1]` - -enable puppetdb resource searching - -Default value: `$k8s::node::puppetdb_discovery_tag` - -##### `rotate_server_tls` - -Data type: `Boolean` - -whether to rotate server tls or not - -Default value: `$auth == 'bootstrap'` - -##### `runtime` - -Data type: `String` - -which container runtime to use - -Default value: `$k8s::container_manager` - -##### `runtime_service` - -Data type: `String` - -name of the service of the container runtime - -Default value: `$k8s::container_runtime_service` - -##### `support_dualstack` - -Data type: `Boolean` - -whether to support dualstack or not - -Default value: `$k8s::cluster_cidr =~ Array[Data, 2]` - -##### `token` - -Data type: `Optional[Sensitive[String]]` - -k8s token to join a cluster - -Default 
value: `$k8s::node::node_token` - ### `k8s::node::simple_cni` Class: k8s::node::simple_cni 
@@ -1526,1734 +1230,491 @@ enable puppetdb resource searching Default value: `$k8s::puppetdb_discovery_tag` -### `k8s::server::apiserver` +### `k8s::server::etcd` -Installs and configures a Kubernetes apiserver +Sets up an etcd cluster node #### Parameters -The following parameters are available in the `k8s::server::apiserver` class: - -* [`advertise_address`](#-k8s--server--apiserver--advertise_address) -* [`aggregator_ca_cert`](#-k8s--server--apiserver--aggregator_ca_cert) -* [`apiserver_cert`](#-k8s--server--apiserver--apiserver_cert) -* [`apiserver_client_cert`](#-k8s--server--apiserver--apiserver_client_cert) -* [`apiserver_client_key`](#-k8s--server--apiserver--apiserver_client_key) -* [`apiserver_key`](#-k8s--server--apiserver--apiserver_key) -* [`arguments`](#-k8s--server--apiserver--arguments) -* [`ca_cert`](#-k8s--server--apiserver--ca_cert) -* [`cert_path`](#-k8s--server--apiserver--cert_path) -* [`container_image`](#-k8s--server--apiserver--container_image) -* [`container_image_tag`](#-k8s--server--apiserver--container_image_tag) -* [`container_registry`](#-k8s--server--apiserver--container_registry) -* [`discover_etcd_servers`](#-k8s--server--apiserver--discover_etcd_servers) -* [`ensure`](#-k8s--server--apiserver--ensure) -* [`etcd_ca`](#-k8s--server--apiserver--etcd_ca) -* [`etcd_cert`](#-k8s--server--apiserver--etcd_cert) -* [`etcd_cluster_name`](#-k8s--server--apiserver--etcd_cluster_name) -* [`etcd_key`](#-k8s--server--apiserver--etcd_key) -* [`etcd_servers`](#-k8s--server--apiserver--etcd_servers) -* [`firewall_type`](#-k8s--server--apiserver--firewall_type) -* [`front_proxy_cert`](#-k8s--server--apiserver--front_proxy_cert) -* [`front_proxy_key`](#-k8s--server--apiserver--front_proxy_key) -* [`manage_firewall`](#-k8s--server--apiserver--manage_firewall) -* [`puppetdb_discovery_tag`](#-k8s--server--apiserver--puppetdb_discovery_tag) -* [`service_cluster_cidr`](#-k8s--server--apiserver--service_cluster_cidr) -* 
[`serviceaccount_private`](#-k8s--server--apiserver--serviceaccount_private) -* [`serviceaccount_public`](#-k8s--server--apiserver--serviceaccount_public) - -##### `advertise_address` - -Data type: `Stdlib::IP::Address::Nosubnet` - -bind address of the apiserver +The following parameters are available in the `k8s::server::etcd` class: -Default value: `fact('networking.ip')` +* [`addn_names`](#-k8s--server--etcd--addn_names) +* [`cert_path`](#-k8s--server--etcd--cert_path) +* [`client_ca_cert`](#-k8s--server--etcd--client_ca_cert) +* [`client_ca_key`](#-k8s--server--etcd--client_ca_key) +* [`cluster_name`](#-k8s--server--etcd--cluster_name) +* [`ensure`](#-k8s--server--etcd--ensure) +* [`firewall_type`](#-k8s--server--etcd--firewall_type) +* [`generate_ca`](#-k8s--server--etcd--generate_ca) +* [`group`](#-k8s--server--etcd--group) +* [`manage_certs`](#-k8s--server--etcd--manage_certs) +* [`manage_firewall`](#-k8s--server--etcd--manage_firewall) +* [`manage_members`](#-k8s--server--etcd--manage_members) +* [`manage_setup`](#-k8s--server--etcd--manage_setup) +* [`peer_ca_cert`](#-k8s--server--etcd--peer_ca_cert) +* [`peer_ca_key`](#-k8s--server--etcd--peer_ca_key) +* [`puppetdb_discovery_tag`](#-k8s--server--etcd--puppetdb_discovery_tag) +* [`self_signed_tls`](#-k8s--server--etcd--self_signed_tls) +* [`user`](#-k8s--server--etcd--user) +* [`version`](#-k8s--server--etcd--version) -##### `aggregator_ca_cert` +##### `addn_names` -Data type: `Stdlib::Unixpath` +Data type: `K8s::TLS_altnames` -path to the aggregator ca cert file +additional names for certificates -Default value: `$k8s::server::tls::aggregator_ca_cert` +Default value: `[]` -##### `apiserver_cert` +##### `cert_path` Data type: `Stdlib::Unixpath` -path to the apiserver cert file +path to cert files -Default value: `"${cert_path}/kube-apiserver.pem"` +Default value: `'/var/lib/etcd/certs'` -##### `apiserver_client_cert` +##### `client_ca_cert` Data type: `Stdlib::Unixpath` -path to the apiserver client cert 
file +path to the client ca cert -Default value: `"${cert_path}/apiserver-kubelet-client.pem"` +Default value: `"${cert_path}/client-ca.pem"` -##### `apiserver_client_key` +##### `client_ca_key` Data type: `Stdlib::Unixpath` -path to the apiserver client key file +path to the client ca key -Default value: `"${cert_path}/apiserver-kubelet-client.key"` +Default value: `"${cert_path}/client-ca.key"` -##### `apiserver_key` +##### `cluster_name` -Data type: `Stdlib::Unixpath` +Data type: `Optional[String[1]]` -path to the apiserver cert file +name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified -Default value: `"${cert_path}/kube-apiserver.key"` +Default value: `undef` -##### `arguments` +##### `ensure` -Data type: `Hash[String, Data]` +Data type: `K8s::Ensure` -additional arguments for the apiserver +set ensure for installation or deinstallation -Default value: `{}` +Default value: `'present'` -##### `ca_cert` +##### `firewall_type` -Data type: `Stdlib::Unixpath` +Data type: `Optional[K8s::Firewall]` -path to the ca cert +define the type of firewall to use -Default value: `$k8s::server::tls::ca_cert` +Default value: `undef` -##### `cert_path` +##### `generate_ca` -Data type: `Stdlib::Unixpath` +Data type: `Boolean` -path to cert files +whether to generate a own ca or not -Default value: `$k8s::server::tls::cert_path` +Default value: `false` -##### `container_image` +##### `group` Data type: `String[1]` -container image to use for the apiserver +group to run etcd as -Default value: `'kube-apiserver'` +Default value: `'etcd'` -##### `container_image_tag` +##### `manage_certs` -Data type: `Optional[String[1]]` +Data type: `Boolean` -container image tag to use for the apiserver +whether to manage certs or not -Default value: `$k8s::container_image_tag` +Default value: `true` -##### `container_registry` +##### `manage_firewall` -Data type: `String[1]` +Data type: `Boolean` -container registry to pull 
the image from +whether to manage firewall or not -Default value: `$k8s::container_registry` +Default value: `false` -##### `discover_etcd_servers` - -Data type: `Boolean` - -enable puppetdb resource searching - -Default value: `$k8s::puppetdb_discovery` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `$k8s::server::ensure` - -##### `etcd_ca` - -Data type: `Stdlib::Unixpath` - -path to the etcd ca cert file - -Default value: `"${cert_path}/etcd-ca.pem"` - -##### `etcd_cert` - -Data type: `Stdlib::Unixpath` - -path to the etcd cert file - -Default value: `"${cert_path}/etcd.pem"` - -##### `etcd_cluster_name` - -Data type: `String[1]` - -name of the etcd cluster for searching its nodes in the puppetdb - -Default value: `$k8s::server::etcd_cluster_name` - -##### `etcd_key` - -Data type: `Stdlib::Unixpath` - -path to the etcd key file - -Default value: `"${cert_path}/etcd.key"` - -##### `etcd_servers` - -Data type: `Optional[Array[Stdlib::HTTPUrl]]` - -list etcd servers if no puppetdb is used - -Default value: `$k8s::server::etcd_servers` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `$k8s::server::firewall_type` - -##### `front_proxy_cert` - -Data type: `Stdlib::Unixpath` - -path to the front proxy cert file - -Default value: `"${cert_path}/front-proxy-client.pem"` - -##### `front_proxy_key` - -Data type: `Stdlib::Unixpath` - -path to the front proxy key file - -Default value: `"${cert_path}/front-proxy-client.key"` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `$k8s::server::manage_firewall` - -##### `puppetdb_discovery_tag` - -Data type: `String` - -enable puppetdb resource searching - -Default value: `$k8s::server::puppetdb_discovery_tag` - -##### `service_cluster_cidr` - -Data type: `K8s::CIDR` - -cidr of the service cluster - -Default value: 
`$k8s::service_cluster_cidr` - -##### `serviceaccount_private` - -Data type: `Stdlib::Unixpath` - -path to the service account private key file - -Default value: `"${cert_path}/service-account.key"` - -##### `serviceaccount_public` - -Data type: `Stdlib::Unixpath` - -path to the service account public key file - -Default value: `"${cert_path}/service-account.pub"` - -### `k8s::server::controller_manager` - -Installs and configures a Kubernetes controller manager - -#### Parameters - -The following parameters are available in the `k8s::server::controller_manager` class: - -* [`arguments`](#-k8s--server--controller_manager--arguments) -* [`ca_cert`](#-k8s--server--controller_manager--ca_cert) -* [`ca_key`](#-k8s--server--controller_manager--ca_key) -* [`cert`](#-k8s--server--controller_manager--cert) -* [`cert_path`](#-k8s--server--controller_manager--cert_path) -* [`cluster_cidr`](#-k8s--server--controller_manager--cluster_cidr) -* [`container_image`](#-k8s--server--controller_manager--container_image) -* [`container_image_tag`](#-k8s--server--controller_manager--container_image_tag) -* [`container_registry`](#-k8s--server--controller_manager--container_registry) -* [`control_plane_url`](#-k8s--server--controller_manager--control_plane_url) -* [`ensure`](#-k8s--server--controller_manager--ensure) -* [`key`](#-k8s--server--controller_manager--key) -* [`service_cluster_cidr`](#-k8s--server--controller_manager--service_cluster_cidr) - -##### `arguments` - -Data type: `Hash[String, Data]` - -Additional arguments to pass to the controller manager. - -Default value: `{}` - -##### `ca_cert` - -Data type: `Stdlib::Unixpath` - -The path to the CA certificate. - -Default value: `$k8s::server::tls::ca_cert` - -##### `ca_key` - -Data type: `Stdlib::Unixpath` - -The path to the CA key. - -Default value: `$k8s::server::tls::ca_key` - -##### `cert` - -Data type: `Stdlib::Unixpath` - -The path to the controller manager certificate. 
- -Default value: `"${cert_path}/kube-controller-manager.pem"` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -The path to the TLS certificates. - -Default value: `$k8s::server::tls::cert_path` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR of the cluster. - -Default value: `$k8s::cluster_cidr` - -##### `container_image` - -Data type: `String[1]` - -The container image to use for the controller manager. - -Default value: `'kube-controller-manager'` - -##### `container_image_tag` - -Data type: `Optional[String[1]]` - -The container image tag to use for the controller manager. - -Default value: `$k8s::container_image_tag` - -##### `container_registry` - -Data type: `String[1]` - -The container registry to pull the controller manager image from. - -Default value: `$k8s::container_registry` - -##### `control_plane_url` - -Data type: `Stdlib::HTTPUrl` - -The URL of the Kubernetes API server. - -Default value: `$k8s::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the controller manager should be configured. - -Default value: `$k8s::server::ensure` - -##### `key` - -Data type: `Stdlib::Unixpath` - -The path to the controller manager key. - -Default value: `"${cert_path}/kube-controller-manager.key"` - -##### `service_cluster_cidr` - -Data type: `K8s::CIDR` - -The CIDR of the service cluster. 
- -Default value: `$k8s::service_cluster_cidr` - -### `k8s::server::etcd` - -Sets up an etcd cluster node - -#### Parameters - -The following parameters are available in the `k8s::server::etcd` class: - -* [`addn_names`](#-k8s--server--etcd--addn_names) -* [`cert_path`](#-k8s--server--etcd--cert_path) -* [`client_ca_cert`](#-k8s--server--etcd--client_ca_cert) -* [`client_ca_key`](#-k8s--server--etcd--client_ca_key) -* [`cluster_name`](#-k8s--server--etcd--cluster_name) -* [`ensure`](#-k8s--server--etcd--ensure) -* [`firewall_type`](#-k8s--server--etcd--firewall_type) -* [`generate_ca`](#-k8s--server--etcd--generate_ca) -* [`group`](#-k8s--server--etcd--group) -* [`manage_certs`](#-k8s--server--etcd--manage_certs) -* [`manage_firewall`](#-k8s--server--etcd--manage_firewall) -* [`manage_members`](#-k8s--server--etcd--manage_members) -* [`manage_setup`](#-k8s--server--etcd--manage_setup) -* [`peer_ca_cert`](#-k8s--server--etcd--peer_ca_cert) -* [`peer_ca_key`](#-k8s--server--etcd--peer_ca_key) -* [`puppetdb_discovery_tag`](#-k8s--server--etcd--puppetdb_discovery_tag) -* [`self_signed_tls`](#-k8s--server--etcd--self_signed_tls) -* [`user`](#-k8s--server--etcd--user) -* [`version`](#-k8s--server--etcd--version) - -##### `addn_names` - -Data type: `K8s::TLS_altnames` - -additional names for certificates - -Default value: `[]` - -##### `cert_path` - -Data type: `Stdlib::Unixpath` - -path to cert files - -Default value: `'/var/lib/etcd/certs'` - -##### `client_ca_cert` - -Data type: `Stdlib::Unixpath` - -path to the client ca cert - -Default value: `"${cert_path}/client-ca.pem"` - -##### `client_ca_key` - -Data type: `Stdlib::Unixpath` - -path to the client ca key - -Default value: `"${cert_path}/client-ca.key"` - -##### `cluster_name` - -Data type: `Optional[String[1]]` - -name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified - -Default value: `undef` - -##### `ensure` - -Data type: `K8s::Ensure` - 
-set ensure for installation or deinstallation - -Default value: `'present'` - -##### `firewall_type` - -Data type: `Optional[K8s::Firewall]` - -define the type of firewall to use - -Default value: `undef` - -##### `generate_ca` - -Data type: `Boolean` - -whether to generate a own ca or not - -Default value: `false` - -##### `group` - -Data type: `String[1]` - -group to run etcd as - -Default value: `'etcd'` - -##### `manage_certs` - -Data type: `Boolean` - -whether to manage certs or not - -Default value: `true` - -##### `manage_firewall` - -Data type: `Boolean` - -whether to manage firewall or not - -Default value: `false` - -##### `manage_members` - -Data type: `Boolean` - -whether to manage the ectd cluster member joining or not - -Default value: `false` - -##### `manage_setup` - -Data type: `Boolean` - -whether to manage the setup of etcd or not - -Default value: `true` - -##### `peer_ca_cert` - -Data type: `Stdlib::Unixpath` - -path to the peer ca cert - -Default value: `"${cert_path}/peer-ca.pem"` - -##### `peer_ca_key` - -Data type: `Stdlib::Unixpath` - -path to the peer ca key - -Default value: `"${cert_path}/peer-ca.key"` - -##### `puppetdb_discovery_tag` - -Data type: `Optional[String[1]]` - -enable puppetdb resource searching - -Default value: `$cluster_name` - -##### `self_signed_tls` - -Data type: `Boolean` - -whether to use self signed tls or not - -Default value: `false` - -##### `user` - -Data type: `String[1]` - -user to run etcd as - -Default value: `'etcd'` - -##### `version` - -Data type: `String[1]` - -version of ectd to install, will use k8s::etcd_version unless otherwise specified - -Default value: `$k8s::etcd_version` - -### `k8s::server::etcd::setup` - -Installs and configures an etcd instance - -#### Parameters - -The following parameters are available in the `k8s::server::etcd::setup` class: - -* [`advertise_client_urls`](#-k8s--server--etcd--setup--advertise_client_urls) -* 
[`archive_template`](#-k8s--server--etcd--setup--archive_template) -* [`auto_compaction_retention`](#-k8s--server--etcd--setup--auto_compaction_retention) -* [`auto_tls`](#-k8s--server--etcd--setup--auto_tls) -* [`binary_path`](#-k8s--server--etcd--setup--binary_path) -* [`cert_file`](#-k8s--server--etcd--setup--cert_file) -* [`client_cert_auth`](#-k8s--server--etcd--setup--client_cert_auth) -* [`data_dir`](#-k8s--server--etcd--setup--data_dir) -* [`ensure`](#-k8s--server--etcd--setup--ensure) -* [`etcd_name`](#-k8s--server--etcd--setup--etcd_name) -* [`fqdn`](#-k8s--server--etcd--setup--fqdn) -* [`gid`](#-k8s--server--etcd--setup--gid) -* [`group`](#-k8s--server--etcd--setup--group) -* [`initial_advertise_peer_urls`](#-k8s--server--etcd--setup--initial_advertise_peer_urls) -* [`initial_cluster`](#-k8s--server--etcd--setup--initial_cluster) -* [`initial_cluster_state`](#-k8s--server--etcd--setup--initial_cluster_state) -* [`initial_cluster_token`](#-k8s--server--etcd--setup--initial_cluster_token) -* [`install`](#-k8s--server--etcd--setup--install) -* [`key_file`](#-k8s--server--etcd--setup--key_file) -* [`listen_client_urls`](#-k8s--server--etcd--setup--listen_client_urls) -* [`listen_peer_urls`](#-k8s--server--etcd--setup--listen_peer_urls) -* [`package`](#-k8s--server--etcd--setup--package) -* [`peer_auto_tls`](#-k8s--server--etcd--setup--peer_auto_tls) -* [`peer_cert_file`](#-k8s--server--etcd--setup--peer_cert_file) -* [`peer_client_cert_auth`](#-k8s--server--etcd--setup--peer_client_cert_auth) -* [`peer_key_file`](#-k8s--server--etcd--setup--peer_key_file) -* [`peer_trusted_ca_file`](#-k8s--server--etcd--setup--peer_trusted_ca_file) -* [`proxy`](#-k8s--server--etcd--setup--proxy) -* [`storage_path`](#-k8s--server--etcd--setup--storage_path) -* [`trusted_ca_file`](#-k8s--server--etcd--setup--trusted_ca_file) -* [`uid`](#-k8s--server--etcd--setup--uid) -* [`user`](#-k8s--server--etcd--setup--user) -* [`version`](#-k8s--server--etcd--setup--version) - -##### 
`advertise_client_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The client urls to advertise - -Default value: `["https://${fqdn}:2379"]` - -##### `archive_template` - -Data type: `Stdlib::HTTPUrl` - -The download url template for the etc archive - -Default value: `'https://storage.googleapis.com/etcd/v%{version}/etcd-v%{version}-%{kernel}-%{arch}.%{kernel_ext}'` - -##### `auto_compaction_retention` - -Data type: `Optional[Integer]` - -The auto compaction retention - -Default value: `undef` - -##### `auto_tls` - -Data type: `Optional[Boolean]` - -Use auto tls - -Default value: `undef` - -##### `binary_path` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the etcd binary - -Default value: `undef` - -##### `cert_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the cert file - -Default value: `undef` - -##### `client_cert_auth` - -Data type: `Boolean` - -Use client cert auth - -Default value: `false` - -##### `data_dir` - -Data type: `String[1]` - -path to the data dir - -Default value: `"${etcd_name}.etcd"` - -##### `ensure` - -Data type: `K8s::Ensure` - -set ensure for installation or deinstallation - -Default value: `'present'` - -##### `etcd_name` - -Data type: `String[1]` - -The etcd instance name - -Default value: `$facts['networking']['hostname']` - -##### `fqdn` - -Data type: `String[1]` - -fully qualified domain name - -Default value: `$facts['networking']['fqdn']` - -##### `gid` - -Data type: `Optional[Integer[0, 65535]]` - -The group system id - -Default value: `undef` - -##### `group` - -Data type: `String[1]` - -etcd system user group - -Default value: `'etcd'` - -##### `initial_advertise_peer_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The peer urls to advertise - -Default value: `["https://${fqdn}:2380"]` - -##### `initial_cluster` - -Data type: `Array[String[1]]` - -The initial cluster - -Default value: `[]` - -##### `initial_cluster_state` - -Data type: `Optional[Enum['existing', 'new']]` - -The initial cluster state - -Default 
value: `undef` - -##### `initial_cluster_token` - -Data type: `Optional[String[1]]` - -The initial cluster token - -Default value: `undef` - -##### `install` - -Data type: `Enum['archive','package']` - -etcd installation method - -Default value: `'archive'` - -##### `key_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the key file - -Default value: `undef` - -##### `listen_client_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The client urls to listen on - -Default value: `['https://[::]:2379']` - -##### `listen_peer_urls` - -Data type: `Array[Stdlib::HTTPUrl]` - -The peer urls to listen on - -Default value: `['https://[::]:2380']` - -##### `package` - -Data type: `String[1]` - -etcd package name - -Default value: `'etcd'` - -##### `peer_auto_tls` - -Data type: `Optional[Boolean]` - -Use peer auto tls - -Default value: `undef` - -##### `peer_cert_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer cert file - -Default value: `undef` - -##### `peer_client_cert_auth` - -Data type: `Boolean` - -Use peer client cert auth - -Default value: `false` - -##### `peer_key_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer key file - -Default value: `undef` - -##### `peer_trusted_ca_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the peer trusted ca file - -Default value: `undef` - -##### `proxy` - -Data type: `Enum['on','off','readonly']` - -The proxy mode - -Default value: `'off'` - -##### `storage_path` - -Data type: `Stdlib::Unixpath` - -path to the working dir of etcd - -Default value: `'/var/lib/etcd'` - -##### `trusted_ca_file` - -Data type: `Optional[Stdlib::Unixpath]` - -path to the trusted ca file - -Default value: `undef` - -##### `uid` - -Data type: `Optional[Integer[0, 65535]]` - -The user system id - -Default value: `undef` - -##### `user` - -Data type: `String[1]` - -etcd system user - -Default value: `'etcd'` - -##### `version` - -Data type: `String[1]` - -The ectd version to install - -Default value: 
`$k8s::etcd_version` - -### `k8s::server::resources` - -Generates and deploys standard Kubernetes in-cluster services - -#### Parameters - -The following parameters are available in the `k8s::server::resources` class: - -* [`ca_cert`](#-k8s--server--resources--ca_cert) -* [`cluster_cidr`](#-k8s--server--resources--cluster_cidr) -* [`cluster_domain`](#-k8s--server--resources--cluster_domain) -* [`control_plane_url`](#-k8s--server--resources--control_plane_url) -* [`coredns_deployment_config`](#-k8s--server--resources--coredns_deployment_config) -* [`coredns_image`](#-k8s--server--resources--coredns_image) -* [`coredns_registry`](#-k8s--server--resources--coredns_registry) -* [`coredns_tag`](#-k8s--server--resources--coredns_tag) -* [`dns_service_address`](#-k8s--server--resources--dns_service_address) -* [`extra_kube_proxy_args`](#-k8s--server--resources--extra_kube_proxy_args) -* [`flannel_cni_image`](#-k8s--server--resources--flannel_cni_image) -* [`flannel_cni_registry`](#-k8s--server--resources--flannel_cni_registry) -* [`flannel_cni_tag`](#-k8s--server--resources--flannel_cni_tag) -* [`flannel_daemonset_config`](#-k8s--server--resources--flannel_daemonset_config) -* [`flannel_image`](#-k8s--server--resources--flannel_image) -* [`flannel_registry`](#-k8s--server--resources--flannel_registry) -* [`flannel_tag`](#-k8s--server--resources--flannel_tag) -* [`image_pull_secrets`](#-k8s--server--resources--image_pull_secrets) -* [`kube_proxy_daemonset_config`](#-k8s--server--resources--kube_proxy_daemonset_config) -* [`kube_proxy_image`](#-k8s--server--resources--kube_proxy_image) -* [`kube_proxy_registry`](#-k8s--server--resources--kube_proxy_registry) -* [`kube_proxy_tag`](#-k8s--server--resources--kube_proxy_tag) -* [`kubeconfig`](#-k8s--server--resources--kubeconfig) -* [`manage_bootstrap`](#-k8s--server--resources--manage_bootstrap) -* [`manage_coredns`](#-k8s--server--resources--manage_coredns) -* [`manage_flannel`](#-k8s--server--resources--manage_flannel) -* 
[`manage_kube_proxy`](#-k8s--server--resources--manage_kube_proxy) - -##### `ca_cert` - -Data type: `Stdlib::Unixpath` - -the path to the CA certificate to use for the cluster - -Default value: `$k8s::server::tls::ca_cert` - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -the CIDR to use for the cluster - -Default value: `$k8s::server::cluster_cidr` - -##### `cluster_domain` - -Data type: `String[1]` - -the domain to use for the cluster - -Default value: `$k8s::server::cluster_domain` - -##### `control_plane_url` - -Data type: `String[1]` - -the URL to use for the control plane - -Default value: `$k8s::server::control_plane_url` - -##### `coredns_deployment_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the CoreDNS Deployment - -Default value: `{}` - -##### `coredns_image` - -Data type: `String[1]` - -the image to use for the CoreDNS - -Default value: `'coredns/coredns'` - -##### `coredns_registry` - -Data type: `String[1]` - -the registry to use for the CoreDNS image - -Default value: `'docker.io'` - -##### `coredns_tag` - -Data type: `String[1]` - -the tag to use for the CoreDNS image - -Default value: `'1.8.7'` - -##### `dns_service_address` - -Data type: `K8s::IP_addresses` - -the IP address to use for the DNS service - -Default value: `$k8s::server::dns_service_address` - -##### `extra_kube_proxy_args` - -Data type: `Hash[String,Data]` - -the extra arguments to pass to the kube-proxy - -Default value: `{}` - -##### `flannel_cni_image` - -Data type: `String[1]` - -the image to use for the Flannel CNI - -Default value: `'rancher/mirrored-flannelcni-flannel-cni-plugin'` - -##### `flannel_cni_registry` - -Data type: `String[1]` - -the registry to use for the Flannel CNI image - -Default value: `'docker.io'` - -##### `flannel_cni_tag` - -Data type: `String[1]` - -the tag to use for the Flannel CNI image - -Default value: `'v1.0.0'` - -##### `flannel_daemonset_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the 
Flannel DaemonSet - -Default value: `{}` - -##### `flannel_image` - -Data type: `String[1]` - -the image to use for the Flannel - -Default value: `'rancher/mirrored-flannelcni-flannel'` - -##### `flannel_registry` - -Data type: `String[1]` - -the registry to use for the Flannel image - -Default value: `'docker.io'` - -##### `flannel_tag` - -Data type: `String[1]` - -the tag to use for the Flannel image - -Default value: `'v0.16.1'` - -##### `image_pull_secrets` - -Data type: `Optional[Array]` - -the secrets to pull from private registries - -Default value: `undef` - -##### `kube_proxy_daemonset_config` - -Data type: `Hash[String,Data]` - -the configuration to use for the kube-proxy DaemonSet - -Default value: `{}` - -##### `kube_proxy_image` - -Data type: `String[1]` - -the image to use for the kube-proxy - -Default value: `'kube-proxy'` - -##### `kube_proxy_registry` - -Data type: `String[1]` - -the registry to use for the kube-proxy image - -Default value: `$k8s::container_registry` - -##### `kube_proxy_tag` - -Data type: `String[1]` - -the tag to use for the kube-proxy image - -Default value: `"v${k8s::version}"` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -the path to the kubeconfig file to use for kubectl - -Default value: `'/root/.kube/config'` - -##### `manage_bootstrap` - -Data type: `Boolean` - -whether to manage the bootstrap resources - -Default value: `true` - -##### `manage_coredns` - -Data type: `Boolean` - -whether to manage the CoreDNS resources - -Default value: `true` - -##### `manage_flannel` +##### `manage_members` Data type: `Boolean` -whether to manage the Flannel resources - -Default value: `true` - -##### `manage_kube_proxy` - -Data type: `K8s::Proxy_method` - -whether to manage the kube-proxy resources - -Default value: `$k8s::manage_kube_proxy` - -### `k8s::server::resources::bootstrap` - -Generates and deploys the default Puppet boostrap configuration into the cluster - -#### Parameters - -The following parameters are 
available in the `k8s::server::resources::bootstrap` class: - -* [`control_plane_url`](#-k8s--server--resources--bootstrap--control_plane_url) -* [`ensure`](#-k8s--server--resources--bootstrap--ensure) -* [`kubeconfig`](#-k8s--server--resources--bootstrap--kubeconfig) -* [`secret`](#-k8s--server--resources--bootstrap--secret) - -##### `control_plane_url` - -Data type: `String[1]` - -The main API URL to encode in the bootstrap configuration - -Default value: `$k8s::server::resources::control_plane_url` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the resources should be present or absent - -Default value: `$k8s::ensure` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -The path to the kubeconfig file to use for the bootstrap configuration - -Default value: `$k8s::server::resources::kubeconfig` - -##### `secret` - -Data type: `Optional[Sensitive[K8s::Bootstrap_token]]` - -The exact token secret to use, will be generated as a random 16-char string if left blank. -The generated value can be retrieved from the bootstrap-token-puppet Secret in kube-system. 
- -Default value: `undef` - -### `k8s::server::resources::coredns` - -Generates and deploys the default CoreDNS DNS provider for Kubernetes - -#### Parameters - -The following parameters are available in the `k8s::server::resources::coredns` class: - -* [`cluster_domain`](#-k8s--server--resources--coredns--cluster_domain) -* [`corefile_content`](#-k8s--server--resources--coredns--corefile_content) -* [`deployment_config`](#-k8s--server--resources--coredns--deployment_config) -* [`dns_service_address`](#-k8s--server--resources--coredns--dns_service_address) -* [`ensure`](#-k8s--server--resources--coredns--ensure) -* [`hosts`](#-k8s--server--resources--coredns--hosts) -* [`image`](#-k8s--server--resources--coredns--image) -* [`image_pull_secrets`](#-k8s--server--resources--coredns--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--coredns--image_tag) -* [`kubeconfig`](#-k8s--server--resources--coredns--kubeconfig) -* [`registry`](#-k8s--server--resources--coredns--registry) -* [`template_path`](#-k8s--server--resources--coredns--template_path) -* [`template_variables`](#-k8s--server--resources--coredns--template_variables) - -##### `cluster_domain` - -Data type: `Stdlib::Fqdn` - -The cluster domain to use for the CoreDNS ConfigMap - -Default value: `$k8s::server::resources::cluster_domain` - -##### `corefile_content` - -Data type: `Optional[String[1]]` - -The content to use for the CoreDNS ConfigMap - -Default value: `undef` - -##### `deployment_config` - -Data type: `Hash[String,Data]` - -Additional configuration to merge into the Kubernetes Deployment object - -Default value: `$k8s::server::resources::coredns_deployment_config` - -##### `dns_service_address` - -Data type: `K8s::IP_addresses` - -The address for the DNS service - -Default value: `$k8s::server::resources::dns_service_address` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether the resource should be present or absent on the target system - -Default value: `$k8s::ensure` - -##### 
`hosts` - -Data type: `Array[String[1]]` - -Additional host-style entries for the CoreDNS deployment to serve - -Default value: `[]` - -##### `image` - -Data type: `String[1]` - -The CoreDNS image name to use - -Default value: `$k8s::server::resources::coredns_image` - -##### `image_pull_secrets` - -Data type: `Optional[Array]` - -the secrets to pull from private registries - -Default value: `$k8s::server::resources::image_pull_secrets` - -##### `image_tag` - -Data type: `String[1]` - -The CoreDNS image tag to use - -Default value: `$k8s::server::resources::coredns_tag` - -##### `kubeconfig` - -Data type: `Stdlib::Unixpath` - -The path to the kubeconfig to use for kubectl commands - -Default value: `$k8s::server::resources::kubeconfig` - -##### `registry` - -Data type: `String[1]` - -The CoreDNS image registry to use - -Default value: `$k8s::server::resources::coredns_registry` - -##### `template_path` - -Data type: `String[1]` - -The path to the template to use for the CoreDNS ConfigMap - -Default value: `'k8s/server/resources/coredns_corefile.epp'` - -##### `template_variables` - -Data type: `Hash[String, Any]` - -The variables to use for the CoreDNS ConfigMap template - -Default value: `{ cluster_domain => $cluster_domain }` - -### `k8s::server::resources::flannel` - -Generates and deploys the default CoreDNS DNS provider for Kubernetes - -#### Parameters - -The following parameters are available in the `k8s::server::resources::flannel` class: - -* [`cluster_cidr`](#-k8s--server--resources--flannel--cluster_cidr) -* [`cni_image`](#-k8s--server--resources--flannel--cni_image) -* [`cni_image_tag`](#-k8s--server--resources--flannel--cni_image_tag) -* [`cni_registry`](#-k8s--server--resources--flannel--cni_registry) -* [`daemonset_config`](#-k8s--server--resources--flannel--daemonset_config) -* [`ensure`](#-k8s--server--resources--flannel--ensure) -* [`image`](#-k8s--server--resources--flannel--image) -* 
[`image_pull_secrets`](#-k8s--server--resources--flannel--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--flannel--image_tag) -* [`kubeconfig`](#-k8s--server--resources--flannel--kubeconfig) -* [`net_config`](#-k8s--server--resources--flannel--net_config) -* [`registry`](#-k8s--server--resources--flannel--registry) - -##### `cluster_cidr` - -Data type: `K8s::CIDR` - -The internal cluster CIDR to proxy for - -Default value: `$k8s::server::resources::cluster_cidr` - -##### `cni_image` - -Data type: `String[1]` - -The Flannel CNI plugin image name to use - -Default value: `$k8s::server::resources::flannel_cni_image` - -##### `cni_image_tag` - -Data type: `String[1]` - -The Flannel CNI plugin image tag to use - -Default value: `$k8s::server::resources::flannel_cni_tag` - -##### `cni_registry` - -Data type: `String[1]` - -The Flannel CNI plugin image registry to use - -Default value: `$k8s::server::resources::flannel_cni_registry` - -##### `daemonset_config` - -Data type: `Hash[String,Data]` - -Additional configuration to merge into the DaemonSet object +whether to manage the ectd cluster member joining or not -Default value: `$k8s::server::resources::flannel_daemonset_config` +Default value: `false` -##### `ensure` +##### `manage_setup` -Data type: `K8s::Ensure` +Data type: `Boolean` -Whether the resource should be present or absent on the system +whether to manage the setup of etcd or not -Default value: `$k8s::ensure` +Default value: `true` -##### `image` +##### `peer_ca_cert` -Data type: `String[1]` +Data type: `Stdlib::Unixpath` -The Flannel image name to use +path to the peer ca cert -Default value: `$k8s::server::resources::flannel_image` +Default value: `"${cert_path}/peer-ca.pem"` -##### `image_pull_secrets` +##### `peer_ca_key` -Data type: `Optional[Array]` +Data type: `Stdlib::Unixpath` -the secrets to pull from private registries +path to the peer ca key -Default value: `$k8s::server::resources::image_pull_secrets` +Default value: 
`"${cert_path}/peer-ca.key"` -##### `image_tag` +##### `puppetdb_discovery_tag` -Data type: `String[1]` +Data type: `Optional[String[1]]` -The Flannel image tag to use +enable puppetdb resource searching -Default value: `$k8s::server::resources::flannel_tag` +Default value: `$cluster_name` -##### `kubeconfig` +##### `self_signed_tls` -Data type: `Stdlib::Unixpath` +Data type: `Boolean` -The path to the kubeconfig file to use +whether to use self signed tls or not -Default value: `$k8s::server::resources::kubeconfig` +Default value: `false` -##### `net_config` +##### `user` -Data type: `Hash[String,Data]` +Data type: `String[1]` -Additional configuration to merge into net-conf.json for Flannel +user to run etcd as -Default value: `{}` +Default value: `'etcd'` -##### `registry` +##### `version` Data type: `String[1]` -The Flannel image registry to use +version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `$k8s::server::resources::flannel_registry` +Default value: `$k8s::etcd_version` -### `k8s::server::resources::kube_proxy` +### `k8s::server::etcd::setup` -Generates and deploys the default kube-proxy service for Kubernetes +Installs and configures an etcd instance #### Parameters -The following parameters are available in the `k8s::server::resources::kube_proxy` class: +The following parameters are available in the `k8s::server::etcd::setup` class: -* [`cluster_cidr`](#-k8s--server--resources--kube_proxy--cluster_cidr) -* [`daemonset_config`](#-k8s--server--resources--kube_proxy--daemonset_config) -* [`ensure`](#-k8s--server--resources--kube_proxy--ensure) -* [`extra_args`](#-k8s--server--resources--kube_proxy--extra_args) -* [`extra_config`](#-k8s--server--resources--kube_proxy--extra_config) -* [`image`](#-k8s--server--resources--kube_proxy--image) -* [`image_pull_secrets`](#-k8s--server--resources--kube_proxy--image_pull_secrets) -* [`image_tag`](#-k8s--server--resources--kube_proxy--image_tag) -* 
[`kubeconfig`](#-k8s--server--resources--kube_proxy--kubeconfig) -* [`registry`](#-k8s--server--resources--kube_proxy--registry) +* [`advertise_client_urls`](#-k8s--server--etcd--setup--advertise_client_urls) +* [`archive_template`](#-k8s--server--etcd--setup--archive_template) +* [`auto_compaction_retention`](#-k8s--server--etcd--setup--auto_compaction_retention) +* [`auto_tls`](#-k8s--server--etcd--setup--auto_tls) +* [`binary_path`](#-k8s--server--etcd--setup--binary_path) +* [`cert_file`](#-k8s--server--etcd--setup--cert_file) +* [`client_cert_auth`](#-k8s--server--etcd--setup--client_cert_auth) +* [`data_dir`](#-k8s--server--etcd--setup--data_dir) +* [`ensure`](#-k8s--server--etcd--setup--ensure) +* [`etcd_name`](#-k8s--server--etcd--setup--etcd_name) +* [`fqdn`](#-k8s--server--etcd--setup--fqdn) +* [`gid`](#-k8s--server--etcd--setup--gid) +* [`group`](#-k8s--server--etcd--setup--group) +* [`initial_advertise_peer_urls`](#-k8s--server--etcd--setup--initial_advertise_peer_urls) +* [`initial_cluster`](#-k8s--server--etcd--setup--initial_cluster) +* [`initial_cluster_state`](#-k8s--server--etcd--setup--initial_cluster_state) +* [`initial_cluster_token`](#-k8s--server--etcd--setup--initial_cluster_token) +* [`install`](#-k8s--server--etcd--setup--install) +* [`key_file`](#-k8s--server--etcd--setup--key_file) +* [`listen_client_urls`](#-k8s--server--etcd--setup--listen_client_urls) +* [`listen_peer_urls`](#-k8s--server--etcd--setup--listen_peer_urls) +* [`package`](#-k8s--server--etcd--setup--package) +* [`peer_auto_tls`](#-k8s--server--etcd--setup--peer_auto_tls) +* [`peer_cert_file`](#-k8s--server--etcd--setup--peer_cert_file) +* [`peer_client_cert_auth`](#-k8s--server--etcd--setup--peer_client_cert_auth) +* [`peer_key_file`](#-k8s--server--etcd--setup--peer_key_file) +* [`peer_trusted_ca_file`](#-k8s--server--etcd--setup--peer_trusted_ca_file) +* [`proxy`](#-k8s--server--etcd--setup--proxy) +* [`storage_path`](#-k8s--server--etcd--setup--storage_path) +* 
[`trusted_ca_file`](#-k8s--server--etcd--setup--trusted_ca_file) +* [`uid`](#-k8s--server--etcd--setup--uid) +* [`user`](#-k8s--server--etcd--setup--user) +* [`version`](#-k8s--server--etcd--setup--version) -##### `cluster_cidr` +##### `advertise_client_urls` -Data type: `K8s::CIDR` +Data type: `Array[Stdlib::HTTPUrl]` -The internal cluster CIDR to proxy for +The client urls to advertise -Default value: `$k8s::server::resources::cluster_cidr` +Default value: `["https://${fqdn}:2379"]` -##### `daemonset_config` +##### `archive_template` -Data type: `Hash[String,Data]` +Data type: `Stdlib::HTTPUrl` -Additional configuration to merge into the DaemonSet object +The download url template for the etc archive -Default value: `{}` +Default value: `'https://storage.googleapis.com/etcd/v%{version}/etcd-v%{version}-%{kernel}-%{arch}.%{kernel_ext}'` -##### `ensure` +##### `auto_compaction_retention` -Data type: `K8s::Ensure` +Data type: `Optional[Integer]` -Whether the resource should be present or absent +The auto compaction retention -Default value: `$k8s::ensure` +Default value: `undef` -##### `extra_args` +##### `auto_tls` -Data type: `Hash[String,Data]` +Data type: `Optional[Boolean]` -Additional arguments to specify to the kube-proxy application +Use auto tls -Default value: `{}` +Default value: `undef` -##### `extra_config` +##### `binary_path` -Data type: `Hash[String,Data]` +Data type: `Optional[Stdlib::Unixpath]` -Additional configuration data to apply to the kube-proxy configuration file +path to the etcd binary -Default value: `{}` +Default value: `undef` -##### `image` +##### `cert_file` -Data type: `String[1]` +Data type: `Optional[Stdlib::Unixpath]` -The kube-proxy image name to use +path to the cert file -Default value: `$k8s::server::resources::kube_proxy_image` +Default value: `undef` -##### `image_pull_secrets` +##### `client_cert_auth` -Data type: `Optional[Array]` +Data type: `Boolean` -the secrets to pull from private registries +Use client cert auth 
-Default value: `$k8s::server::resources::image_pull_secrets` +Default value: `false` -##### `image_tag` +##### `data_dir` Data type: `String[1]` -The kube-proxy image tag to use +path to the data dir -Default value: `$k8s::server::resources::kube_proxy_tag` +Default value: `"${etcd_name}.etcd"` -##### `kubeconfig` +##### `ensure` -Data type: `Stdlib::Unixpath` +Data type: `K8s::Ensure` -The path to the kubeconfig file to use +set ensure for installation or deinstallation -Default value: `$k8s::server::resources::kubeconfig` +Default value: `'present'` -##### `registry` +##### `etcd_name` Data type: `String[1]` -The kube-proxy image registry to use - -Default value: `$k8s::server::resources::kube_proxy_registry` - -### `k8s::server::scheduler` +The etcd instance name -Installs and configures a Kubernetes scheduler +Default value: `$facts['networking']['hostname']` -#### Parameters +##### `fqdn` -The following parameters are available in the `k8s::server::scheduler` class: +Data type: `String[1]` -* [`ensure`](#-k8s--server--scheduler--ensure) -* [`control_plane_url`](#-k8s--server--scheduler--control_plane_url) -* [`arguments`](#-k8s--server--scheduler--arguments) -* [`cert_path`](#-k8s--server--scheduler--cert_path) -* [`ca_cert`](#-k8s--server--scheduler--ca_cert) -* [`cert`](#-k8s--server--scheduler--cert) -* [`key`](#-k8s--server--scheduler--key) -* [`container_registry`](#-k8s--server--scheduler--container_registry) -* [`container_image`](#-k8s--server--scheduler--container_image) -* [`container_image_tag`](#-k8s--server--scheduler--container_image_tag) +fully qualified domain name -##### `ensure` +Default value: `$facts['networking']['fqdn']` -Data type: `K8s::Ensure` +##### `gid` -Whether the scheduler should be configured. +Data type: `Optional[Integer[0, 65535]]` -Default value: `$k8s::server::ensure` +The group system id -##### `control_plane_url` +Default value: `undef` -Data type: `Stdlib::HTTPUrl` +##### `group` -The URL of the Kubernetes API server. 
+Data type: `String[1]` -Default value: `$k8s::control_plane_url` +etcd system user group -##### `arguments` +Default value: `'etcd'` -Data type: `Hash[String, Data]` +##### `initial_advertise_peer_urls` -Additional arguments to pass to the scheduler. +Data type: `Array[Stdlib::HTTPUrl]` -Default value: `{}` +The peer urls to advertise -##### `cert_path` +Default value: `["https://${fqdn}:2380"]` -Data type: `Stdlib::Unixpath` +##### `initial_cluster` -The path to the directory containing the TLS certificates. +Data type: `Array[String[1]]` -Default value: `$k8s::server::tls::cert_path` +The initial cluster -##### `ca_cert` +Default value: `[]` -Data type: `Stdlib::Unixpath` +##### `initial_cluster_state` -The path to the CA certificate. +Data type: `Optional[Enum['existing', 'new']]` -Default value: `$k8s::server::tls::ca_cert` +The initial cluster state -##### `cert` +Default value: `undef` -Data type: `Stdlib::Unixpath` +##### `initial_cluster_token` -The path to the scheduler certificate. +Data type: `Optional[String[1]]` -Default value: `"${cert_path}/kube-scheduler.pem"` +The initial cluster token -##### `key` +Default value: `undef` -Data type: `Stdlib::Unixpath` +##### `install` -The path to the scheduler key. +Data type: `Enum['archive','package']` -Default value: `"${cert_path}/kube-scheduler.key"` +etcd installation method -##### `container_registry` +Default value: `'archive'` -Data type: `String[1]` +##### `key_file` -The container registry to pull images from. +Data type: `Optional[Stdlib::Unixpath]` -Default value: `$k8s::container_registry` +path to the key file -##### `container_image` +Default value: `undef` -Data type: `String[1]` +##### `listen_client_urls` -The container image to use for the scheduler. 
+Data type: `Array[Stdlib::HTTPUrl]` -Default value: `'kube-scheduler'` +The client urls to listen on -##### `container_image_tag` +Default value: `['https://[::]:2379']` -Data type: `Optional[String[1]]` +##### `listen_peer_urls` -The container image tag to use for the scheduler. +Data type: `Array[Stdlib::HTTPUrl]` -Default value: `$k8s::container_image_tag` +The peer urls to listen on -### `k8s::server::tls` +Default value: `['https://[::]:2380']` -Generates the necessary Kubernetes certificates for a server +##### `package` -#### Parameters +Data type: `String[1]` -The following parameters are available in the `k8s::server::tls` class: +etcd package name -* [`aggregator_ca_cert`](#-k8s--server--tls--aggregator_ca_cert) -* [`aggregator_ca_key`](#-k8s--server--tls--aggregator_ca_key) -* [`api_addn_names`](#-k8s--server--tls--api_addn_names) -* [`api_service_address`](#-k8s--server--tls--api_service_address) -* [`ca_cert`](#-k8s--server--tls--ca_cert) -* [`ca_key`](#-k8s--server--tls--ca_key) -* [`cert_path`](#-k8s--server--tls--cert_path) -* [`cluster_domain`](#-k8s--server--tls--cluster_domain) -* [`ensure`](#-k8s--server--tls--ensure) -* [`generate_ca`](#-k8s--server--tls--generate_ca) -* [`key_bits`](#-k8s--server--tls--key_bits) -* [`manage_certs`](#-k8s--server--tls--manage_certs) -* [`valid_days`](#-k8s--server--tls--valid_days) +Default value: `'etcd'` -##### `aggregator_ca_cert` +##### `peer_auto_tls` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Boolean]` -The path to the aggregator CA certificate +Use peer auto tls -Default value: `$k8s::server::aggregator_ca_cert` +Default value: `undef` -##### `aggregator_ca_key` +##### `peer_cert_file` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Stdlib::Unixpath]` -The path to the aggregator CA key +path to the peer cert file -Default value: `$k8s::server::aggregator_ca_key` +Default value: `undef` -##### `api_addn_names` +##### `peer_client_cert_auth` -Data type: `K8s::TLS_altnames` +Data type: 
`Boolean` -Additional names to add to the API server certificate +Use peer client cert auth -Default value: `[]` +Default value: `false` -##### `api_service_address` +##### `peer_key_file` -Data type: `Stdlib::IP::Address::Nosubnet` +Data type: `Optional[Stdlib::Unixpath]` -The API service address +path to the peer key file -Default value: `$k8s::api_service_address` +Default value: `undef` -##### `ca_cert` +##### `peer_trusted_ca_file` -Data type: `Stdlib::Unixpath` +Data type: `Optional[Stdlib::Unixpath]` -The path to the CA certificate +path to the peer trusted ca file -Default value: `$k8s::server::ca_cert` +Default value: `undef` -##### `ca_key` +##### `proxy` -Data type: `Stdlib::Unixpath` +Data type: `Enum['on','off','readonly']` -The path to the CA key +The proxy mode -Default value: `$k8s::server::ca_key` +Default value: `'off'` -##### `cert_path` +##### `storage_path` Data type: `Stdlib::Unixpath` -The path to the certificates - -Default value: `$k8s::server::cert_path` - -##### `cluster_domain` - -Data type: `String[1]` - -The cluster domain - -Default value: `$k8s::cluster_domain` - -##### `ensure` - -Data type: `K8s::Ensure` - -Whether to generate the certificates or not +path to the working dir of etcd -Default value: `'present'` +Default value: `'/var/lib/etcd'` -##### `generate_ca` +##### `trusted_ca_file` -Data type: `Boolean` +Data type: `Optional[Stdlib::Unixpath]` -Whether to generate the CA or not +path to the trusted ca file -Default value: `$k8s::server::generate_ca` +Default value: `undef` -##### `key_bits` +##### `uid` -Data type: `Integer[512]` +Data type: `Optional[Integer[0, 65535]]` -The number of bits to use for the key +The user system id -Default value: `2048` +Default value: `undef` -##### `manage_certs` +##### `user` -Data type: `Boolean` +Data type: `String[1]` -Whether to manage the certificates or not +etcd system user -Default value: `$k8s::server::manage_certs` +Default value: `'etcd'` -##### `valid_days` +##### `version` 
-Data type: `Integer[1]` +Data type: `String[1]` -The number of days the certificate is valid for +The ectd version to install -Default value: `10000` +Default value: `$k8s::etcd_version` ### `k8s::server::wait_online` diff --git a/manifests/common.pp b/manifests/common.pp index 39ef5b3..b077320 100644 --- a/manifests/common.pp +++ b/manifests/common.pp @@ -1,5 +1,8 @@ # @summary Sets up common Kubernetes components - users/groups/folders/etc +# @api private class k8s::common { + assert_private() + group { $k8s::group: ensure => present, system => true, diff --git a/manifests/node/kube_proxy.pp b/manifests/node/kube_proxy.pp index 255ef45..ac1c1b5 100644 --- a/manifests/node/kube_proxy.pp +++ b/manifests/node/kube_proxy.pp @@ -1,4 +1,5 @@ # @summary Sets up a on-node kube-proxy instance +# @api private # # For most use-cases, running kube-proxy inside the cluster itself is recommended # diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp index bfb94d5..706e567 100644 --- a/manifests/node/kubelet.pp +++ b/manifests/node/kubelet.pp @@ -1,4 +1,5 @@ # @summary Installs and configures kubelet +# @api private # # @param arguments additional arguments to pass to kubelet # @param auth type of node authentication @@ -52,6 +53,8 @@ Optional[K8s::Firewall] $firewall_type = $k8s::node::firewall_type, ) { + assert_private() + k8s::binary { 'kubelet': ensure => $ensure, notify => Service['kubelet'], diff --git a/manifests/server/apiserver.pp b/manifests/server/apiserver.pp index e3fc51e..55c3beb 100644 --- a/manifests/server/apiserver.pp +++ b/manifests/server/apiserver.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes apiserver +# @api private # # @param advertise_address bind address of the apiserver # @param aggregator_ca_cert path to the aggregator ca cert file diff --git a/manifests/server/controller_manager.pp b/manifests/server/controller_manager.pp index 7e17b74..afbe003 100644 --- a/manifests/server/controller_manager.pp 
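Review bot: `assert_private()` turns any direct `include k8s::common` from a profile or role into a catalog compilation failure, and nothing in the series description flags this as a breaking change; the `@api private` tag alone tells a user who hits the error nothing about what to declare instead. Since the header is being edited, add the entry point to it, e.g. `# Declared by the k8s role classes (k8s::server / k8s::node); do not include it directly.` and adjust the class list to whatever actually includes k8s::common, which this hunk does not show. The class body continues outside the hunk.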
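Review bot: This file gets the `@api private` tag but, unlike k8s::common and k8s::node::kubelet in the same patch, no `assert_private()` call, so the privacy is documentation only and a direct `include k8s::node::kube_proxy` still compiles. Either add `assert_private()` as the first statement of the class body (outside this hunk), or, if direct declaration is meant to stay supported for the on-node case the summary describes, drop the tag so the docs do not promise a guard that is not there. The same tag-without-guard pattern appears in the apiserver, controller_manager, resources, scheduler and resources/* hunks of this patch and deserves one decision applied consistently.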
+++ b/manifests/server/controller_manager.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes controller manager +# @api private # # @param arguments Additional arguments to pass to the controller manager. # @param ca_cert The path to the CA certificate. diff --git a/manifests/server/resources.pp b/manifests/server/resources.pp index cf9f28e..36e84b1 100644 --- a/manifests/server/resources.pp +++ b/manifests/server/resources.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys standard Kubernetes in-cluster services +# @api private # # @param ca_cert the path to the CA certificate to use for the cluster # @param cluster_cidr the CIDR to use for the cluster diff --git a/manifests/server/resources/bootstrap.pp b/manifests/server/resources/bootstrap.pp index 2815581..8244db5 100644 --- a/manifests/server/resources/bootstrap.pp +++ b/manifests/server/resources/bootstrap.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default Puppet boostrap configuration into the cluster +# @api private # # @param control_plane_url The main API URL to encode in the bootstrap configuration # @param ensure Whether the resources should be present or absent diff --git a/manifests/server/resources/coredns.pp b/manifests/server/resources/coredns.pp index 1c18b62..f0b8120 100644 --- a/manifests/server/resources/coredns.pp +++ b/manifests/server/resources/coredns.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default CoreDNS DNS provider for Kubernetes +# @api private # # @param cluster_domain The cluster domain to use for the CoreDNS ConfigMap # @param corefile_content The content to use for the CoreDNS ConfigMap diff --git a/manifests/server/resources/flannel.pp b/manifests/server/resources/flannel.pp index 19a0d8b..22da3a9 100644 --- a/manifests/server/resources/flannel.pp +++ b/manifests/server/resources/flannel.pp 
@@ -1,4 +1,5 @@ # @summary Generates and deploys the default CoreDNS DNS provider for Kubernetes +# @api private # # @param cluster_cidr The internal cluster CIDR to proxy for # @param cni_image The Flannel CNI plugin image name to use diff --git a/manifests/server/resources/kube_proxy.pp b/manifests/server/resources/kube_proxy.pp index 81d935e..a161e65 100644 --- a/manifests/server/resources/kube_proxy.pp +++ b/manifests/server/resources/kube_proxy.pp @@ -1,4 +1,5 @@ # @summary Generates and deploys the default kube-proxy service for Kubernetes +# @api private # # @param cluster_cidr The internal cluster CIDR to proxy for # @param daemonset_config Additional configuration to merge into the DaemonSet object diff --git a/manifests/server/scheduler.pp b/manifests/server/scheduler.pp index 00dd282..6b8b640 100644 --- a/manifests/server/scheduler.pp +++ b/manifests/server/scheduler.pp @@ -1,4 +1,5 @@ # @summary Installs and configures a Kubernetes scheduler +# @api private # # @param ensure Whether the scheduler should be configured. # @param control_plane_url The URL of the Kubernetes API server. diff --git a/manifests/server/tls.pp b/manifests/server/tls.pp index a89c334..a27f374 100644 --- a/manifests/server/tls.pp +++ b/manifests/server/tls.pp @@ -1,4 +1,5 @@ # @summary Generates the necessary Kubernetes certificates for a server +# @api private # # @param aggregator_ca_cert The path to the aggregator CA certificate # @param aggregator_ca_key The path to the aggregator CA key @@ -32,6 +33,7 @@ Stdlib::Unixpath $aggregator_ca_key = $k8s::server::aggregator_ca_key, Stdlib::Unixpath $aggregator_ca_cert = $k8s::server::aggregator_ca_cert, ) { + assert_private() if $manage_certs or $ensure == 'absent' { if !defined(File[$cert_path]) { file { $cert_path: From 653da1c0c251da0bf288ae60f53474ae74fcb04c Mon Sep 17 00:00:00 2001 
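Review bot: The `@summary` line this hunk keeps as context still reads "Generates and deploys the default CoreDNS DNS provider for Kubernetes" for a file whose name and parameters (`cluster_cidr`, `cni_image`) describe Flannel, so it appears to have been copied from coredns.pp. Since the header is being touched anyway, correct it to `# @summary Generates and deploys the default Flannel CNI provider for Kubernetes` so REFERENCE.md stops documenting two CoreDNS classes. The rest of the class is outside the hunk.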
From: Alexander Olofsson Date: Fri, 27 Sep 2024 09:22:38 +0200 Subject: [PATCH 07/10] Require repo class for container runtime --- manifests/install/container_runtime.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/install/container_runtime.pp b/manifests/install/container_runtime.pp index bffedc5..e7a7e10 100644 --- a/manifests/install/container_runtime.pp +++ b/manifests/install/container_runtime.pp @@ -87,7 +87,6 @@ } if $manage_repo { - include k8s::repo - Class['k8s::repo'] -> Package['k8s container manager'] + require k8s::repo } } From e11b1e66209921be9444cf2080ea0de6da1f8ceb Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Fri, 27 Sep 2024 09:38:39 +0200 Subject: [PATCH 08/10] Disable assert_private in tls test --- spec/classes/server/tls_spec.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/classes/server/tls_spec.rb b/spec/classes/server/tls_spec.rb index 42610da..e004ce0 100644 --- a/spec/classes/server/tls_spec.rb +++ b/spec/classes/server/tls_spec.rb @@ -11,6 +11,8 @@ end let(:pre_condition) do <<~PUPPET + function assert_private() {} + include ::k8s class { '::k8s::server': manage_etcd => false, From 4a380fc429cddb3b803b168f83b8f3e5f0a31298 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Fri, 27 Sep 2024 09:39:26 +0200 Subject: [PATCH 09/10] Contain the k8s roles --- manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 15f5e97..0a47466 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -104,10 +104,10 @@ Integer[0, 65535] $gid = 888, ) { if $role == 'server' or $role == 'control-plane' { - include k8s::server + contain k8s::server } elsif $role == 'node' { - include k8s::node + contain k8s::node } elsif $role == 'etcd-replica' { - include k8s::server::etcd + contain k8s::server::etcd } } From 682d1845fb8779c0b990fd1e665b450407d21f26 Mon Sep 17 00:00:00 2001 
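Review bot: `require k8s::repo` orders every resource in k8s::repo before this entire class, not only before `Package['k8s container manager']` as the removed chain did, so any resource of this class that k8s::repo (or anything it notifies) depends on would now form a dependency cycle; k8s::repo is not visible here, so that is something to confirm rather than a defect I can point at. If the stronger edge is intended, a comment saves the next reader the diff archaeology, e.g. `# require, not include: the repo must be configured before anything in this class is installed`. The enclosing class and the `$manage_repo` parameter start outside the hunk.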
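Review bot: Defining `function assert_private() {}` in the pre_condition stubs out exactly the guard the series adds to k8s::server::tls, so after this change no spec proves that a direct declaration of the class is rejected. Keep the stub for the existing examples, but add one context that uses the same pre_condition minus the stub and expects the private-class error, e.g. `it { is_expected.to compile.and_raise_error(/is private/) }`; the parameter defaults in tls.pp reference `$k8s::server::*`, so the negative example still needs `k8s::server` declared or it will fail for an unrelated reason. The `let(:pre_condition)` heredoc continues outside the hunk.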
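Review bot: The `if`/`elsif` chain has no final branch, so a `$role` value that matches none of `server`, `control-plane`, `node` or `etcd-replica` contains nothing and the catalog compiles silently with no Kubernetes components on the host. If `$role` is declared as an `Enum` (its declaration is outside the hunk) the type check already covers this and a fallback is only defensive; otherwise add `} else { fail("Unsupported k8s role '${role}'") }` so a typo in Hiera fails loudly instead of leaving an unconfigured node.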
From: Alexander Olofsson Date: Fri, 27 Sep 2024 13:52:08 +0200 Subject: [PATCH 10/10] Simplify conntrack package name selection --- manifests/node.pp | 8 +++----- spec/classes/node_spec.rb | 6 ++++++ 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/manifests/node.pp b/manifests/node.pp index e197cff..117bbbd 100644 --- a/manifests/node.pp +++ b/manifests/node.pp @@ -65,12 +65,10 @@ } if $k8s::manage_packages { # Ensure conntrack is installed to properly handle networking cleanup - if fact('os.family') == 'Debian' { - $_conntrack = 'conntrack' - } else { - $_conntrack = 'conntrack-tools' + $_conntrack = fact('os.family') ? { + 'Debian' => 'conntrack', + default => 'conntrack-tools', } - ensure_packages([$_conntrack,]) } diff --git a/spec/classes/node_spec.rb b/spec/classes/node_spec.rb index aedb226..637d23c 100644 --- a/spec/classes/node_spec.rb +++ b/spec/classes/node_spec.rb @@ -14,6 +14,12 @@ let(:facts) { os_facts } it { is_expected.to compile } + + if os_facts.dig('os', 'family') == 'Debian' + it { is_expected.to contain_package 'conntrack' } + else + it { is_expected.to contain_package 'conntrack-tools' } + end end end end
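Review bot: The new examples only cover the path where the conntrack package is managed, so a regression that installs `conntrack` even when `$k8s::manage_packages` is false would go unnoticed; the `if $k8s::manage_packages` guard in node.pp sits directly above the rewritten selector. Add a context whose pre_condition declares `class { 'k8s': manage_packages => false }` (the parameter appears to live on the `k8s` class rather than `k8s::node`, so confirm the declaration) with `it { is_expected.not_to contain_package('conntrack') }` and the `conntrack-tools` counterpart. The surrounding `describe`/`context` blocks start outside the hunk.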