diff --git a/REFERENCE.md b/REFERENCE.md
index 6506ec8..d27fb8c 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -7,6 +7,8 @@
### Classes
* [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server
+* [`k8s::install::kubeadm`](#k8s--install--kubeadm): Installs the kubeadm binary
+* [`k8s::install::kubectl`](#k8s--install--kubectl): Installs the kubectl binary
* [`k8s::node`](#k8s--node): Installs a Kubernetes node
* [`k8s::node::kube_proxy`](#k8s--node--kube_proxy): Sets up a on-node kube-proxy instance
* [`k8s::node::kubectl`](#k8s--node--kubectl): Installs the kubectl binary
@@ -47,6 +49,7 @@
* [`K8s::Duration`](#K8s--Duration): This regexp matches Go duration values, as taken from;
* [`K8s::Ensure`](#K8s--Ensure): a type to describe the ensure pattern
* [`K8s::Extended_key_usage`](#K8s--Extended_key_usage): a type to describe extended key usage for a TLS certificate
+* [`K8s::Firewall`](#K8s--Firewall): a type to describe the type of the firewall to use
* [`K8s::IP_addresses`](#K8s--IP_addresses): a type to describe multiple IP addresses without subnet sizes
* [`K8s::Native_packaging`](#K8s--Native_packaging): a type to describe Kubernetes native packaging methods
* [`K8s::Node_auth`](#K8s--Node_auth): a type to describe node/kubelet authentication methods
@@ -106,6 +109,7 @@ The following parameters are available in the `k8s` class:
* [`dns_service_address`](#-k8s--dns_service_address)
* [`cluster_domain`](#-k8s--cluster_domain)
* [`role`](#-k8s--role)
+* [`firewall_type`](#-k8s--firewall_type)
##### `manage_kernel_modules`
@@ -411,86 +415,115 @@ Data type: `Enum['node','server','none']`
Default value: `'none'`
-### `k8s::node`
+##### `firewall_type`
-Installs a Kubernetes node
+Data type: `Optional[K8s::Firewall]`
+
+
+
+Default value: `undef`
+
+### `k8s::install::kubeadm`
+
+Installs the kubeadm binary
#### Parameters
-The following parameters are available in the `k8s::node` class:
+The following parameters are available in the `k8s::install::kubeadm` class:
-* [`ensure`](#-k8s--node--ensure)
-* [`master`](#-k8s--node--master)
-* [`node_auth`](#-k8s--node--node_auth)
-* [`proxy_auth`](#-k8s--node--proxy_auth)
-* [`manage_kubelet`](#-k8s--node--manage_kubelet)
-* [`manage_proxy`](#-k8s--node--manage_proxy)
-* [`manage_firewall`](#-k8s--node--manage_firewall)
-* [`manage_kernel_modules`](#-k8s--node--manage_kernel_modules)
-* [`manage_sysctl_settings`](#-k8s--node--manage_sysctl_settings)
-* [`puppetdb_discovery_tag`](#-k8s--node--puppetdb_discovery_tag)
-* [`cert_path`](#-k8s--node--cert_path)
-* [`ca_cert`](#-k8s--node--ca_cert)
-* [`node_cert`](#-k8s--node--node_cert)
-* [`node_key`](#-k8s--node--node_key)
-* [`proxy_cert`](#-k8s--node--proxy_cert)
-* [`proxy_key`](#-k8s--node--proxy_key)
-* [`node_token`](#-k8s--node--node_token)
-* [`proxy_token`](#-k8s--node--proxy_token)
+* [`ensure`](#-k8s--install--kubeadm--ensure)
-##### `ensure`
+##### `ensure`
Data type: `K8s::Ensure`
-
+set ensure for installation or deinstallation
Default value: `$k8s::ensure`
-##### `master`
+### `k8s::install::kubectl`
-Data type: `Stdlib::HTTPUrl`
+Installs the kubectl binary
+#### Parameters
+The following parameters are available in the `k8s::install::kubectl` class:
-Default value: `$k8s::master`
+* [`ensure`](#-k8s--install--kubectl--ensure)
-##### `node_auth`
+##### `ensure`
-Data type: `K8s::Node_auth`
+Data type: `K8s::Ensure`
+set ensure for installation or deinstallation
+Default value: `$k8s::ensure`
-Default value: `$k8s::node_auth`
+### `k8s::node`
-##### `proxy_auth`
+Installs a Kubernetes node
-Data type: `K8s::Proxy_auth`
+#### Parameters
+The following parameters are available in the `k8s::node` class:
+* [`ca_cert`](#-k8s--node--ca_cert)
+* [`cert_path`](#-k8s--node--cert_path)
+* [`ensure`](#-k8s--node--ensure)
+* [`firewall_type`](#-k8s--node--firewall_type)
+* [`manage_firewall`](#-k8s--node--manage_firewall)
+* [`manage_kernel_modules`](#-k8s--node--manage_kernel_modules)
+* [`manage_kubelet`](#-k8s--node--manage_kubelet)
+* [`manage_proxy`](#-k8s--node--manage_proxy)
+* [`manage_sysctl_settings`](#-k8s--node--manage_sysctl_settings)
+* [`master`](#-k8s--node--master)
+* [`node_auth`](#-k8s--node--node_auth)
+* [`node_cert`](#-k8s--node--node_cert)
+* [`node_key`](#-k8s--node--node_key)
+* [`node_token`](#-k8s--node--node_token)
+* [`proxy_auth`](#-k8s--node--proxy_auth)
+* [`proxy_cert`](#-k8s--node--proxy_cert)
+* [`proxy_key`](#-k8s--node--proxy_key)
+* [`proxy_token`](#-k8s--node--proxy_token)
+* [`puppetdb_discovery_tag`](#-k8s--node--puppetdb_discovery_tag)
-Default value: `'incluster'`
+##### `ca_cert`
-##### `manage_kubelet`
+Data type: `Stdlib::Unixpath`
-Data type: `Boolean`
+path to the ca cert
+Default value: `"${cert_path}/ca.pem"`
+##### `cert_path`
-Default value: `true`
+Data type: `Stdlib::Unixpath`
-##### `manage_proxy`
+path to cert files
-Data type: `Boolean`
+Default value: `'/var/lib/kubelet/pki'`
+##### `ensure`
+Data type: `K8s::Ensure`
-Default value: `false`
+set ensure for installation or deinstallation
+
+Default value: `$k8s::ensure`
+
+##### `firewall_type`
+
+Data type: `Optional[K8s::Firewall]`
+
+define the type of firewall to use
+
+Default value: `$k8s::firewall_type`
##### `manage_firewall`
Data type: `Boolean`
-
+whether to manage firewall or not
Default value: `$k8s::manage_firewall`
@@ -498,47 +531,55 @@ Default value: `$k8s::manage_firewall`
Data type: `Boolean`
-
+whether to load kernel modules or not
Default value: `$k8s::manage_kernel_modules`
-##### `manage_sysctl_settings`
+##### `manage_kubelet`
Data type: `Boolean`
+whether to manage kublet or not
+Default value: `true`
-Default value: `$k8s::manage_sysctl_settings`
+##### `manage_proxy`
-##### `puppetdb_discovery_tag`
+Data type: `Boolean`
-Data type: `String[1]`
+whether to manage kube-proxy or not
+Default value: `false`
+##### `manage_sysctl_settings`
-Default value: `$k8s::puppetdb_discovery_tag`
+Data type: `Boolean`
-##### `cert_path`
+whether to manage sysctl settings or not
-Data type: `Stdlib::Unixpath`
+Default value: `$k8s::manage_sysctl_settings`
+##### `master`
+Data type: `Stdlib::HTTPUrl`
-Default value: `'/var/lib/kubelet/pki'`
+cluster API connection
-##### `ca_cert`
+Default value: `$k8s::master`
-Data type: `Stdlib::Unixpath`
+##### `node_auth`
+Data type: `K8s::Node_auth`
+type of node authentication
-Default value: `"${cert_path}/ca.pem"`
+Default value: `$k8s::node_auth`
##### `node_cert`
Data type: `Optional[Stdlib::Unixpath]`
-
+path to node cert file
Default value: `undef`
@@ -546,15 +587,31 @@ Default value: `undef`
Data type: `Optional[Stdlib::Unixpath]`
+path to node key file
+Default value: `undef`
+
+##### `node_token`
+
+Data type: `Optional[String[1]]`
+
+k8s token to join a cluster
Default value: `undef`
+##### `proxy_auth`
+
+Data type: `K8s::Proxy_auth`
+
+which proxy auth to use
+
+Default value: `'incluster'`
+
##### `proxy_cert`
Data type: `Optional[Stdlib::Unixpath]`
-
+path to proxy cert file
Default value: `undef`
@@ -562,25 +619,25 @@ Default value: `undef`
Data type: `Optional[Stdlib::Unixpath]`
-
+path to proxy key file
Default value: `undef`
-##### `node_token`
+##### `proxy_token`
Data type: `Optional[String[1]]`
-
+k8s token for kube-proxy
Default value: `undef`
-##### `proxy_token`
-
-Data type: `Optional[String[1]]`
+##### `puppetdb_discovery_tag`
+Data type: `String[1]`
+enable puppetdb resource searching
-Default value: `undef`
+Default value: `$k8s::puppetdb_discovery_tag`
### `k8s::node::kube_proxy`
@@ -716,103 +773,112 @@ Installs and configures kubelet
The following parameters are available in the `k8s::node::kubelet` class:
-* [`ensure`](#-k8s--node--kubelet--ensure)
-* [`master`](#-k8s--node--kubelet--master)
-* [`config`](#-k8s--node--kubelet--config)
* [`arguments`](#-k8s--node--kubelet--arguments)
-* [`runtime`](#-k8s--node--kubelet--runtime)
-* [`runtime_service`](#-k8s--node--kubelet--runtime_service)
-* [`puppetdb_discovery_tag`](#-k8s--node--kubelet--puppetdb_discovery_tag)
* [`auth`](#-k8s--node--kubelet--auth)
-* [`rotate_server_tls`](#-k8s--node--kubelet--rotate_server_tls)
+* [`ca_cert`](#-k8s--node--kubelet--ca_cert)
+* [`cert`](#-k8s--node--kubelet--cert)
+* [`cert_path`](#-k8s--node--kubelet--cert_path)
+* [`config`](#-k8s--node--kubelet--config)
+* [`ensure`](#-k8s--node--kubelet--ensure)
+* [`firewall_type`](#-k8s--node--kubelet--firewall_type)
+* [`key`](#-k8s--node--kubelet--key)
+* [`kubeconfig`](#-k8s--node--kubelet--kubeconfig)
* [`manage_firewall`](#-k8s--node--kubelet--manage_firewall)
* [`manage_kernel_modules`](#-k8s--node--kubelet--manage_kernel_modules)
* [`manage_sysctl_settings`](#-k8s--node--kubelet--manage_sysctl_settings)
+* [`master`](#-k8s--node--kubelet--master)
+* [`puppetdb_discovery_tag`](#-k8s--node--kubelet--puppetdb_discovery_tag)
+* [`rotate_server_tls`](#-k8s--node--kubelet--rotate_server_tls)
+* [`runtime`](#-k8s--node--kubelet--runtime)
+* [`runtime_service`](#-k8s--node--kubelet--runtime_service)
* [`support_dualstack`](#-k8s--node--kubelet--support_dualstack)
-* [`cert_path`](#-k8s--node--kubelet--cert_path)
-* [`kubeconfig`](#-k8s--node--kubelet--kubeconfig)
-* [`ca_cert`](#-k8s--node--kubelet--ca_cert)
-* [`cert`](#-k8s--node--kubelet--cert)
-* [`key`](#-k8s--node--kubelet--key)
* [`token`](#-k8s--node--kubelet--token)
-##### `ensure`
-
-Data type: `K8s::Ensure`
-
-
+##### `arguments`
-Default value: `$k8s::node::ensure`
+Data type: `Hash[String, Data]`
-##### `master`
-Data type: `Stdlib::HTTPUrl`
+Default value: `{}`
+##### `auth`
-Default value: `$k8s::node::master`
+Data type: `K8s::Node_auth`
-##### `config`
+type of node authentication
-Data type: `Hash[String, Data]`
+Default value: `$k8s::node::node_auth`
+##### `ca_cert`
+Data type: `Optional[Stdlib::Unixpath]`
-Default value: `{}`
+path to the ca cert
-##### `arguments`
+Default value: `$k8s::node::ca_cert`
-Data type: `Hash[String, Data]`
+##### `cert`
+Data type: `Optional[Stdlib::Unixpath]`
+path to node cert file
-Default value: `{}`
+Default value: `$k8s::node::node_cert`
-##### `runtime`
+##### `cert_path`
-Data type: `String`
+Data type: `Stdlib::Unixpath`
+path to cert files
+Default value: `$k8s::node::cert_path`
-Default value: `$k8s::container_manager`
+##### `config`
-##### `runtime_service`
+Data type: `Hash[String, Data]`
-Data type: `String`
+Default value: `{}`
-Default value: `$k8s::container_runtime_service`
+##### `ensure`
-##### `puppetdb_discovery_tag`
+Data type: `K8s::Ensure`
-Data type: `String[1]`
+set ensure for installation or deinstallation
+Default value: `$k8s::node::ensure`
+##### `firewall_type`
-Default value: `$k8s::node::puppetdb_discovery_tag`
+Data type: `Optional[K8s::Firewall]`
-##### `auth`
+define the type of firewall to use
-Data type: `K8s::Node_auth`
+Default value: `$k8s::node::firewall_type`
+##### `key`
+Data type: `Optional[Stdlib::Unixpath]`
-Default value: `$k8s::node::node_auth`
+path to node key file
-##### `rotate_server_tls`
+Default value: `$k8s::node::node_key`
-Data type: `Boolean`
+##### `kubeconfig`
+Data type: `Stdlib::Unixpath`
+path to kubeconfig
-Default value: `$auth == 'bootstrap'`
+Default value: `'/srv/kubernetes/kubelet.kubeconf'`
##### `manage_firewall`
Data type: `Boolean`
-
+whether to manage firewall or not
Default value: `$k8s::node::manage_firewall`
@@ -820,7 +886,7 @@ Default value: `$k8s::node::manage_firewall`
Data type: `Boolean`
-
+whether to load kernel modules or not
Default value: `$k8s::node::manage_kernel_modules`
@@ -828,63 +894,63 @@ Default value: `$k8s::node::manage_kernel_modules`
Data type: `Boolean`
-
+whether to manage sysctl settings or not
Default value: `$k8s::node::manage_sysctl_settings`
-##### `support_dualstack`
-
-Data type: `Boolean`
-
-
-
-Default value: `$k8s::cluster_cidr =~ Array[Data, 2]`
+##### `master`
-##### `cert_path`
+Data type: `Stdlib::HTTPUrl`
-Data type: `Stdlib::Unixpath`
+cluster API connection
+Default value: `$k8s::node::master`
+##### `puppetdb_discovery_tag`
-Default value: `$k8s::node::cert_path`
+Data type: `String[1]`
-##### `kubeconfig`
+enable puppetdb resource searching
-Data type: `Stdlib::Unixpath`
+Default value: `$k8s::node::puppetdb_discovery_tag`
+##### `rotate_server_tls`
+Data type: `Boolean`
-Default value: `'/srv/kubernetes/kubelet.kubeconf'`
-##### `ca_cert`
-Data type: `Optional[Stdlib::Unixpath]`
+Default value: `$auth == 'bootstrap'`
+##### `runtime`
+Data type: `String`
-Default value: `$k8s::node::ca_cert`
+which container runtime to use
-##### `cert`
+Default value: `$k8s::container_manager`
-Data type: `Optional[Stdlib::Unixpath]`
+##### `runtime_service`
+Data type: `String`
+name of the service of the container runtime
-Default value: `$k8s::node::node_cert`
+Default value: `$k8s::container_runtime_service`
-##### `key`
+##### `support_dualstack`
-Data type: `Optional[Stdlib::Unixpath]`
+Data type: `Boolean`
-Default value: `$k8s::node::node_key`
+Default value: `$k8s::cluster_cidr =~ Array[Data, 2]`
##### `token`
Data type: `Optional[String[1]]`
-
+k8s token to join a cluster
Default value: `$k8s::node::node_token`
@@ -903,7 +969,7 @@ The following parameters are available in the `k8s::repo` class:
Data type: `Boolean`
-
+whether to add cri-o repository or not
Default value: `$k8s::manage_container_manager`
@@ -911,7 +977,7 @@ Default value: `$k8s::manage_container_manager`
Data type: `String[1]`
-
+version o cri-o
Default value: `$k8s::version.split('\.')[0, 2].join('.')`
@@ -923,138 +989,164 @@ Sets up a Kubernetes server instance
The following parameters are available in the `k8s::server` class:
-* [`ensure`](#-k8s--server--ensure)
+* [`aggregator_ca_cert`](#-k8s--server--aggregator_ca_cert)
+* [`aggregator_ca_key`](#-k8s--server--aggregator_ca_key)
* [`api_port`](#-k8s--server--api_port)
+* [`ca_cert`](#-k8s--server--ca_cert)
+* [`ca_key`](#-k8s--server--ca_key)
+* [`cert_path`](#-k8s--server--cert_path)
* [`cluster_cidr`](#-k8s--server--cluster_cidr)
-* [`dns_service_address`](#-k8s--server--dns_service_address)
* [`cluster_domain`](#-k8s--server--cluster_domain)
* [`direct_master`](#-k8s--server--direct_master)
-* [`master`](#-k8s--server--master)
-* [`cert_path`](#-k8s--server--cert_path)
-* [`ca_key`](#-k8s--server--ca_key)
-* [`ca_cert`](#-k8s--server--ca_cert)
-* [`aggregator_ca_key`](#-k8s--server--aggregator_ca_key)
-* [`aggregator_ca_cert`](#-k8s--server--aggregator_ca_cert)
+* [`dns_service_address`](#-k8s--server--dns_service_address)
+* [`ensure`](#-k8s--server--ensure)
+* [`etcd_servers`](#-k8s--server--etcd_servers)
+* [`firewall_type`](#-k8s--server--firewall_type)
* [`generate_ca`](#-k8s--server--generate_ca)
-* [`manage_etcd`](#-k8s--server--manage_etcd)
-* [`manage_firewall`](#-k8s--server--manage_firewall)
* [`manage_certs`](#-k8s--server--manage_certs)
-* [`manage_signing`](#-k8s--server--manage_signing)
* [`manage_components`](#-k8s--server--manage_components)
+* [`manage_etcd`](#-k8s--server--manage_etcd)
+* [`manage_firewall`](#-k8s--server--manage_firewall)
+* [`manage_kubeadm`](#-k8s--server--manage_kubeadm)
* [`manage_resources`](#-k8s--server--manage_resources)
+* [`manage_signing`](#-k8s--server--manage_signing)
+* [`master`](#-k8s--server--master)
* [`node_on_server`](#-k8s--server--node_on_server)
* [`puppetdb_discovery_tag`](#-k8s--server--puppetdb_discovery_tag)
-* [`etcd_servers`](#-k8s--server--etcd_servers)
-##### `ensure`
+##### `aggregator_ca_cert`
+
+Data type: `Stdlib::Unixpath`
+
+
-Data type: `K8s::Ensure`
+Default value: `"${cert_path}/aggregator-ca.pem"`
+
+##### `aggregator_ca_key`
+
+Data type: `Stdlib::Unixpath`
-Default value: `$k8s::ensure`
+Default value: `"${cert_path}/aggregator-ca.key"`
##### `api_port`
Data type: `Integer[1]`
-
+Cluster API port
Default value: `6443`
-##### `cluster_cidr`
+##### `ca_cert`
-Data type: `K8s::CIDR`
+Data type: `Stdlib::Unixpath`
+path to the ca cert
+Default value: `"${cert_path}/ca.pem"`
-Default value: `$k8s::cluster_cidr`
+##### `ca_key`
-##### `dns_service_address`
+Data type: `Stdlib::Unixpath`
-Data type: `K8s::IP_addresses`
+path to the ca key
+Default value: `"${cert_path}/ca.key"`
+##### `cert_path`
-Default value: `$k8s::dns_service_address`
+Data type: `Stdlib::Unixpath`
-##### `cluster_domain`
+path to cert files
-Data type: `String`
+Default value: `'/etc/kubernetes/certs'`
+##### `cluster_cidr`
+Data type: `K8s::CIDR`
-Default value: `$k8s::cluster_domain`
+cluster cidr
-##### `direct_master`
+Default value: `$k8s::cluster_cidr`
-Data type: `String`
+##### `cluster_domain`
+Data type: `String`
+cluster domain name
-Default value: `"https://${fact('networking.ip')}:${api_port}"`
+Default value: `$k8s::cluster_domain`
-##### `master`
+##### `direct_master`
Data type: `String`
+direct clust API connection
+Default value: `"https://${fact('networking.ip')}:${api_port}"`
-Default value: `$k8s::master`
-
-##### `cert_path`
-
-Data type: `Stdlib::Unixpath`
+##### `dns_service_address`
+Data type: `K8s::IP_addresses`
+cluster dns service address
-Default value: `'/etc/kubernetes/certs'`
+Default value: `$k8s::dns_service_address`
-##### `ca_key`
+##### `ensure`
-Data type: `Stdlib::Unixpath`
+Data type: `K8s::Ensure`
+set ensure for installation or deinstallation
+Default value: `$k8s::ensure`
-Default value: `"${cert_path}/ca.key"`
+##### `etcd_servers`
-##### `ca_cert`
+Data type: `Optional[Array[Stdlib::HTTPUrl]]`
-Data type: `Stdlib::Unixpath`
+list etcd servers if no puppetdb is used
+Default value: `undef`
+##### `firewall_type`
-Default value: `"${cert_path}/ca.pem"`
+Data type: `Optional[K8s::Firewall]`
-##### `aggregator_ca_key`
+define the type of firewall to use
-Data type: `Stdlib::Unixpath`
+Default value: `$k8s::firewall_type`
+##### `generate_ca`
+Data type: `Boolean`
-Default value: `"${cert_path}/aggregator-ca.key"`
+initially generate ca
-##### `aggregator_ca_cert`
+Default value: `false`
-Data type: `Stdlib::Unixpath`
+##### `manage_certs`
+Data type: `Boolean`
+whether to manage certs or not
-Default value: `"${cert_path}/aggregator-ca.pem"`
+Default value: `true`
-##### `generate_ca`
+##### `manage_components`
Data type: `Boolean`
+whether to manage components or not
-
-Default value: `false`
+Default value: `true`
##### `manage_etcd`
Data type: `Boolean`
-
+whether to manage etcd or not
Default value: `$k8s::manage_etcd`
@@ -1062,47 +1154,47 @@ Default value: `$k8s::manage_etcd`
Data type: `Boolean`
-
+whether to manage firewall or not
Default value: `$k8s::manage_firewall`
-##### `manage_certs`
+##### `manage_kubeadm`
Data type: `Boolean`
+whether to install kubeadm or not
+Default value: `false`
-Default value: `true`
-
-##### `manage_signing`
+##### `manage_resources`
Data type: `Boolean`
+whether to manage cluster internal resources or not
+Default value: `true`
-Default value: `$k8s::puppetdb_discovery`
-
-##### `manage_components`
+##### `manage_signing`
Data type: `Boolean`
+whether to manage cert signing or not
+Default value: `$k8s::puppetdb_discovery`
-Default value: `true`
-
-##### `manage_resources`
-
-Data type: `Boolean`
+##### `master`
+Data type: `String`
+cluster API connection
-Default value: `true`
+Default value: `$k8s::master`
##### `node_on_server`
Data type: `Boolean`
-
+whether to use controller also as nodes or not
Default value: `true`
@@ -1110,18 +1202,10 @@ Default value: `true`
Data type: `String[1]`
-
+enable puppetdb resource searching
Default value: `$k8s::puppetdb_discovery_tag`
-##### `etcd_servers`
-
-Data type: `Optional[Array[Stdlib::HTTPUrl]]`
-
-
-
-Default value: `undef`
-
### `k8s::server::apiserver`
Installs and configures a Kubernetes apiserver
@@ -1130,139 +1214,157 @@ Installs and configures a Kubernetes apiserver
The following parameters are available in the `k8s::server::apiserver` class:
-* [`ensure`](#-k8s--server--apiserver--ensure)
-* [`arguments`](#-k8s--server--apiserver--arguments)
-* [`service_cluster_cidr`](#-k8s--server--apiserver--service_cluster_cidr)
-* [`etcd_servers`](#-k8s--server--apiserver--etcd_servers)
-* [`discover_etcd_servers`](#-k8s--server--apiserver--discover_etcd_servers)
-* [`manage_firewall`](#-k8s--server--apiserver--manage_firewall)
-* [`puppetdb_discovery_tag`](#-k8s--server--apiserver--puppetdb_discovery_tag)
-* [`cert_path`](#-k8s--server--apiserver--cert_path)
-* [`ca_cert`](#-k8s--server--apiserver--ca_cert)
+* [`advertise_address`](#-k8s--server--apiserver--advertise_address)
* [`aggregator_ca_cert`](#-k8s--server--apiserver--aggregator_ca_cert)
-* [`serviceaccount_public`](#-k8s--server--apiserver--serviceaccount_public)
-* [`serviceaccount_private`](#-k8s--server--apiserver--serviceaccount_private)
* [`apiserver_cert`](#-k8s--server--apiserver--apiserver_cert)
-* [`apiserver_key`](#-k8s--server--apiserver--apiserver_key)
-* [`front_proxy_cert`](#-k8s--server--apiserver--front_proxy_cert)
-* [`front_proxy_key`](#-k8s--server--apiserver--front_proxy_key)
* [`apiserver_client_cert`](#-k8s--server--apiserver--apiserver_client_cert)
* [`apiserver_client_key`](#-k8s--server--apiserver--apiserver_client_key)
+* [`apiserver_key`](#-k8s--server--apiserver--apiserver_key)
+* [`arguments`](#-k8s--server--apiserver--arguments)
+* [`ca_cert`](#-k8s--server--apiserver--ca_cert)
+* [`cert_path`](#-k8s--server--apiserver--cert_path)
+* [`discover_etcd_servers`](#-k8s--server--apiserver--discover_etcd_servers)
+* [`ensure`](#-k8s--server--apiserver--ensure)
* [`etcd_ca`](#-k8s--server--apiserver--etcd_ca)
* [`etcd_cert`](#-k8s--server--apiserver--etcd_cert)
* [`etcd_key`](#-k8s--server--apiserver--etcd_key)
+* [`etcd_servers`](#-k8s--server--apiserver--etcd_servers)
+* [`firewall_type`](#-k8s--server--apiserver--firewall_type)
+* [`front_proxy_cert`](#-k8s--server--apiserver--front_proxy_cert)
+* [`front_proxy_key`](#-k8s--server--apiserver--front_proxy_key)
+* [`manage_firewall`](#-k8s--server--apiserver--manage_firewall)
+* [`puppetdb_discovery_tag`](#-k8s--server--apiserver--puppetdb_discovery_tag)
+* [`service_cluster_cidr`](#-k8s--server--apiserver--service_cluster_cidr)
+* [`serviceaccount_private`](#-k8s--server--apiserver--serviceaccount_private)
+* [`serviceaccount_public`](#-k8s--server--apiserver--serviceaccount_public)
-##### `ensure`
-
-Data type: `K8s::Ensure`
+##### `advertise_address`
+Data type: `Stdlib::IP::Address::Nosubnet`
+bind address of the apiserver
-Default value: `$k8s::server::ensure`
+Default value: `fact('networking.ip')`
-##### `arguments`
+##### `aggregator_ca_cert`
-Data type: `Hash[String, Data]`
+Data type: `Stdlib::Unixpath`
-Default value: `{}`
+Default value: `$k8s::server::tls::aggregator_ca_cert`
-##### `service_cluster_cidr`
+##### `apiserver_cert`
-Data type: `K8s::CIDR`
+Data type: `Stdlib::Unixpath`
+path to the apiserver cert file
+Default value: `"${cert_path}/kube-apiserver.pem"`
-Default value: `$k8s::service_cluster_cidr`
+##### `apiserver_client_cert`
-##### `etcd_servers`
+Data type: `Stdlib::Unixpath`
-Data type: `Optional[Array[Stdlib::HTTPUrl]]`
+path to the apiserver client cert file
+Default value: `"${cert_path}/apiserver-kubelet-client.pem"`
+##### `apiserver_client_key`
-Default value: `$k8s::server::etcd_servers`
+Data type: `Stdlib::Unixpath`
-##### `discover_etcd_servers`
+path to the apiserver client key file
-Data type: `Boolean`
+Default value: `"${cert_path}/apiserver-kubelet-client.key"`
+##### `apiserver_key`
+Data type: `Stdlib::Unixpath`
-Default value: `$k8s::puppetdb_discovery`
+path to the apiserver cert file
-##### `manage_firewall`
+Default value: `"${cert_path}/kube-apiserver.key"`
-Data type: `Boolean`
+##### `arguments`
+Data type: `Hash[String, Data]`
-Default value: `$k8s::server::manage_firewall`
-##### `puppetdb_discovery_tag`
+Default value: `{}`
-Data type: `String`
+##### `ca_cert`
+Data type: `Stdlib::Unixpath`
+path to the ca cert
-Default value: `$k8s::server::puppetdb_discovery_tag`
+Default value: `$k8s::server::tls::ca_cert`
##### `cert_path`
Data type: `Stdlib::Unixpath`
-
+path to cert files
Default value: `$k8s::server::tls::cert_path`
-##### `ca_cert`
-
-Data type: `Stdlib::Unixpath`
-
+##### `discover_etcd_servers`
+Data type: `Boolean`
-Default value: `$k8s::server::tls::ca_cert`
+enable puppetdb resource searching
-##### `aggregator_ca_cert`
+Default value: `$k8s::puppetdb_discovery`
-Data type: `Stdlib::Unixpath`
+##### `ensure`
+Data type: `K8s::Ensure`
+set ensure for installation or deinstallation
-Default value: `$k8s::server::tls::aggregator_ca_cert`
+Default value: `$k8s::server::ensure`
-##### `serviceaccount_public`
+##### `etcd_ca`
Data type: `Stdlib::Unixpath`
+path to the etcd ca cert file
+Default value: `"${cert_path}/etcd-ca.pem"`
-Default value: `"${cert_path}/service-account.pub"`
-
-##### `serviceaccount_private`
+##### `etcd_cert`
Data type: `Stdlib::Unixpath`
+path to the etcd cert file
+Default value: `"${cert_path}/etcd.pem"`
-Default value: `"${cert_path}/service-account.key"`
-
-##### `apiserver_cert`
+##### `etcd_key`
Data type: `Stdlib::Unixpath`
+path to the etcd key file
+Default value: `"${cert_path}/etcd.key"`
-Default value: `"${cert_path}/kube-apiserver.pem"`
+##### `etcd_servers`
-##### `apiserver_key`
+Data type: `Optional[Array[Stdlib::HTTPUrl]]`
-Data type: `Stdlib::Unixpath`
+list etcd servers if no puppetdb is used
+Default value: `$k8s::server::etcd_servers`
+##### `firewall_type`
-Default value: `"${cert_path}/kube-apiserver.key"`
+Data type: `Optional[K8s::Firewall]`
+
+define the type of firewall to use
+
+Default value: `$k8s::server::firewall_type`
##### `front_proxy_cert`
@@ -1280,45 +1382,45 @@ Data type: `Stdlib::Unixpath`
Default value: `"${cert_path}/front-proxy-client.key"`
-##### `apiserver_client_cert`
-
-Data type: `Stdlib::Unixpath`
-
+##### `manage_firewall`
+Data type: `Boolean`
-Default value: `"${cert_path}/apiserver-kubelet-client.pem"`
+whether to manage firewall or not
-##### `apiserver_client_key`
+Default value: `$k8s::server::manage_firewall`
-Data type: `Stdlib::Unixpath`
+##### `puppetdb_discovery_tag`
+Data type: `String`
+enable puppetdb resource searching
-Default value: `"${cert_path}/apiserver-kubelet-client.key"`
+Default value: `$k8s::server::puppetdb_discovery_tag`
-##### `etcd_ca`
+##### `service_cluster_cidr`
-Data type: `Stdlib::Unixpath`
+Data type: `K8s::CIDR`
-Default value: `"${cert_path}/etcd-ca.pem"`
+Default value: `$k8s::service_cluster_cidr`
-##### `etcd_cert`
+##### `serviceaccount_private`
Data type: `Stdlib::Unixpath`
-Default value: `"${cert_path}/etcd.pem"`
+Default value: `"${cert_path}/service-account.key"`
-##### `etcd_key`
+##### `serviceaccount_public`
Data type: `Stdlib::Unixpath`
-Default value: `"${cert_path}/etcd.key"`
+Default value: `"${cert_path}/service-account.pub"`
### `k8s::server::controller_manager`
@@ -1442,6 +1544,7 @@ The following parameters are available in the `k8s::server::etcd` class:
* [`peer_ca_cert`](#-k8s--server--etcd--peer_ca_cert)
* [`client_ca_key`](#-k8s--server--etcd--client_ca_key)
* [`client_ca_cert`](#-k8s--server--etcd--client_ca_cert)
+* [`firewall_type`](#-k8s--server--etcd--firewall_type)
##### `ensure`
@@ -1563,6 +1666,14 @@ Data type: `Stdlib::Unixpath`
Default value: `"${cert_path}/client-ca.pem"`
+##### `firewall_type`
+
+Data type: `Optional[K8s::Firewall]`
+
+
+
+Default value: `$k8s::server::firewall_type`
+
### `k8s::server::etcd::setup`
Installs and configures an etcd instance
@@ -3084,6 +3195,12 @@ Array[Enum[
]]
```
+### `K8s::Firewall`
+
+a type to describe the type of the firewall to use
+
+Alias of `Enum['iptables', 'firewalld']`
+
### `K8s::IP_addresses`
a type to describe multiple IP addresses without subnet sizes
diff --git a/manifests/init.pp b/manifests/init.pp
index 5338831..7df15da 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,5 @@
# @summary Sets up a Kubernetes instance - either as a node or as a server
-#
+#
# @param manage_kernel_modules
# A flag to manage required Kernel modules.
#
@@ -52,6 +52,7 @@
Stdlib::Fqdn $cluster_domain = 'cluster.local',
Enum['node','server','none'] $role = 'none',
+ Optional[K8s::Firewall] $firewall_type = undef,
) {
if $manage_container_manager {
if $container_manager == 'docker' {
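Review bot: The new `firewall_type` parameter has no `@param` entry in the class header, so the generated reference shows an empty description for it while every other `k8s` parameter is documented. Add a block next to the existing `@param` entries, e.g. `# @param firewall_type` followed by `#   Firewall implementation to manage rules with ('iptables' or 'firewalld'); when undef, k8s::node::kubelet picks firewalld if the firewalld_version fact is present and iptables otherwise.` (that fallback is what the kubelet change in this commit does; whether the server classes apply the same rule is not visible here). The header comment lives in the previous hunk of this file and the class body continues past this one.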
diff --git a/manifests/install/kubeadm.pp b/manifests/install/kubeadm.pp
new file mode 100644
index 0000000..61d94d5
--- /dev/null
+++ b/manifests/install/kubeadm.pp
@@ -0,0 +1,11 @@
+# @summary Installs the kubeadm binary
+#
+# @param ensure set ensure for installation or deinstallation
+#
+class k8s::install::kubeadm (
+ K8s::Ensure $ensure = $k8s::ensure,
+) {
+ k8s::binary { 'kubeadm':
+ ensure => $ensure,
+ }
+}
diff --git a/manifests/install/kubectl.pp b/manifests/install/kubectl.pp
new file mode 100644
index 0000000..81abf65
--- /dev/null
+++ b/manifests/install/kubectl.pp
@@ -0,0 +1,11 @@
+# @summary Installs the kubectl binary
+#
+# @param ensure set ensure for installation or deinstallation
+#
+class k8s::install::kubectl (
+ K8s::Ensure $ensure = $k8s::ensure,
+) {
+ k8s::binary { 'kubectl':
+ ensure => $ensure,
+ }
+}
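Review bot: `k8s::install::kubectl` declares `k8s::binary { 'kubectl': }`, but the reference in this same commit still lists `k8s::node::kubectl` with the identical summary "Installs the kubectl binary"; if that older class also declares a `k8s::binary` titled `kubectl`, a catalog that includes both fails with a duplicate resource declaration. Either turn `k8s::node::kubectl` into a thin `include k8s::install::kubectl` wrapper or mark it deprecated in its summary so the two paths cannot be combined. Only this new file is visible here, so confirm against the body of `k8s::node::kubectl` before merging.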
diff --git a/manifests/node.pp b/manifests/node.pp
index fbabaf1..bd29011 100644
--- a/manifests/node.pp
+++ b/manifests/node.pp
@@ -1,4 +1,25 @@
# @summary Installs a Kubernetes node
+#
+# @param ca_cert path to the ca cert
+# @param cert_path path to cert files
+# @param ensure set ensure for installation or deinstallation
+# @param firewall_type define the type of firewall to use
+# @param manage_firewall whether to manage firewall or not
+# @param manage_kernel_modules whether to load kernel modules or not
+# @param manage_kubelet whether to manage kublet or not
+# @param manage_proxy whether to manage kube-proxy or not
+# @param manage_sysctl_settings whether to manage sysctl settings or not
+# @param master cluster API connection
+# @param node_auth type of node authentication
+# @param node_cert path to node cert file
+# @param node_key path to node key file
+# @param node_token k8s token to join a cluster
+# @param proxy_auth which proxy auth to use
+# @param proxy_cert path to proxy cert file
+# @param proxy_key path to proxy key file
+# @param proxy_token k8s token for kube-proxy
+# @param puppetdb_discovery_tag enable puppetdb resource searching
+#
class k8s::node (
K8s::Ensure $ensure = $k8s::ensure,
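Review bot: The new `@param manage_kubelet` line misspells the daemon name; it should read `# @param manage_kubelet whether to manage kubelet or not` (REFERENCE.md was generated from this text and carries the same typo). The `node_token` and `proxy_token` descriptions would also benefit from saying these are credentials: a value passed as a plain `String` parameter is stored in the compiled catalog, reports and PuppetDB, so callers should source it from encrypted Hiera. Suggested wording: `# @param node_token bootstrap/join token for the kubelet; a secret, stored in the catalog when given as a plain string`. The parameter list continues past this hunk.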
@@ -26,6 +47,8 @@
# For token and bootstrap auth
Optional[String[1]] $node_token = undef,
Optional[String[1]] $proxy_token = undef,
+
+ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type,
) {
if $manage_kubelet {
include k8s::node::kubelet
diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp
index 9c126f1..b45b7ad 100644
--- a/manifests/node/kubelet.pp
+++ b/manifests/node/kubelet.pp
@@ -1,4 +1,26 @@
# @summary Installs and configures kubelet
+#
+# @param arguments
+# @param auth type of node authentication
+# @param ca_cert path to the ca cert
+# @param cert path to node cert file
+# @param cert_path path to cert files
+# @param config
+# @param ensure set ensure for installation or deinstallation
+# @param firewall_type define the type of firewall to use
+# @param key path to node key file
+# @param kubeconfig path to kubeconfig
+# @param manage_firewall whether to manage firewall or not
+# @param manage_kernel_modules whether to load kernel modules or not
+# @param manage_sysctl_settings whether to manage sysctl settings or not
+# @param master cluster API connection
+# @param puppetdb_discovery_tag enable puppetdb resource searching
+# @param rotate_server_tls
+# @param runtime which container runtime to use
+# @param runtime_service name of the service of the container runtime
+# @param support_dualstack
+# @param token k8s token to join a cluster
+#
class k8s::node::kubelet (
K8s::Ensure $ensure = $k8s::node::ensure,
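Review bot: Four of the new `@param` lines (`arguments`, `config`, `rotate_server_tls`, `support_dualstack`) carry no description, so the generated reference is empty for them; `rotate_server_tls` in particular decides whether the kubelet rotates its serving certificate and deserves a sentence. From the defaults shown in REFERENCE.md one can state `# @param rotate_server_tls whether the kubelet requests and rotates its serving certificate; defaults to true when auth is 'bootstrap'` and `# @param support_dualstack enable IPv4/IPv6 dual-stack; defaults to true when cluster_cidr holds two CIDRs`. For `arguments` and `config` say what they are merged into (presumably extra kubelet command-line flags and extra kubelet configuration keys, but the body that consumes them is outside this hunk, so confirm before writing it).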
@@ -27,6 +49,8 @@
# For token and bootstrap auth
Optional[String[1]] $token = $k8s::node::node_token,
+
+ Optional[K8s::Firewall] $firewall_type = $k8s::node::firewall_type,
) {
k8s::binary { 'kubelet':
ensure => $ensure,
@@ -160,6 +184,14 @@
'net.ipv4.ip_forward':;
'net.ipv6.conf.all.forwarding':;
}
+
+ if $manage_kernel_modules {
+ Kmod::Load['br_netfilter']
+ -> [
+ Sysctl['net.bridge.bridge-nf-call-iptables'],
+ Sysctl['net.bridge.bridge-nf-call-ip6tables']
+ ]
+ }
}
file { '/etc/kubernetes/kubelet.conf':
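Review bot: The new ordering chain has no comment saying why `Kmod::Load['br_netfilter']` must precede the two bridge sysctls, and the reason is non-obvious to the next maintainer: the `net.bridge.bridge-nf-call-*` keys only exist in /proc/sys once the br_netfilter module is loaded, so applying the sysctl first fails. Add `# bridge-nf-call-* keys only appear after br_netfilter is loaded` above the `if`. The chain also references two `Sysctl` resources that are not visible in this hunk; it presumably relies on them being declared in the same conditional scope that closes right after — if they sit under a different guard than `$manage_kernel_modules`, the reference would break catalog compilation, so that is worth confirming. The enclosing block starts outside the hunk.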
@@ -228,21 +260,41 @@
Package <| title == 'containernetworking-plugins' |> -> Service['kubelet']
if $manage_firewall {
- firewalld_custom_service { 'kubelet':
- ensure => $ensure,
- short => 'kubelet',
- description => 'Kubernetes kubelet daemon',
- ports => [
- {
- port => '10250',
- protocol => 'tcp',
- },
- ],
+ if $facts['firewalld_version'] {
+ $_firewall_type = pick($firewall_type, 'firewalld')
+ } else {
+ $_firewall_type = pick($firewall_type, 'iptables')
}
- firewalld_service { 'Allow k8s kubelet access':
- ensure => $ensure,
- zone => 'public',
- service => 'kubelet',
+
+ case $_firewall_type {
+ 'firewalld' : {
+ firewalld_custom_service { 'kubelet':
+ ensure => $ensure,
+ short => 'kubelet',
+ description => 'Kubernetes kubelet daemon',
+ ports => [
+ {
+ port => '10250',
+ protocol => 'tcp',
+ },
+ ],
+ }
+ firewalld_service { 'Allow k8s kubelet access':
+ ensure => $ensure,
+ zone => 'public',
+ service => 'kubelet',
+ }
+ }
+ 'iptables': {
+ include firewall
+
+ firewall { '100 allow kubelet access':
+ dport => 10250,
+ proto => 'tcp',
+ action => 'accept',
+ }
+ }
+ default: {}
}
}
}
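Review bot: The iptables branch accepts TCP 10250 from any source (`firewall { '100 allow kubelet access': dport => 10250, proto => 'tcp', action => 'accept' }`) and the firewalld branch opens the service in the `public` zone, so the kubelet API is reachable from every network the host sits on and is protected only by its own authn/authz; a `source`/`src_range`-style parameter, or at least a comment stating why an unrestricted rule is acceptable here, would make that exposure a deliberate choice. The same applies to 6443 in the apiserver.pp hunk and 2379/2380 in the etcd.pp hunk. The firewall-type selection (`if $facts['firewalld_version'] { pick($firewall_type, 'firewalld') } else { pick($firewall_type, 'iptables') }`) is repeated verbatim here, in apiserver.pp and in etcd.pp; computing the effective type once in the `k8s` class, which already owns `firewall_type`, and passing it down would keep the three from drifting. The port is also written twice in this hunk (`'10250'` as a string for firewalld, `10250` as an integer for iptables); a single local such as `$kubelet_port = 10250` used by both branches avoids divergence.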
diff --git a/manifests/repo.pp b/manifests/repo.pp
index 11705cf..bef1fd6 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -1,4 +1,8 @@
# @summary Handles repositories for the container runtime
+#
+# @param manage_container_manager whether to add cri-o repository or not
+# @param crio_version version o cri-o
+#
class k8s::repo (
Boolean $manage_container_manager = $k8s::manage_container_manager,
String[1] $crio_version = $k8s::version.split('\.')[0, 2].join('.'),
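Review bot: The new doc line for `crio_version` has a typo (`version o cri-o`); it should read `# @param crio_version version of cri-o`. Given the default is derived from `$k8s::version` by taking the first two components, the description could also say so: `# @param crio_version cri-o version to pin; defaults to the major.minor of $k8s::version`.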
diff --git a/manifests/server.pp b/manifests/server.pp
index 5d66280..e6aa10b 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -1,4 +1,30 @@
# @summary Sets up a Kubernetes server instance
+#
+# @param aggregator_ca_cert
+# @param aggregator_ca_key
+# @param api_port Cluster API port
+# @param ca_cert path to the ca cert
+# @param ca_key path to the ca key
+# @param cert_path path to cert files
+# @param cluster_cidr cluster cidr
+# @param cluster_domain cluster domain name
+# @param direct_master direct clust API connection
+# @param dns_service_address cluster dns service address
+# @param ensure set ensure for installation or deinstallation
+# @param etcd_servers list etcd servers if no puppetdb is used
+# @param firewall_type define the type of firewall to use
+# @param generate_ca initially generate ca
+# @param manage_certs whether to manage certs or not
+# @param manage_components whether to manage components or not
+# @param manage_etcd whether to manage etcd or not
+# @param manage_firewall whether to manage firewall or not
+# @param manage_kubeadm whether to install kubeadm or not
+# @param manage_resources whether to manage cluster internal resources or not
+# @param manage_signing whether to manage cert signing or not
+# @param master cluster API connection
+# @param node_on_server whether to use controller also as nodes or not
+# @param puppetdb_discovery_tag enable puppetdb resource searching
+#
class k8s::server (
K8s::Ensure $ensure = $k8s::ensure,
Integer[1] $api_port = 6443,
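Review bot: `# @param direct_master direct clust API connection` has a typo and should read `# @param direct_master direct cluster API connection`. `aggregator_ca_cert` and `aggregator_ca_key` are tagged but left without a description; following the pattern used for `ca_cert`/`ca_key` in the same header, `# @param aggregator_ca_cert path to the aggregator ca cert` and `# @param aggregator_ca_key path to the aggregator ca key` would complete the block. The class body and the remaining parameters are outside this hunk.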
@@ -23,9 +49,11 @@
Boolean $manage_components = true,
Boolean $manage_resources = true,
Boolean $node_on_server = true,
+ Boolean $manage_kubeadm = false,
String[1] $puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag,
Optional[Array[Stdlib::HTTPUrl]] $etcd_servers = undef,
+ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type,
) {
if $manage_etcd {
class { 'k8s::server::etcd':
@@ -74,7 +102,12 @@
$cluster_nodes.each |$node| { k8s::server::tls::k8s_sign { $node['certname']: } }
}
- include k8s::node::kubectl
+ include k8s::install::kubectl
+
+ if $manage_kubeadm {
+ include k8s::install::kubeadm
+ }
+
kubeconfig { '/root/.kube/config':
ensure => $ensure,
server => "https://localhost:${api_port}",
diff --git a/manifests/server/apiserver.pp b/manifests/server/apiserver.pp
index 514989b..c13bb96 100644
--- a/manifests/server/apiserver.pp
+++ b/manifests/server/apiserver.pp
@@ -1,4 +1,29 @@
# @summary Installs and configures a Kubernetes apiserver
+#
+# @param advertise_address bind address of the apiserver
+# @param aggregator_ca_cert
+# @param apiserver_cert path to the apiserver cert file
+# @param apiserver_client_cert path to the apiserver client cert file
+# @param apiserver_client_key path to the apiserver client key file
+# @param apiserver_key path to the apiserver cert file
+# @param arguments
+# @param ca_cert path to the ca cert
+# @param cert_path path to cert files
+# @param discover_etcd_servers enable puppetdb resource searching
+# @param ensure set ensure for installation or deinstallation
+# @param etcd_ca path to the etcd ca cert file
+# @param etcd_cert path to the etcd cert file
+# @param etcd_key path to the etcd key file
+# @param etcd_servers list etcd servers if no puppetdb is used
+# @param firewall_type define the type of firewall to use
+# @param front_proxy_cert
+# @param front_proxy_key
+# @param manage_firewall whether to manage firewall or not
+# @param puppetdb_discovery_tag enable puppetdb resource searching
+# @param service_cluster_cidr
+# @param serviceaccount_private
+# @param serviceaccount_public
+#
class k8s::server::apiserver (
K8s::Ensure $ensure = $k8s::server::ensure,
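Review bot: `# @param apiserver_key path to the apiserver cert file` documents the key parameter as a certificate; it should read `# @param apiserver_key path to the apiserver key file`, mirroring the `apiserver_client_key` line above it. Seven tags (`aggregator_ca_cert`, `arguments`, `front_proxy_cert`, `front_proxy_key`, `service_cluster_cidr`, `serviceaccount_private`, `serviceaccount_public`) have no description; for the TLS ones the `path to the … file` pattern already used in this header fits, and the serviceaccount pair should say which is the signing key and which the verification key — confirm against their use in the class body, which lies outside this hunk. `discover_etcd_servers` and `puppetdb_discovery_tag` are given the identical text `enable puppetdb resource searching`; the first is a boolean switch and the second a tag value, so the descriptions should differ.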
@@ -10,7 +35,6 @@
Boolean $discover_etcd_servers = $k8s::puppetdb_discovery,
Boolean $manage_firewall = $k8s::server::manage_firewall,
String $puppetdb_discovery_tag = $k8s::server::puppetdb_discovery_tag,
-
Stdlib::Unixpath $cert_path = $k8s::server::tls::cert_path,
Stdlib::Unixpath $ca_cert = $k8s::server::tls::ca_cert,
Stdlib::Unixpath $aggregator_ca_cert = $k8s::server::tls::aggregator_ca_cert,
@@ -25,6 +49,9 @@
Stdlib::Unixpath $etcd_ca = "${cert_path}/etcd-ca.pem",
Stdlib::Unixpath $etcd_cert = "${cert_path}/etcd.pem",
Stdlib::Unixpath $etcd_key = "${cert_path}/etcd.key",
+
+ Stdlib::IP::Address::Nosubnet $advertise_address = fact('networking.ip'),
+ Optional[K8s::Firewall] $firewall_type = $k8s::server::firewall_type,
) {
assert_private()
@@ -93,7 +120,7 @@
'Priority',
'NodeRestriction',
],
- advertise_address => fact('networking.ip'),
+ advertise_address => $advertise_address,
allow_privileged => true,
anonymous_auth => true,
authorization_mode => ['Node', 'RBAC'],
@@ -267,10 +294,30 @@
}
if $manage_firewall {
- firewalld_service { 'Allow k8s apiserver access':
- ensure => $ensure,
- zone => 'public',
- service => 'kube-apiserver',
+ if $facts['firewalld_version'] {
+ $_firewall_type = pick($firewall_type, 'firewalld')
+ } else {
+ $_firewall_type = pick($firewall_type, 'iptables')
+ }
+
+ case $_firewall_type {
+ 'firewalld' : {
+ firewalld_service { 'Allow k8s apiserver access':
+ ensure => $ensure,
+ zone => 'public',
+ service => 'kube-apiserver',
+ }
+ }
+ 'iptables': {
+ include firewall
+
+ firewall { '100 allow k8s apiserver access':
+ dport => 6443,
+ proto => 'tcp',
+ action => 'accept',
+ }
+ }
+ default: {}
}
}
}
diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp
index f1ae882..298dd03 100644
--- a/manifests/server/etcd.pp
+++ b/manifests/server/etcd.pp
@@ -18,6 +18,8 @@
Stdlib::Unixpath $peer_ca_cert = "${cert_path}/peer-ca.pem",
Stdlib::Unixpath $client_ca_key = "${cert_path}/client-ca.key",
Stdlib::Unixpath $client_ca_cert = "${cert_path}/client-ca.pem",
+
+ Optional[K8s::Firewall] $firewall_type = $k8s::server::firewall_type,
) {
if (!$self_signed_tls and $manage_certs) or $ensure == 'absent' {
if !defined(File[$cert_path]) {
@@ -139,16 +141,41 @@
}
if $manage_firewall {
- firewalld_service {
- default:
- ensure => $ensure,
- zone => 'public';
+ if $facts['firewalld_version'] {
+ $_firewall_type = pick($firewall_type, 'firewalld')
+ } else {
+ $_firewall_type = pick($firewall_type, 'iptables')
+ }
- 'Allow etcd server access':
- service => 'etcd-server';
+ case $_firewall_type {
+ 'firewalld' : {
+ firewalld_service {
+ default:
+ ensure => $ensure,
+ zone => 'public';
- 'Allow etcd client access':
- service => 'etcd-client';
+ 'Allow etcd server access':
+ service => 'etcd-server';
+
+ 'Allow etcd client access':
+ service => 'etcd-client';
+ }
+ }
+ 'iptables': {
+ include firewall
+
+ firewall { '100 allow etcd server access':
+ dport => 2379,
+ proto => 'tcp',
+ action => 'accept',
+ }
+ firewall { '100 allow etcd client access':
+ dport => 2380,
+ proto => 'tcp',
+ action => 'accept',
+ }
+ }
+ default: {}
}
}
}
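Review bot: The two iptables rules label 2379 as `'100 allow etcd server access'` and 2380 as `'100 allow etcd client access'`, which is the reverse of the firewalld services used in the other branch (firewalld ships `etcd-client` as 2379/tcp and `etcd-server` as 2380/tcp) and of etcd's convention of 2379 for clients and 2380 for peers; both ports are opened either way, so the effect is unchanged, but the titles will mislead anyone auditing the ruleset. Swap the ports so that `'100 allow etcd server access'` gets `dport => 2380` and `'100 allow etcd client access'` gets `dport => 2379`. Neither rule carries a `source`, so the cluster state store's client and peer ports are accepted from any address; even with the client-CA material this class manages (`$client_ca_cert` in the parameter hunk above), restricting these rules to the cluster's node and controller addresses, or documenting why that is not done, would materially shrink the exposure. The `if $manage_firewall` block's opening line is context, so the surrounding code of the class lies outside this hunk.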
diff --git a/manifests/server/tls/k8s_sign.pp b/manifests/server/tls/k8s_sign.pp
index 4f31b6d..b1b875d 100644
--- a/manifests/server/tls/k8s_sign.pp
+++ b/manifests/server/tls/k8s_sign.pp
@@ -13,8 +13,9 @@
].join(' | ')
exec { "Sign ${name} cert":
- path => ['/usr/local/bin','/usr/bin','/bin'],
+ path => $facts['path'],
command => $exec_command,
onlyif => "kubectl --kubeconfig='${kubeconfig}' get csr | grep 'system:node:${name}' | grep Pending",
+ require => 'File[/usr/bin/kubectl]',
}
}
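Review bot: `path => $facts['path']` makes this root-run exec resolve `kubectl` and `grep` through whatever PATH the agent process inherited, rather than the fixed `/usr/local/bin`, `/usr/bin`, `/bin` list it replaces, so command resolution now depends on the agent's environment and can vary between hosts or invocations. Since the new `require` already pins kubectl to `/usr/bin/kubectl`, an explicit `path => ['/usr/bin', '/bin']` is both deterministic and sufficient; if the fact is genuinely needed (for example a distribution that installs kubectl elsewhere), a comment stating that reason should accompany it. The `require` is written as a string; the resource-reference form `require => File['/usr/bin/kubectl']` is what Puppet documents and is checked at parse time. The enclosing define begins before this hunk.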
diff --git a/metadata.json b/metadata.json
index f342df2..75188c0 100644
--- a/metadata.json
+++ b/metadata.json
@@ -20,6 +20,10 @@
"name": "puppet-kmod",
"version_requirement": ">= 3.2.0 < 4.0.0"
},
+ {
+ "name": "puppet-augeasproviders_core",
+ "version_requirement": ">= 2.4.0 < 4.0.0"
+ },
{
"name": "herculesteam-augeasproviders_sysctl",
"version_requirement": ">= 2.6.2 < 3.0.0"
@@ -27,6 +31,14 @@
{
"name": "puppet-systemd",
"version_requirement": ">= 2.0.0 < 4.0.0"
+ },
+ {
+ "name": "puppetlabs-firewall",
+ "version_requirement": ">= 4.0.0 < 6.0.0"
+ },
+ {
+ "name": "puppet-firewalld",
+ "version_requirement": ">= 4.5.0 < 6.0.0"
}
],
"operatingsystem_support": [
@@ -48,7 +60,8 @@
"operatingsystemrelease": [
"18.04",
"20.04",
- "20.10"
+ "20.10",
+ "22.04"
]
}
],
diff --git a/spec/classes/install/kubeadm_spec.rb b/spec/classes/install/kubeadm_spec.rb
new file mode 100644
index 0000000..607539e
--- /dev/null
+++ b/spec/classes/install/kubeadm_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'k8s::install::kubeadm' do
+ let(:pre_condition) do
+ <<~PUPPET
+ include k8s
+ PUPPET
+ end
+
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/classes/node/kubectl_spec.rb b/spec/classes/install/kubectl_spec.rb
similarity index 58%
rename from spec/classes/node/kubectl_spec.rb
rename to spec/classes/install/kubectl_spec.rb
index 2dbb6e3..ed180c0 100644
--- a/spec/classes/node/kubectl_spec.rb
+++ b/spec/classes/install/kubectl_spec.rb
@@ -2,16 +2,10 @@
require 'spec_helper'
-describe 'k8s::node::kubectl' do
+describe 'k8s::install::kubectl' do
let(:pre_condition) do
<<~PUPPET
- function assert_private() {}
-
- include ::k8s
- class { '::k8s::node':
- manage_kubelet => false,
- manage_proxy => false,
- }
+ include k8s
PUPPET
end
diff --git a/spec/type_aliases/firewall.rb b/spec/type_aliases/firewall.rb
new file mode 100644
index 0000000..b0bfe87
--- /dev/null
+++ b/spec/type_aliases/firewall.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'K8s::Firewall' do
+ describe 'valid firewall' do
+ %w[
+ iptables
+ firewalld
+ ].each do |value|
+ describe value.inspect do
+ it { is_expected.to allow_value(value) }
+ end
+ end
+ end
+
+ describe 'invalid firewall' do
+ [
+ nil,
+ [nil],
+ [nil, nil],
+ { 'foo' => 'bar' },
+ {},
+ '',
+ 's',
+ 'mailto:',
+ 'blah',
+ '199',
+ 600,
+ 1_000,
+ ].each do |value|
+ describe value.inspect do
+ it { is_expected.not_to allow_value(value) }
+ end
+ end
+ end
+end
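Review bot: The new file is named `spec/type_aliases/firewall.rb`, without the `_spec.rb` suffix; the default rspec-puppet / puppetlabs_spec_helper pattern collects `spec/**/*_spec.rb`, so this type-alias spec will never execute and the `K8s::Firewall` enum stays untested despite the thorough value list. Rename it to `spec/type_aliases/firewall_spec.rb`, matching the other specs added in this commit (`kubeadm_spec.rb`, `kubectl_spec.rb`).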
diff --git a/types/firewall.pp b/types/firewall.pp
new file mode 100644
index 0000000..0b95c97
--- /dev/null
+++ b/types/firewall.pp
@@ -0,0 +1,5 @@
+# @summary a type to describe the type of the firewall to use
+type K8s::Firewall = Enum[
+ 'iptables',
+ 'firewalld',
+]