Patching v3 #21

Merged
merged 22 commits into from
Mar 16, 2023
Merged
271 changes: 194 additions & 77 deletions REFERENCE.md


3 changes: 2 additions & 1 deletion manifests/init.pp
@@ -1,5 +1,5 @@
# @summary Sets up a Kubernetes instance - either as a node or as a server
#
#
# @param manage_kernel_modules
# A flag to manage required Kernel modules.
#
Expand Down Expand Up @@ -52,6 +52,7 @@
Stdlib::Fqdn $cluster_domain = 'cluster.local',

Enum['node','server','none'] $role = 'none',
K8s::Firewall $firewall_type = 'firewalld',
) {
if $manage_container_manager {
if $container_manager == 'docker' {
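Review bot: The new `K8s::Firewall $firewall_type = 'firewalld'` parameter has no `@param` entry in the part of the class header shown; unless it is documented further down, add `# @param firewall_type define the type of firewall to use` (the wording manifests/server.pp uses). Defaulting to 'firewalld' for every supported OS, combined with the fact-based fallback in manifests/node/kubelet.pp, means hosts where firewalld is not installed (commonly Debian/Ubuntu) silently get iptables rules instead, which the doc comment should state or the default should vary by OS family. The same undocumented parameter is added in manifests/node.pp and manifests/node/kubelet.pp. The class header continues outside the hunk.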
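--- a/manifests/install/kubeadm.pp
+++ b/manifests/install/kubeadm.pp
@@ -0,0 +1,11 @@
+# @summary Installs the kubeadm binary
+#
+# @param ensure set ensure for installation or deinstallation
+#
+class k8s::install::kubeadm (
+K8s::Ensure $ensure = $k8s::ensure,
+) {
+k8s::binary { 'kubeadm':
+ensure => $ensure,
+}
+}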
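Review bot: Because the class is brought in with `include` (manifests/server.pp, `include k8s::install::kubeadm`), `$ensure` can only ever come from its default `$k8s::ensure`; `k8s::server` has its own `$ensure` parameter, so a server declared with an `ensure` that differs from the main class will not propagate it to kubeadm. If that is intended, say so in the doc comment, e.g. `# @param ensure set ensure for installation or deinstallation (always follows k8s::ensure)`; otherwise declare it as a class resource and pass `ensure => $ensure`. The same applies to manifests/install/kubectl.pp.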
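--- a/manifests/install/kubectl.pp
+++ b/manifests/install/kubectl.pp
@@ -0,0 +1,11 @@
+# @summary Installs the kubectl binary
+#
+# @param ensure set ensure for installation or deinstallation
+#
+class k8s::install::kubectl (
+K8s::Ensure $ensure = $k8s::ensure,
+) {
+k8s::binary { 'kubectl':
+ensure => $ensure,
+}
+}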
2 changes: 2 additions & 0 deletions manifests/node.pp
Expand Up @@ -26,6 +26,8 @@
# For token and bootstrap auth
Optional[String[1]] $node_token = undef,
Optional[String[1]] $proxy_token = undef,

K8s::Firewall $firewall_type = $k8s::firewall_type,
) {
if $manage_kubelet {
include k8s::node::kubelet
50 changes: 35 additions & 15 deletions manifests/node/kubelet.pp
Expand Up @@ -27,6 +27,8 @@

# For token and bootstrap auth
Optional[String[1]] $token = $k8s::node::node_token,

K8s::Firewall $firewall_type = $k8s::node::firewall_type,
) {
k8s::binary { 'kubelet':
ensure => $ensure,
Expand Down Expand Up @@ -160,6 +162,14 @@
'net.ipv4.ip_forward':;
'net.ipv6.conf.all.forwarding':;
}

if $manage_kernel_modules {
Kmod::Load['br_netfilter']
-> [
Sysctl['net.bridge.bridge-nf-call-iptables'],
Sysctl['net.bridge.bridge-nf-call-ip6tables']
]
}
}

file { '/etc/kubernetes/kubelet.conf':
Expand Down Expand Up @@ -228,21 +238,31 @@
Package <| title == 'containernetworking-plugins' |> -> Service['kubelet']

if $manage_firewall {
firewalld_custom_service { 'kubelet':
ensure => $ensure,
short => 'kubelet',
description => 'Kubernetes kubelet daemon',
ports => [
{
port => '10250',
protocol => 'tcp',
},
],
}
firewalld_service { 'Allow k8s kubelet access':
ensure => $ensure,
zone => 'public',
service => 'kubelet',
if $facts['firewalld_version'] and $firewall_type == 'firewalld' {
firewalld_custom_service { 'kubelet':
ensure => $ensure,
short => 'kubelet',
description => 'Kubernetes kubelet daemon',
ports => [
{
port => '10250',
protocol => 'tcp',
},
],
}
firewalld_service { 'Allow k8s kubelet access':
ensure => $ensure,
zone => 'public',
service => 'kubelet',
}
} else {
include firewall

firewall { '100 allow kubelet access':
dport => 10250,
proto => 'tcp',
action => 'accept',
}
}
}
}
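Review bot: The condition `if $facts['firewalld_version'] and $firewall_type == 'firewalld'` drops into the iptables branch whenever the `firewalld_version` fact is absent (first run before pluginsync, or a host without firewalld), so a node explicitly configured for firewalld silently gets `include firewall` and an iptables rule instead of an error. Branch on the parameter alone and let the missing fact fail loudly: `if $firewall_type == 'firewalld' {` followed by `unless $facts['firewalld_version'] { fail('firewall_type is firewalld but firewalld is not installed') }`. The same pattern is in manifests/server/apiserver.pp and manifests/server/etcd.pp. Separately, the iptables rule `'100 allow kubelet access'` accepts 10250/tcp from every source; if the node or cluster network is known to this class, a `source` restriction would keep the kubelet API off untrusted networks, whereas the firewalld rule is at least scoped to a zone. The class header is outside this hunk.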
4 changes: 4 additions & 0 deletions manifests/repo.pp
@@ -1,4 +1,8 @@
# @summary Handles repositories for the container runtime
#
# @param manage_container_manager whether to add cri-o repository or not
# @param crio_version version o cri-o
#
class k8s::repo (
Boolean $manage_container_manager = $k8s::manage_container_manager,
String[1] $crio_version = $k8s::version.split('\.')[0, 2].join('.'),
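Review bot: `# @param crio_version version o cri-o` has a typo and leaves out how the default is derived, which the parameter line below shows is the first two components of `$k8s::version`; suggest `# @param crio_version version of cri-o, defaults to the major.minor of k8s::version`. The `manage_container_manager` description says "whether to add cri-o repository or not" while the parameter name is about the container manager in general; if the repo class only handles cri-o that is fine, otherwise the wording should match. The class body continues outside the hunk.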
35 changes: 34 additions & 1 deletion manifests/server.pp
@@ -1,4 +1,30 @@
# @summary Sets up a Kubernetes server instance
#
# @param aggregator_ca_cert
# @param aggregator_ca_key
# @param api_port Cluster API port
# @param ca_cert path to the ca cert
# @param ca_key path to the ca key
# @param cert_path path to cert files
# @param cluster_cidr cluster cidr
# @param cluster_domain cluster domain name
# @param direct_master direct clust API connection
# @param dns_service_address cluster dns service address
# @param ensure set ensure for installation or deinstallation
# @param etcd_servers list etcd servers if no puppetdb is used
# @param firewall_type define the type of firewall to use
# @param generate_ca initially generate ca
# @param manage_certs whether to manage certs or not
# @param manage_components whether to manage components or not
# @param manage_etcd whether to manage etcd or not
# @param manage_firewall whether to manage firewall or not
# @param manage_kubeadm whether to install kubeadm or not
# @param manage_resources whether to manage cluster internal resources or not
# @param manage_signing whether to manage cert signing or not
# @param master cluster API connection
# @param node_on_server whether to use controller also as nodes or not
# @param puppetdb_discovery_tag enable puppetdb resource searching
#
class k8s::server (
K8s::Ensure $ensure = $k8s::ensure,
Integer[1] $api_port = 6443,
Expand All @@ -23,9 +49,11 @@
Boolean $manage_components = true,
Boolean $manage_resources = true,
Boolean $node_on_server = true,
Boolean $manage_kubeadm = false,
String[1] $puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag,

Optional[Array[Stdlib::HTTPUrl]] $etcd_servers = undef,
K8s::Firewall $firewall_type = $k8s::firewall_type,
) {
if $manage_etcd {
class { 'k8s::server::etcd':
Expand Down Expand Up @@ -74,7 +102,12 @@
$cluster_nodes.each |$node| { k8s::server::tls::k8s_sign { $node['certname']: } }
}

include k8s::node::kubectl
include k8s::install::kubectl

if $manage_kubeadm {
include k8s::install::kubeadm
}

kubeconfig { '/root/.kube/config':
ensure => $ensure,
server => "https://localhost:${api_port}",
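Review bot: Two of the new `@param` entries carry no description, `# @param aggregator_ca_cert` and `# @param aggregator_ca_key`, which puppet-strings renders as empty; give them one line each, e.g. `# @param aggregator_ca_cert path to the aggregator ca cert` and `# @param aggregator_ca_key path to the aggregator ca key`. `# @param direct_master direct clust API connection` has a typo ("clust"), and it reads nearly the same as `# @param master cluster API connection`, so one of the two probably needs a more distinguishing description. `include k8s::install::kubectl` replaces `k8s::node::kubectl`; any profile or hiera data that still refers to the old class name would break, which the PR description should call out. The parameter list and the rest of the class body are cut by the hunk boundaries.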
24 changes: 18 additions & 6 deletions manifests/server/apiserver.pp
Expand Up @@ -10,7 +10,6 @@
Boolean $discover_etcd_servers = $k8s::puppetdb_discovery,
Boolean $manage_firewall = $k8s::server::manage_firewall,
String $puppetdb_discovery_tag = $k8s::server::puppetdb_discovery_tag,

Stdlib::Unixpath $cert_path = $k8s::server::tls::cert_path,
Stdlib::Unixpath $ca_cert = $k8s::server::tls::ca_cert,
Stdlib::Unixpath $aggregator_ca_cert = $k8s::server::tls::aggregator_ca_cert,
Expand All @@ -25,6 +24,9 @@
Stdlib::Unixpath $etcd_ca = "${cert_path}/etcd-ca.pem",
Stdlib::Unixpath $etcd_cert = "${cert_path}/etcd.pem",
Stdlib::Unixpath $etcd_key = "${cert_path}/etcd.key",

Stdlib::IP::Address::Nosubnet $advertise_address = fact('networking.ip'),
K8s::Firewall $firewall_type = $k8s::server::firewall_type
) {
assert_private()

Expand Down Expand Up @@ -93,7 +95,7 @@
'Priority',
'NodeRestriction',
],
advertise_address => fact('networking.ip'),
advertise_address => $advertise_address,
allow_privileged => true,
anonymous_auth => true,
authorization_mode => ['Node', 'RBAC'],
Expand Down Expand Up @@ -267,10 +269,20 @@
}

if $manage_firewall {
firewalld_service { 'Allow k8s apiserver access':
ensure => $ensure,
zone => 'public',
service => 'kube-apiserver',
if $facts['firewalld_version'] and $firewall_type == 'firewalld' {
firewalld_service { 'Allow k8s apiserver access':
ensure => $ensure,
zone => 'public',
service => 'kube-apiserver',
}
} else {
include firewall

firewall { '100 allow k8s apiserver access':
dport => 6443,
proto => 'tcp',
action => 'accept',
}
}
}
}
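Review bot: The new iptables rule hard-codes `dport => 6443` while the API port is a parameter elsewhere (`Integer[1] $api_port = 6443` in manifests/server.pp); if k8s::server::apiserver receives that port (its header is outside this hunk), the rule should use it, `dport => $api_port,`, otherwise a non-default port leaves the API unreachable while 6443 stays open. The firewalld branch relies on the predefined `kube-apiserver` service and has the same fixed-port limitation, which is worth a comment. `$advertise_address` is typed `Stdlib::IP::Address::Nosubnet`, so a caller passing CIDR notation fails at catalog compile; document that in the class header alongside `firewall_type`.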
33 changes: 25 additions & 8 deletions manifests/server/etcd.pp
Expand Up @@ -18,6 +18,8 @@
Stdlib::Unixpath $peer_ca_cert = "${cert_path}/peer-ca.pem",
Stdlib::Unixpath $client_ca_key = "${cert_path}/client-ca.key",
Stdlib::Unixpath $client_ca_cert = "${cert_path}/client-ca.pem",

K8s::Firewall $firewall_type = $k8s::server::firewall_type,
) {
if (!$self_signed_tls and $manage_certs) or $ensure == 'absent' {
if !defined(File[$cert_path]) {
Expand Down Expand Up @@ -139,16 +141,31 @@
}

if $manage_firewall {
firewalld_service {
default:
ensure => $ensure,
zone => 'public';
if $facts['firewalld_version'] and $firewall_type == 'firewalld' {
firewalld_service {
default:
ensure => $ensure,
zone => 'public';

'Allow etcd server access':
service => 'etcd-server';

'Allow etcd server access':
service => 'etcd-server';
'Allow etcd client access':
service => 'etcd-client';
}
} else {
include firewall

'Allow etcd client access':
service => 'etcd-client';
firewall { '100 allow etcd server access':
dport => 2379,
proto => 'tcp',
action => 'accept',
}
firewall { '100 allow etcd client access':
dport => 2380,
proto => 'tcp',
action => 'accept',
}
}
}
}
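Review bot: The iptables rule titles and ports look swapped: `'100 allow etcd server access'` opens 2379 and `'100 allow etcd client access'` opens 2380, but etcd's default client port is 2379 and its peer/server port is 2380, and the firewalld `etcd-client`/`etcd-server` services used in the other branch follow that convention. The same ports end up open either way, but the titles will mislead anyone auditing the ruleset; swap them so `'100 allow etcd client access'` carries `dport => 2379,` and `'100 allow etcd server access'` carries `dport => 2380,`. As in manifests/node/kubelet.pp, the fact-based condition silently selects iptables when the `firewalld_version` fact is missing. The class header is outside the hunk.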
3 changes: 2 additions & 1 deletion manifests/server/tls/k8s_sign.pp
Expand Up @@ -13,8 +13,9 @@
].join(' | ')

exec { "Sign ${name} cert":
path => ['/usr/local/bin','/usr/bin','/bin'],
path => $facts['path'],
command => $exec_command,
onlyif => "kubectl --kubeconfig='${kubeconfig}' get csr | grep 'system:node:${name}' | grep Pending",
require => 'File[/usr/bin/kubectl]',
}
}
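Review bot: `path => $facts['path']` makes the `kubectl` that signs CSRs depend on the agent process's environment rather than on the `File[/usr/bin/kubectl]` the resource already requires; a different kubectl earlier in the agent's PATH, or a PATH inherited from an interactive shell when the agent is run by hand, would be used by both `command` and `onlyif`. If the aim was only to drop the hand-written array, `path => '/usr/local/bin:/usr/bin:/bin',` keeps the lookup deterministic, or call `/usr/bin/kubectl` explicitly in `onlyif`. `$exec_command` is built outside the hunk, so I cannot see whether it also resolves binaries via PATH.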
15 changes: 14 additions & 1 deletion metadata.json
Expand Up @@ -20,13 +20,25 @@
"name": "puppet-kmod",
"version_requirement": ">= 3.2.0 < 4.0.0"
},
{
"name": "puppet-augeasproviders_core",
"version_requirement": ">= 2.4.0 < 4.0.0"
},
{
"name": "herculesteam-augeasproviders_sysctl",
"version_requirement": ">= 2.6.2 < 3.0.0"
},
{
"name": "puppet-systemd",
"version_requirement": ">= 2.0.0 < 4.0.0"
},
{
"name": "puppetlabs-firewall",
"version_requirement": ">= 4.0.0 < 6.0.0"
},
{
"name": "puppet-firewalld",
"version_requirement": ">= 4.5.0 < 6.0.0"
}
],
"operatingsystem_support": [
Expand All @@ -48,7 +60,8 @@
"operatingsystemrelease": [
"18.04",
"20.04",
"20.10"
"20.10",
"22.04"
]
}
],
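--- a/spec/classes/install/kubeadm_spec.rb
+++ b/spec/classes/install/kubeadm_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'k8s::install::kubeadm' do
+let(:pre_condition) do
+<<~PUPPET
+include k8s
+PUPPET
+end
+
+on_supported_os.each do |os, os_facts|
+context "on #{os}" do
+let(:facts) { os_facts }
+
+it { is_expected.to compile }
+end
+end
+end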
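Review bot: The spec only asserts `compile`, so a change that stops the class from declaring the binary would still pass; add `it { is_expected.to contain_k8s__binary('kubeadm') }` inside the per-OS context. A second context that sets `let(:params) { { ensure: 'absent' } }` would exercise the deinstallation path the `@param ensure` comment promises.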
Expand Up @@ -2,16 +2,10 @@

require 'spec_helper'

describe 'k8s::node::kubectl' do
describe 'k8s::install::kubectl' do
let(:pre_condition) do
<<~PUPPET
function assert_private() {}

include ::k8s
class { '::k8s::node':
manage_kubelet => false,
manage_proxy => false,
}
include k8s
PUPPET
end
