- manage rke2 repos - add rke2 module (init, params, install, config, service) - split roles::infra::k8s::node -> control/compute roles - moved common k8s config into k8s.yaml - add bootstrap_node, manage server and token fields in rke2 config - manage install of helm - manage node attributes (from puppet facts) - manage frr exclusions for service/cluster network
This commit is contained in:
@@ -1,10 +1,3 @@
|
||||
---
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
type: physical
|
||||
forwarding: true
|
||||
dhcp: true
|
||||
mtu: 1500
|
||||
# manage rke2
|
||||
rke2::node_type: agent
|
||||
|
||||
@@ -1,42 +1,73 @@
|
||||
---
|
||||
profiles::pki::vault::alt_names:
|
||||
- k8s-control.service.consul
|
||||
- k8s-control.query.consul
|
||||
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- k8s-control.service.consul
|
||||
- k8s-control.query.consul
|
||||
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
|
||||
# manage rke2
|
||||
rke2::node_type: server
|
||||
rke2::helm_install: true
|
||||
rke2::helm_repos:
|
||||
metallb: https://metallb.github.io/metallb
|
||||
rancher-stable: https://releases.rancher.com/server-charts/stable
|
||||
rke2::extra_config_files:
|
||||
- rke2-canal-config
|
||||
rke2::config_hash:
|
||||
advertise-address: "%{hiera('networking_loopback0_ip')}"
|
||||
cluster-domain: "svc.k8s.unkin.net"
|
||||
tls-san:
|
||||
- "join-k8s.service.consul"
|
||||
- "api-k8s.service.consul"
|
||||
- "api.k8s.unkin.net"
|
||||
- "join.k8s.unkin.net"
|
||||
cni: canal
|
||||
cluster-cidr: 10.42.0.0/16
|
||||
service-cidr: 10.43.0.0/16
|
||||
cluster-dns: 10.43.0.10
|
||||
etcd-arg: "--quota-backend-bytes 2048000000"
|
||||
etcd-snapshot-schedule-cron: "0 3 * * *"
|
||||
etcd-snapshot-retention: 10
|
||||
kube-apiserver-arg:
|
||||
- '--default-not-ready-toleration-seconds=30'
|
||||
- '--default-unreachable-toleration-seconds=30'
|
||||
kube-controller-manager-arg:
|
||||
- '--node-monitor-period=4s'
|
||||
protect-kernel-defaults: true
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
k8s-control:
|
||||
service_name: 'k8s-control'
|
||||
tags:
|
||||
- 'k8s'
|
||||
- 'container'
|
||||
api-k8s:
|
||||
service_name: 'api-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 6443
|
||||
checks:
|
||||
- id: 'k8s-control_https_check'
|
||||
name: 'k8s-control HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:6443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
- id: 'api-k8s_livez_check'
|
||||
name: 'api-k8s livez Check'
|
||||
args:
|
||||
- sudo
|
||||
- /usr/local/bin/check_k8s_api.sh
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
join-k8s:
|
||||
service_name: 'join-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 9345
|
||||
checks:
|
||||
- id: 'rke2_tcp_check_9345'
|
||||
name: 'rke2 TCP Check 9345'
|
||||
tcp: "%{hiera('networking_loopback0_ip')}:9345"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: k8s-control
|
||||
segment: api-k8s
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: join-k8s
|
||||
disposition: write
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
type: physical
|
||||
forwarding: true
|
||||
dhcp: true
|
||||
mtu: 1500
|
||||
profiles::pki::vault::alt_names:
|
||||
- api-k8s.service.consul
|
||||
- api-k8s.query.consul
|
||||
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
sudo::configs:
|
||||
consul-checks:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh
|
||||
|
||||
@@ -5,6 +5,24 @@ hiera_include:
|
||||
- profiles::ceph::node
|
||||
- profiles::ceph::client
|
||||
- exporters::frr_exporter
|
||||
- profiles::rke2::node
|
||||
|
||||
# manage rke2
|
||||
profiles::rke2::node::servers:
|
||||
- prodnxsr0001.main.unkin.net
|
||||
- prodnxsr0002.main.unkin.net
|
||||
- prodnxsr0003.main.unkin.net
|
||||
|
||||
rke2::config_hash:
|
||||
bind-address: "%{hiera('networking_loopback0_ip')}"
|
||||
advertise-address: "%{hiera('networking_loopback0_ip')}"
|
||||
node-ip: "%{hiera('networking_loopback0_ip')}"
|
||||
node-external-ip: "%{hiera('networking_loopback0_ip')}"
|
||||
cluster-domain: "svc.k8s.unkin.net"
|
||||
tls-san:
|
||||
- "api.k8s.unkin.net"
|
||||
- "join.k8s.unkin.net"
|
||||
cni: cilium
|
||||
|
||||
# FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
|
||||
python::manage_dev_package: false
|
||||
@@ -25,6 +43,7 @@ profiles::ceph::client::mons:
|
||||
- 198.18.23.11
|
||||
- 198.18.23.12
|
||||
- 198.18.23.13
|
||||
|
||||
# additional repos
|
||||
profiles::yum::global::repos:
|
||||
ceph:
|
||||
@@ -55,6 +74,20 @@ profiles::yum::global::repos:
|
||||
baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
|
||||
gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
|
||||
mirrorlist: absent
|
||||
rancher-rke2-common-latest:
|
||||
name: rancher-rke2-common-latest
|
||||
descr: rancher-rke2-common-latest
|
||||
target: /etc/yum.repos.d/rke2-common.repo
|
||||
baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
|
||||
gpgkey: https://rpm.rancher.io/public.key
|
||||
mirrorlist: absent
|
||||
rancher-rke2-1-33-latest:
|
||||
name: rancher-rke2-1-33-latest
|
||||
descr: rancher-rke2-1-33-latest
|
||||
target: /etc/yum.repos.d/rke2-1-33.repo
|
||||
baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
|
||||
gpgkey: https://rpm.rancher.io/public.key
|
||||
mirrorlist: absent
|
||||
|
||||
# dns
|
||||
profiles::dns::base::primary_interface: loopback0
|
||||
@@ -91,9 +124,38 @@ networking::interfaces:
|
||||
netmask: 255.255.255.255
|
||||
mtu: 1500
|
||||
|
||||
# consul
|
||||
# configure consul service
|
||||
profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
|
||||
consul::services:
|
||||
api-k8s:
|
||||
service_name: 'api-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 6443
|
||||
checks:
|
||||
- id: 'api-k8s_https_check'
|
||||
name: 'api-k8s HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:6443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
join-k8s:
|
||||
service_name: 'join-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 9345
|
||||
checks:
|
||||
- id: 'etcd_tcp_check_9345'
|
||||
name: 'ETCD TCP Check 9345'
|
||||
tcp: "%{facts.networking.fqdn}:9345"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: api-k8s
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: join-k8s
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: frr_exporter
|
||||
disposition: write
|
||||
@@ -130,3 +192,8 @@ profiles::ssh::sign::principals:
|
||||
- "%{hiera('networking_loopback0_ip')}"
|
||||
- "%{hiera('networking_1000_ip')}"
|
||||
- "%{hiera('networking_2500_ip')}"
|
||||
|
||||
profiles::pki::vault::alt_names:
|
||||
- api-k8s.service.consul
|
||||
- api-k8s.query.consul
|
||||
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
Reference in New Issue
Block a user