feat: adding rke2

- manage rke2 repos - add rke2 module (init, params, install, config, service) - exclude setting ips for cilium interfaces - split roles::infra::k8s::node -> control/compute roles - moved common k8s config into k8s.yaml - add bootstrap_node, manage server and token fields in rke2 config
2025-09-06 23:01:57 +10:00 · 2025-09-06 23:01:57 +10:00 · 43f06a8086
commit 43f06a8086
parent 0665873dc8
13 changed files with 381 additions and 40 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -155,6 +155,9 @@ lookup_options:
  zfs::datasets:
    merge:
      strategy: deep
  rke2::config_hash:
    merge:
      strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
--- a/hieradata/roles/infra/k8s.eyaml
+++ b/hieradata/roles/infra/k8s.eyaml
@ -0,0 +1 @@
 rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOQ+c78bNNrJfc44CXqfmpGfyLMRmv5xsK2bKWrcwNxGTRfCEUlU7UOl7gKUI+7wHaeAhAbO0HNvxaQ+OK8lH3KRG5YumF5cLs3nrwp3PtVWKivQXns/icaYYTVpBRCaM96fMFQFqpoL2P7elMTndCtwJ/PYnN1etncRhJnV1j0Ogcnz69NZY+obuuyDozZTGojFrLg8aK46rzURi1biU5cGAI2x+CitGl8zfIcpkSwqTktlIf8kMaw8UmiR7sPk3TLh+sOqXlKVw8LzM3/fU7+x+UzE3KtdbF5mpfcnogJPwe+2wbzIkIZcXDU10MpQhaqEqzodkLmS7os5iyQPm9jCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQYn6gyEoS8w7iPQTZ/51yX4BwyKGpjdMtiBLzBBvX1wdGda8exfGTKw0TGq58R+ZZlXDfQ4sxtBszHOgmbCNKm0RS8iHZhgbtC51mG8X7zNgvD3YAXJlcVqtOb9amy9w25uFIjoSvc0G4JW1uVmbvZzgu59w6GgR0PfAw5uQrBxnkLQ==]
--- a/hieradata/roles/infra/k8s.yaml
+++ b/hieradata/roles/infra/k8s.yaml
@ -0,0 +1,157 @@
 ---
 hiera_include:
  - profiles::selinux::setenforce
  - profiles::ceph::node
  - profiles::ceph::client
  - exporters::frr_exporter
  - frrouting
  - rke2
 # manage rke2
 rke2::bootstrap_node: prodnxsr0001.main.unkin.net
 rke2::join_url: https://join-k8s.service.consul:9345
 rke2::config_hash:
  bind-address: "%{hiera('networking_loopback0_ip')}"
  node-ip: "%{hiera('networking_loopback0_ip')}"
  node-external-ip: "%{hiera('networking_loopback0_ip')}"
  write-kubeconfig-mode: 644
 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false
 profiles::packages::include:
  bridge-utils: {}
  cephadm: {}
 profiles::selinux::setenforce::mode: disabled
 profiles::ceph::client::manage_ceph_conf: false
 profiles::ceph::client::manage_ceph_package: false
 profiles::ceph::client::manage_ceph_paths: false
 profiles::ceph::client::fsid: 'de96a98f-3d23-465a-a899-86d3d67edab8'
 profiles::ceph::client::mons:
  - 198.18.23.9
  - 198.18.23.10
  - 198.18.23.11
  - 198.18.23.12
  - 198.18.23.13
 # additional repos
 profiles::yum::global::repos:
  ceph:
    name: ceph
    descr: ceph repository
    target: /etc/yum.repos.d/ceph.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  ceph-noarch:
    name: ceph-noarch
    descr: ceph-noarch repository
    target: /etc/yum.repos.d/ceph-noarch.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/noarch
    gpgkey: https://download.ceph.com/keys/release.asc
    mirrorlist: absent
  frr-extras:
    name: frr-extras
    descr: frr-extras repository
    target: /etc/yum.repos.d/frr-extras.repo
    baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  frr-stable:
    name: frr-stable
    descr: frr-stable repository
    target: /etc/yum.repos.d/frr-stable.repo
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  rancher-rke2-common-latest:
    name: rancher-rke2-common-latest
    descr: rancher-rke2-common-latest
    target: /etc/yum.repos.d/rke2-common.repo
    baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
    gpgkey: https://rpm.rancher.io/public.key
    mirrorlist: absent
  rancher-rke2-1-33-latest:
    name: rancher-rke2-1-33-latest
    descr: rancher-rke2-1-33-latest
    target: /etc/yum.repos.d/rke2-1-33.repo
    baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
    gpgkey: https://rpm.rancher.io/public.key
    mirrorlist: absent
 # dns
 profiles::dns::base::primary_interface: loopback0
 # networking
 systemd::manage_networkd: true
 systemd::manage_all_network_files: true
 networking::interfaces:
  "%{hiera('networking_1000_iface')}":
    type: physical
    ipaddress: "%{hiera('networking_1000_ip')}"
    gateway: 198.18.15.254
    txqueuelen: 10000
    forwarding: true
  "%{hiera('networking_2500_iface')}":
    type: physical
    ipaddress: "%{hiera('networking_2500_ip')}"
    mtu: 1500
    txqueuelen: 10000
    forwarding: true
  loopback0:
    type: dummy
    ipaddress: "%{hiera('networking_loopback0_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback1:
    type: dummy
    ipaddress: "%{hiera('networking_loopback1_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
  loopback2:
    type: dummy
    ipaddress: "%{hiera('networking_loopback2_ip')}"
    netmask: 255.255.255.255
    mtu: 1500
 # configure consul service
 profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
 profiles::consul::client::node_rules:
  - resource: service
    segment: frr_exporter
    disposition: write
 # frrouting
 exporters::frr_exporter::enable: true
 frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
 frrouting::ospf_preferred_source_enable: true
 frrouting::ospf_preferred_source: "%{hiera('networking_loopback0_ip')}"
 frrouting::ospfd_redistribute:
  - connected
 frrouting::ospfd_interfaces:
  "%{hiera('networking_1000_iface')}":
    area: 0.0.0.0
  "%{hiera('networking_2500_iface')}":
    area: 0.0.0.0
  loopback0:
    area: 0.0.0.0
  loopback1:
    area: 0.0.0.0
  loopback2:
    area: 0.0.0.0
 frrouting::daemons:
  ospfd: true
 # add loopback interfaces to ssh list
 ssh::server::options:
  ListenAddress:
    - "%{hiera('networking_loopback0_ip')}"
    - "%{hiera('networking_1000_ip')}"
    - "%{hiera('networking_2500_ip')}"
 profiles::ssh::sign::principals:
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_1000_ip')}"
  - "%{hiera('networking_2500_ip')}"
--- a/hieradata/roles/infra/k8s/compute.yaml
+++ b/hieradata/roles/infra/k8s/compute.yaml
@ -1,10 +1,3 @@
 ---
-# networking
+# manage rke2
-systemd::manage_networkd: true
+rke2::node_type: agent
 systemd::manage_all_network_files: true
 networking::interfaces:
  eth0:
    type: physical
    forwarding: true
    dhcp: true
    mtu: 1500
--- a/hieradata/roles/infra/k8s/control.yaml
+++ b/hieradata/roles/infra/k8s/control.yaml
@ -1,42 +1,55 @@
 ---
-profiles::pki::vault::alt_names:
+# manage rke2
-  - k8s-control.service.consul
+rke2::node_type: server
-  - k8s-control.query.consul
+rke2::config_hash:
-  - "k8s-control.service.%{facts.country}-%{facts.region}.consul"
+  advertise-address: "%{hiera('networking_loopback0_ip')}"
-
+  cluster-domain: "svc.k8s.unkin.net"
-profiles::ssh::sign::principals:
+  tls-san:
-  - k8s-control.service.consul
+    - "join-k8s.service.consul"
-  - k8s-control.query.consul
+    - "api-k8s.service.consul"
-  - "k8s-control.service.%{facts.country}-%{facts.region}.consul"
+    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: cilium
 # configure consul service
 consul::services:
-  k8s-control:
+  api-k8s:
-    service_name: 'k8s-control'
+    service_name: 'api-k8s'
    tags:
      - 'k8s'
      - 'container'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
-      - id: 'k8s-control_https_check'
+      - id: 'api-k8s_livez_check'
-        name: 'k8s-control HTTPS Check'
+        name: 'api-k8s livez Check'
-        http: "https://%{facts.networking.fqdn}:6443"
+        args:
-        method: 'GET'
+          - sudo
-        tls_skip_verify: true
+          - /usr/local/bin/check_k8s_api.sh
        interval: '10s'
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      - id: 'rke2_tcp_check_9345'
        name: 'rke2 TCP Check 9345'
        tcp: "%{hiera('networking_loopback0_ip')}:9345"
        interval: '10s'
        timeout: '1s'
 profiles::consul::client::node_rules:
  - resource: service
-    segment: k8s-control
+    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write
-# networking
+profiles::pki::vault::alt_names:
-systemd::manage_networkd: true
+  - api-k8s.service.consul
-systemd::manage_all_network_files: true
+  - api-k8s.query.consul
-networking::interfaces:
+  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"
-  eth0:
+
-    type: physical
+sudo::configs:
-    forwarding: true
+  consul-checks:
-    dhcp: true
+    priority: 20
-    mtu: 1500
+    content: |
      consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh
--- a/hieradata/roles/infra/k8s/node.yaml
+++ b/hieradata/roles/infra/k8s/node.yaml
@ -5,6 +5,24 @@ hiera_include:
  - profiles::ceph::node
  - profiles::ceph::client
  - exporters::frr_exporter
  - profiles::rke2::node
 # manage rke2
 profiles::rke2::node::servers:
  - prodnxsr0001.main.unkin.net
  - prodnxsr0002.main.unkin.net
  - prodnxsr0003.main.unkin.net
 rke2::config_hash:
  bind-address: "%{hiera('networking_loopback0_ip')}"
  advertise-address: "%{hiera('networking_loopback0_ip')}"
  node-ip: "%{hiera('networking_loopback0_ip')}"
  node-external-ip: "%{hiera('networking_loopback0_ip')}"
  cluster-domain: "svc.k8s.unkin.net"
  tls-san:
    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: cilium
 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false
@ -25,6 +43,7 @@ profiles::ceph::client::mons:
  - 198.18.23.11
  - 198.18.23.12
  - 198.18.23.13
 # additional repos
 profiles::yum::global::repos:
  ceph:
@ -55,6 +74,20 @@ profiles::yum::global::repos:
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
  rancher-rke2-common-latest:
    name: rancher-rke2-common-latest
    descr: rancher-rke2-common-latest
    target: /etc/yum.repos.d/rke2-common.repo
    baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
    gpgkey: https://rpm.rancher.io/public.key
    mirrorlist: absent
  rancher-rke2-1-33-latest:
    name: rancher-rke2-1-33-latest
    descr: rancher-rke2-1-33-latest
    target: /etc/yum.repos.d/rke2-1-33.repo
    baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
    gpgkey: https://rpm.rancher.io/public.key
    mirrorlist: absent
 # dns
 profiles::dns::base::primary_interface: loopback0
@ -91,9 +124,38 @@ networking::interfaces:
    netmask: 255.255.255.255
    mtu: 1500
-# consul
+# configure consul service
 profiles::consul::client::host_addr: "%{hiera('networking_loopback0_ip')}"
 consul::services:
  api-k8s:
    service_name: 'api-k8s'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
      - id: 'api-k8s_https_check'
        name: 'api-k8s HTTPS Check'
        http: "https://%{facts.networking.fqdn}:6443"
        method: 'GET'
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      - id: 'etcd_tcp_check_9345'
        name: 'ETCD TCP Check 9345'
        tcp: "%{facts.networking.fqdn}:9345"
        interval: '10s'
        timeout: '1s'
 profiles::consul::client::node_rules:
  - resource: service
    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write
  - resource: service
    segment: frr_exporter
    disposition: write
@ -130,3 +192,8 @@ profiles::ssh::sign::principals:
  - "%{hiera('networking_loopback0_ip')}"
  - "%{hiera('networking_1000_ip')}"
  - "%{hiera('networking_2500_ip')}"
 profiles::pki::vault::alt_names:
  - api-k8s.service.consul
  - api-k8s.query.consul
  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"
--- a/modules/rke2/files/check_k8s_api.sh
+++ b/modules/rke2/files/check_k8s_api.sh
@ -0,0 +1,2 @@
 #!/usr/bin/bash
 /var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get --raw /livez
--- a/modules/rke2/manifests/config.pp
+++ b/modules/rke2/manifests/config.pp
@ -0,0 +1,57 @@
 # config rke2
 class rke2::config (
  Enum['server', 'agent'] $node_type = $rke2::node_type,
  Stdlib::Absolutepath    $config_file = $rke2::config_file,
  Hash                    $config_hash = $rke2::config_hash,
  Stdlib::HTTPSUrl        $join_url = $rke2::join_url,
  Stdlib::Fqdn            $bootstrap_node = $rke2::bootstrap_node,
  String                  $node_token = $rke2::node_token,
 ){
  # if agent, add token. what other fields should i add?
  # how can I add a tls secret using kubectl to add ephemeral certs.
  # if its not the bootstrap node, add join path to config
  if $node_type == 'server' {
    if $trusted['certname'] != $bootstrap_node {
      $config = merge($config_hash, {
        server => $join_url,
        token  => $node_token,
      } )
    }else{
      $config = $config_hash
    }
  } elsif $node_type == 'agent' {
      $config = merge($config_hash, {
        server => $join_url,
        token  => $node_token,
      } )
  }else{
    $config = $config_hash
  }
  # create the config file
  file { $config_file:
    ensure  => file,
    content => Sensitive($config.to_yaml),
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
  }
  # create a script to verify k8s api is up (used by consul)
  file {'/usr/local/bin/check_k8s_api.sh':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///modules/rke2/check_k8s_api.sh'
  }
  # symlink kubectl to path
  file {'/usr/bin/kubectl':
    ensure => link,
    target => '/var/lib/rancher/rke2/bin/kubectl',
  }
 }
--- a/modules/rke2/manifests/init.pp
+++ b/modules/rke2/manifests/init.pp
@ -0,0 +1,16 @@
 # manage rke2
 class rke2 (
  Enum['server', 'agent'] $node_type = $rke2::params::node_type,
  Stdlib::Absolutepath    $config_file = $rke2::params::config_file,
  Hash                    $config_hash = $rke2::params::config_hash,
  Stdlib::HTTPSUrl        $join_url = $rke2::params::join_url,
  Stdlib::Fqdn            $bootstrap_node = $rke2::params::bootstrap_node,
  String                  $node_token = $rke2::params::node_token,
 ) inherits rke2::params {
  include rke2::install
  include rke2::config
  include rke2::service
  Class['rke2::install'] -> Class['rke2::config'] -> Class['rke2::service']
 }
--- a/modules/rke2/manifests/install.pp
+++ b/modules/rke2/manifests/install.pp
@ -0,0 +1,10 @@
 # install rke2
 class rke2::install (
  Enum['server', 'agent'] $node_type = $rke2::node_type,
 ){
  package {"rke2-${node_type}":
    ensure => installed,
  }
 }
--- a/modules/rke2/manifests/params.pp
+++ b/modules/rke2/manifests/params.pp
@ -0,0 +1,9 @@
 # rke2 params
 class rke2::params (
  Enum['server', 'agent'] $node_type = 'agent',
  Stdlib::Absolutepath    $config_file = '/etc/rancher/rke2/config.yaml',
  Hash                    $config_hash = {},
  Stdlib::HTTPSUrl        $join_url = 'https://127.0.0.1:9345',
  Stdlib::Fqdn            $bootstrap_node = 'localhost.localdomain',
  String                  $node_token = '',
 ) {}
--- a/modules/rke2/manifests/service.pp
+++ b/modules/rke2/manifests/service.pp
@ -0,0 +1,13 @@
 # manage rke2 service
 class rke2::service (
  Enum['server', 'agent'] $node_type = $rke2::node_type,
  Stdlib::Absolutepath    $config_file = $rke2::config_file,
 ){
  service {"rke2-${node_type}":
    ensure    => true,
    enable    => true,
    subscribe => File[$config_file],
  }
 }
--- a/site/profiles/manifests/dns/base.pp
+++ b/site/profiles/manifests/dns/base.pp
@ -47,7 +47,7 @@ class profiles::dns::base (
  $facts['networking']['interfaces'].each | $interface, $data | {
    # exclude those without ipv4 address, lo, docker0 and anycast addresses
-    if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ {
+    if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ and $interface !~ /^cilium_/  {
      # use defaults for the primary_interface
      if $interface == $primary_interface {
		`@ -0,0 +1 @@`
							rke2::node_token: ENC[PKCS7,MIIB2gYJKoZIhvcNAQcDoIIByzCCAccCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAOQ+c78bNNrJfc44CXqfmpGfyLMRmv5xsK2bKWrcwNxGTRfCEUlU7UOl7gKUI+7wHaeAhAbO0HNvxaQ+OK8lH3KRG5YumF5cLs3nrwp3PtVWKivQXns/icaYYTVpBRCaM96fMFQFqpoL2P7elMTndCtwJ/PYnN1etncRhJnV1j0Ogcnz69NZY+obuuyDozZTGojFrLg8aK46rzURi1biU5cGAI2x+CitGl8zfIcpkSwqTktlIf8kMaw8UmiR7sPk3TLh+sOqXlKVw8LzM3/fU7+x+UzE3KtdbF5mpfcnogJPwe+2wbzIkIZcXDU10MpQhaqEqzodkLmS7os5iyQPm9jCBnAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQYn6gyEoS8w7iPQTZ/51yX4BwyKGpjdMtiBLzBBvX1wdGda8exfGTKw0TGq58R+ZZlXDfQ4sxtBszHOgmbCNKm0RS8iHZhgbtC51mG8X7zNgvD3YAXJlcVqtOb9amy9w25uFIjoSvc0G4JW1uVmbvZzgu59w6GgR0PfAw5uQrBxnkLQ==]
		`@ -0,0 +1,2 @@`
							`#!/usr/bin/bash`
							`/var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get --raw /livez`