feat: adding rke2 (#394)
- manage rke2 repos - add rke2 module (init, params, install, config, service) - split roles::infra::k8s::node -> control/compute roles - moved common k8s config into k8s.yaml - add bootstrap_node, manage server and token fields in rke2 config - manage install of helm - manage node attributes (from puppet facts) - manage frr exclusions for service/cluster network Reviewed-on: #394
This commit was merged in pull request #394.
This commit is contained in:
@@ -1,42 +1,73 @@
|
||||
---
|
||||
profiles::pki::vault::alt_names:
|
||||
- k8s-control.service.consul
|
||||
- k8s-control.query.consul
|
||||
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- k8s-control.service.consul
|
||||
- k8s-control.query.consul
|
||||
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
|
||||
# manage rke2
|
||||
rke2::node_type: server
|
||||
rke2::helm_install: true
|
||||
rke2::helm_repos:
|
||||
metallb: https://metallb.github.io/metallb
|
||||
rancher-stable: https://releases.rancher.com/server-charts/stable
|
||||
rke2::extra_config_files:
|
||||
- rke2-canal-config
|
||||
rke2::config_hash:
|
||||
advertise-address: "%{hiera('networking_loopback0_ip')}"
|
||||
cluster-domain: "svc.k8s.unkin.net"
|
||||
tls-san:
|
||||
- "join-k8s.service.consul"
|
||||
- "api-k8s.service.consul"
|
||||
- "api.k8s.unkin.net"
|
||||
- "join.k8s.unkin.net"
|
||||
cni: canal
|
||||
cluster-cidr: 10.42.0.0/16
|
||||
service-cidr: 10.43.0.0/16
|
||||
cluster-dns: 10.43.0.10
|
||||
etcd-arg: "--quota-backend-bytes 2048000000"
|
||||
etcd-snapshot-schedule-cron: "0 3 * * *"
|
||||
etcd-snapshot-retention: 10
|
||||
kube-apiserver-arg:
|
||||
- '--default-not-ready-toleration-seconds=30'
|
||||
- '--default-unreachable-toleration-seconds=30'
|
||||
kube-controller-manager-arg:
|
||||
- '--node-monitor-period=4s'
|
||||
protect-kernel-defaults: true
|
||||
|
||||
# configure consul service
|
||||
consul::services:
|
||||
k8s-control:
|
||||
service_name: 'k8s-control'
|
||||
tags:
|
||||
- 'k8s'
|
||||
- 'container'
|
||||
api-k8s:
|
||||
service_name: 'api-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 6443
|
||||
checks:
|
||||
- id: 'k8s-control_https_check'
|
||||
name: 'k8s-control HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:6443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
- id: 'api-k8s_livez_check'
|
||||
name: 'api-k8s livez Check'
|
||||
args:
|
||||
- sudo
|
||||
- /usr/local/bin/check_k8s_api.sh
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
join-k8s:
|
||||
service_name: 'join-k8s'
|
||||
address: "%{facts.networking.fqdn}"
|
||||
port: 9345
|
||||
checks:
|
||||
- id: 'rke2_tcp_check_9345'
|
||||
name: 'rke2 TCP Check 9345'
|
||||
tcp: "%{hiera('networking_loopback0_ip')}:9345"
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: k8s-control
|
||||
segment: api-k8s
|
||||
disposition: write
|
||||
- resource: service
|
||||
segment: join-k8s
|
||||
disposition: write
|
||||
|
||||
# networking
|
||||
systemd::manage_networkd: true
|
||||
systemd::manage_all_network_files: true
|
||||
networking::interfaces:
|
||||
eth0:
|
||||
type: physical
|
||||
forwarding: true
|
||||
dhcp: true
|
||||
mtu: 1500
|
||||
profiles::pki::vault::alt_names:
|
||||
- api-k8s.service.consul
|
||||
- api-k8s.query.consul
|
||||
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
sudo::configs:
|
||||
consul-checks:
|
||||
priority: 20
|
||||
content: |
|
||||
consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh
|
||||
|
||||
Reference in New Issue
Block a user