feat: adding rke2 (#394)

- manage rke2 repos
- add rke2 module (init, params, install, config, service)
- split roles::infra::k8s::node -> control/compute roles
- moved common k8s config into k8s.yaml
- add bootstrap_node, manage server and token fields in rke2 config
- manage install of helm
- manage node attributes (from puppet facts)
- manage frr exclusions for service/cluster network

Reviewed-on: #394
This commit was merged in pull request #394.
This commit is contained in:
2025-09-14 13:27:49 +10:00
parent 012e842d7d
commit 6e4bc9fbc7
19 changed files with 629 additions and 40 deletions
+60 -29
View File
@@ -1,42 +1,73 @@
---
profiles::pki::vault::alt_names:
- k8s-control.service.consul
- k8s-control.query.consul
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
profiles::ssh::sign::principals:
- k8s-control.service.consul
- k8s-control.query.consul
- "k8s-control.service.%{facts.country}-%{facts.region}.consul"
# manage rke2
rke2::node_type: server
rke2::helm_install: true
rke2::helm_repos:
metallb: https://metallb.github.io/metallb
rancher-stable: https://releases.rancher.com/server-charts/stable
rke2::extra_config_files:
- rke2-canal-config
rke2::config_hash:
advertise-address: "%{hiera('networking_loopback0_ip')}"
cluster-domain: "svc.k8s.unkin.net"
tls-san:
- "join-k8s.service.consul"
- "api-k8s.service.consul"
- "api.k8s.unkin.net"
- "join.k8s.unkin.net"
cni: canal
cluster-cidr: 10.42.0.0/16
service-cidr: 10.43.0.0/16
cluster-dns: 10.43.0.10
etcd-arg: "--quota-backend-bytes 2048000000"
etcd-snapshot-schedule-cron: "0 3 * * *"
etcd-snapshot-retention: 10
kube-apiserver-arg:
- '--default-not-ready-toleration-seconds=30'
- '--default-unreachable-toleration-seconds=30'
kube-controller-manager-arg:
- '--node-monitor-period=4s'
protect-kernel-defaults: true
# configure consul service
consul::services:
k8s-control:
service_name: 'k8s-control'
tags:
- 'k8s'
- 'container'
api-k8s:
service_name: 'api-k8s'
address: "%{facts.networking.fqdn}"
port: 6443
checks:
- id: 'k8s-control_https_check'
name: 'k8s-control HTTPS Check'
http: "https://%{facts.networking.fqdn}:6443"
method: 'GET'
tls_skip_verify: true
- id: 'api-k8s_livez_check'
name: 'api-k8s livez Check'
args:
- sudo
- /usr/local/bin/check_k8s_api.sh
interval: '10s'
timeout: '1s'
join-k8s:
service_name: 'join-k8s'
address: "%{facts.networking.fqdn}"
port: 9345
checks:
- id: 'rke2_tcp_check_9345'
name: 'rke2 TCP Check 9345'
tcp: "%{hiera('networking_loopback0_ip')}:9345"
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: k8s-control
segment: api-k8s
disposition: write
- resource: service
segment: join-k8s
disposition: write
# networking
systemd::manage_networkd: true
systemd::manage_all_network_files: true
networking::interfaces:
eth0:
type: physical
forwarding: true
dhcp: true
mtu: 1500
profiles::pki::vault::alt_names:
- api-k8s.service.consul
- api-k8s.query.consul
- "api-k8s.service.%{facts.country}-%{facts.region}.consul"
sudo::configs:
consul-checks:
priority: 20
content: |
consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh