From 888db366a1ff5e869908c3067cee27cc2eadb89d Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Sep 2025 23:01:57 +1000 Subject: [PATCH] feat: adding rke2 - manage rke2 repos - add rke2 module (init, params, install, config, service) - add node_type setting class profiles::rke2::node - exclude setting ips for cilium interfaces --- hieradata/roles/infra/k8s/node.yaml | 34 ++++++++++++++++++++++++++++ modules/rke2/manifests/config.pp | 15 ++++++++++++ modules/rke2/manifests/init.pp | 13 +++++++++++ modules/rke2/manifests/install.pp | 10 ++++++++ modules/rke2/manifests/params.pp | 6 +++++ modules/rke2/manifests/service.pp | 13 +++++++++++ site/profiles/manifests/dns/base.pp | 2 +- site/profiles/manifests/rke2/node.pp | 15 ++++++++++++ 8 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 modules/rke2/manifests/config.pp create mode 100644 modules/rke2/manifests/init.pp create mode 100644 modules/rke2/manifests/install.pp create mode 100644 modules/rke2/manifests/params.pp create mode 100644 modules/rke2/manifests/service.pp create mode 100644 site/profiles/manifests/rke2/node.pp diff --git a/hieradata/roles/infra/k8s/node.yaml b/hieradata/roles/infra/k8s/node.yaml index 67e7c01..c51db9e 100644 --- a/hieradata/roles/infra/k8s/node.yaml +++ b/hieradata/roles/infra/k8s/node.yaml 
@@ -5,6 +5,25 @@ hiera_include: - profiles::ceph::node - profiles::ceph::client - exporters::frr_exporter + - profiles::rke2::node + + +# manage rke2 +profiles::rke2::node::servers: + - prodnxsr0001.main.unkin.net + - prodnxsr0002.main.unkin.net + - prodnxsr0003.main.unkin.net + +rke2::config_hash: + bind-address: "%{hiera('networking_loopback0_ip')}" + advertise-address: "%{hiera('networking_loopback0_ip')}" + node-ip: "%{hiera('networking_loopback0_ip')}" + node-external-ip: "%{hiera('networking_loopback0_ip')}" + cluster-domain: "svc.k8s.unkin.net" + tls-san: + - "api.k8s.unkin.net" + - "join.k8s.unkin.net" + cni: cilium # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package python::manage_dev_package: false @@ -25,6 +44,7 @@ profiles::ceph::client::mons: - 198.18.23.11 - 198.18.23.12 - 198.18.23.13 + # additional repos profiles::yum::global::repos: ceph: @@ -55,6 +75,20 @@ profiles::yum::global::repos: baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR mirrorlist: absent + rancher-rke2-common-latest: + name: rancher-rke2-common-latest + descr: rancher-rke2-common-latest + target: /etc/yum.repos.d/rke2-common.repo + baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch + gpgkey: https://rpm.rancher.io/public.key + mirrorlist: absent + rancher-rke2-1-33-latest: + name: rancher-rke2-1-33-latest + descr: rancher-rke2-1-33-latest + target: /etc/yum.repos.d/rke2-1-33.repo + baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64 + gpgkey: https://rpm.rancher.io/public.key + mirrorlist: absent # dns profiles::dns::base::primary_interface: loopback0 diff --git a/modules/rke2/manifests/config.pp b/modules/rke2/manifests/config.pp new file mode 100644 index 0000000..0b32699 --- /dev/null 
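Review bot: The two rancher repos added in the last hunk of node.yaml point straight at `https://rpm.rancher.io/rke2/latest/...`, while the frr entry just above them is served from `packagerepo.service.consul`, and `rke2::install` uses `ensure => installed`, so a node gets whatever the upstream `latest` channel serves at its first run. Mirroring these through the internal package repo and pinning a version would make node builds reproducible, and would stop the signing key being fetched from the same origin as the packages it verifies. The 1.33 `baseurl` also hard-codes `x86_64` where the frr entry uses `%{facts.os.architecture}`; `.../centos/%{facts.os.release.major}/%{facts.os.architecture}` would be consistent. Whether `gpgcheck` is enforced is not visible in this hunk, so confirm the yum profile's default covers these entries.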
+++ b/modules/rke2/manifests/config.pp
@@ -0,0 +1,15 @@
+# config rke2
+class rke2::config (
+ Enum['server', 'agent'] $node_type = $rke2::node_type,
+ Stdlib::Absolutepath $config_file = $rke2::config_file,
+ Hash $config_hash = $rke2::config_hash,
+){
+
+ file { $config_file:
+ ensure => file,
+ content => $config_hash.to_yaml,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+}
diff --git a/modules/rke2/manifests/init.pp b/modules/rke2/manifests/init.pp
new file mode 100644
index 0000000..7d99d5d
--- /dev/null
+++ b/modules/rke2/manifests/init.pp
@@ -0,0 +1,13 @@
+# manage rke2
+class rke2 (
+ Enum['server', 'agent'] $node_type = $rke2::params::node_type,
+ Stdlib::Absolutepath $config_file = $rke2::params::config_file,
+ Hash $config_hash = $rke2::params::config_hash,
+) inherits rke2::params {
+
+ include rke2::install
+ include rke2::config
+ include rke2::service
+
+ Class['rke2::install'] -> Class['rke2::config'] -> Class['rke2::service']
+}
diff --git a/modules/rke2/manifests/install.pp b/modules/rke2/manifests/install.pp
new file mode 100644
index 0000000..db4d6ce
--- /dev/null
+++ b/modules/rke2/manifests/install.pp
@@ -0,0 +1,10 @@
+# install rke2
+class rke2::install (
+ Enum['server', 'agent'] $node_type = $rke2::node_type,
+){
+
+ package {"rke2-${node_type}":
+ ensure => installed,
+ }
+
+}
diff --git a/modules/rke2/manifests/params.pp b/modules/rke2/manifests/params.pp
new file mode 100644
index 0000000..280f4e4
--- /dev/null
+++ b/modules/rke2/manifests/params.pp
@@ -0,0 +1,6 @@
+# rke2 params
+class rke2::params (
+ Enum['server', 'agent'] $node_type = 'agent',
+ Stdlib::Absolutepath $config_file = '/etc/rancher/rke2/config.yaml',
+ Hash $config_hash = {},
+) {}
diff --git a/modules/rke2/manifests/service.pp b/modules/rke2/manifests/service.pp
new file mode 100644
index 0000000..7e98f98
--- /dev/null
+++ b/modules/rke2/manifests/service.pp
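Review bot: `mode => '0644'` on `$config_file` in config.pp leaves `/etc/rancher/rke2/config.yaml` world-readable, and `config_hash` is an unconstrained `Hash` that in RKE2 normally ends up carrying the cluster join `token`. I would change the line to `mode => '0600',` and add `show_diff => false,` so that a token added to hiera later is neither readable by local users nor printed in agent run reports. `$node_type` is declared on this class but is not used in its body.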
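Review bot: In init.pp the three subclasses are pulled in with `include`, so their resources are not contained in `Class['rke2']`; a relationship placed on the class from a profile (for example requiring the yum repos before `Class['rke2']`) will not reach the `rke2-${node_type}` package. Replacing them with `contain rke2::install`, `contain rke2::config` and `contain rke2::service` keeps the existing ordering chain and makes the module orderable as one unit. The header comment `# manage rke2` could also list the three parameters with `@param` tags, since `config_hash` is written verbatim into the node's config file.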
@@ -0,0 +1,13 @@ +# manage rke2 service +class rke2::service ( + Enum['server', 'agent'] $node_type = $rke2::node_type, + Stdlib::Absolutepath $config_file = $rke2::config_file, +){ + + service {"rke2-${node_type}": + ensure => true, + enabled => true, + subscribe => File[$config_file], + } + +} diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp index a25ba08..ee2fff0 100644 --- a/site/profiles/manifests/dns/base.pp +++ b/site/profiles/manifests/dns/base.pp @@ -47,7 +47,7 @@ class profiles::dns::base ( $facts['networking']['interfaces'].each | $interface, $data | { # exclude those without ipv4 address, lo, docker0 and anycast addresses - if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ { + if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ and $interface !~ /^cilium_/ { # use defaults for the primary_interface if $interface == $primary_interface { diff --git a/site/profiles/manifests/rke2/node.pp b/site/profiles/manifests/rke2/node.pp new file mode 100644 index 0000000..b8a3e5b --- /dev/null +++ b/site/profiles/manifests/rke2/node.pp @@ -0,0 +1,15 @@ +# manage server/agent nodes +class profiles::rke2::node ( + Array[Stdlib::Fqdn] $servers = [], +){ + + $node_type = $trusted['certname'] in $servers ? { + 'true' => 'server', + default => 'agent' + } + + class {'rke2': + node_type => $node_type, + } + +}
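Review bot: `enabled => true` in service.pp is not an attribute of the `service` type; the property is `enable`, so this resource should be rejected with an invalid-parameter error when the catalog is compiled. Change the line to `enable => true,`. Separately, `subscribe => File[$config_file]` restarts `rke2-server` on every config change, and because the same hiera hash applies to all three servers those restarts may land close together; worth deciding whether that is acceptable for the control plane.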
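Review bot: The comment directly above the changed condition in dns/base.pp still reads `# exclude those without ipv4 address, lo, docker0 and anycast addresses`; it should now mention the new exclusion, e.g. `# exclude those without ipv4 address, lo, docker0, anycast and cilium_* interfaces`. The condition is also getting long, and a class parameter holding the excluded-interface patterns would keep pod-network addresses out of DNS when the CNI changes, without another edit to this line. The enclosing `each` block and the class both start and end outside the hunk.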
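Review bot: The selector in node.pp matches on the String `'true'`, but `in` yields a Boolean, so the `'true' => 'server'` branch should never be taken and the hosts listed in `servers` will not come up as servers. As far as I recall the `?` selector also binds more tightly than `in`, which would apply it to `$servers` alone, so the expression needs parentheses as well: `$node_type = ($trusted['certname'] in $servers) ? {` with `true => 'server',` as the first case. Keying the role on `$trusted['certname']` rather than a fact is the right choice, since a node cannot promote itself by reporting a different value.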