From e17f9170f2f0900cbaeabd6eb4e9f46f7e0943ef Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 13 Mar 2025 21:00:48 +1100
Subject: [PATCH] feat: add etcd cluster
---
 hieradata/roles/infra/etcd/k8s.eyaml | 2 +
 hieradata/roles/infra/etcd/k8s.yaml | 64 ++++++++++++++++++++++++++
 site/roles/manifests/infra/etcd/k8s.pp | 11 +++++
 3 files changed, 77 insertions(+)
 create mode 100644 hieradata/roles/infra/etcd/k8s.eyaml
 create mode 100644 hieradata/roles/infra/etcd/k8s.yaml
 create mode 100644 site/roles/manifests/infra/etcd/k8s.pp
diff --git a/hieradata/roles/infra/etcd/k8s.eyaml b/hieradata/roles/infra/etcd/k8s.eyaml
new file mode 100644
index 0000000..40ffd6b
--- /dev/null
+++ b/hieradata/roles/infra/etcd/k8s.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::etcd::node::initial_cluster_token: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/etcd/k8s.yaml b/hieradata/roles/infra/etcd/k8s.yaml
new file mode 100644
index 0000000..2b1c832
--- /dev/null
+++ b/hieradata/roles/infra/etcd/k8s.yaml
@@ -0,0 +1,64 @@
+---
+hiera_include:
+ - profiles::etcd::node
+
+profiles::etcd::node::members_lookup: true
+profiles::etcd::node::members_role: roles::infra::etcd::k8s
+
+profiles::etcd::node::config:
+ data-dir: /data/etcd
+ client-cert-auth: false
+ client-transport-security:
+ cert-file: /etc/pki/tls/vault/certificate.crt
+ key-file: /etc/pki/tls/vault/private.key
+ client-cert-auth: false
+ auto-tls: false
+ peer-transport-security:
+ cert-file: /etc/pki/tls/vault/certificate.crt
+ key-file: /etc/pki/tls/vault/private.key
+ client-cert-auth: false
+ auto-tls: false
+ allowed-cn:
+ max-wals: 5
+ max-snapshots: 5
+ snapshot-count: 10000
+ heartbeat-interval: 100
+ election-timeout: 1000
+ cipher-suites: [
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ ]
+ tls-min-version: 'TLS1.2'
+ tls-max-version: 'TLS1.3'
+
+profiles::pki::vault::alt_names:
+ - etcd-k8s.service.consul
+ - etcd-k8s.query.consul
+ - "etcd-k8s.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - etcd-k8s.query.consul
+ - etcd-k8s.service.consul
+ - etcd-k8s.service.%{facts.country}-%{facts.region}.consul
+
+consul::services:
+ etcd:
+ service_name: 'etcd-k8s'
+ tags:
+ - 'etcd'
+ - 'k8s'
+ - 'etcd-k8s'
+ address: "%{facts.networking.ip}"
+ port: 2379
+ checks:
+ - id: 'etcd_http_health_check'
+ name: 'ETCD HTTP Health Check'
+ http: "https://%{facts.networking.ip}:2379/health"
+ method: 'GET'
+ interval: '10s'
+ timeout: '1s'
+ tls_skip_verify: true
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: etcd-k8s
+ disposition: write
diff --git a/site/roles/manifests/infra/etcd/k8s.pp b/site/roles/manifests/infra/etcd/k8s.pp
new file mode 100644
index 0000000..aad7241
--- /dev/null
+++ b/site/roles/manifests/infra/etcd/k8s.pp
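Review bot: The `peer-transport-security` block sets `client-cert-auth: false` and leaves `allowed-cn` empty, so the peer listener serves TLS to any host that can reach it without requiring a certificate, and the `client-transport-security` block disables certificate authentication for clients in the same way. Because the node certificates come from `profiles::pki::vault`, an issuing CA appears to be available, so the peer block should at least carry `client-cert-auth: true` and `trusted-ca-file: <PATH_TO_VAULT_CA_BUNDLE>` (placeholder path) so that only certificates from that CA can take part in peer traffic. The additional `client-cert-auth: false` placed directly under `config`, outside either transport-security section, looks misplaced — as far as I can tell etcd reads that key inside the transport-security sections — and is worth removing to avoid giving a false impression of what is enforced. The consul check's `tls_skip_verify: true` is presumably there because the check targets `%{facts.networking.ip}` while `profiles::pki::vault::alt_names` lists only DNS names; if the PKI profile supports IP SANs, adding the node address there would let the check verify the certificate instead of skipping verification.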
@@ -0,0 +1,11 @@
+# a role to deploy etcd for k8s
+class roles::infra::etcd::k8s {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ include profiles::base::datavol
+ }
+}
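Review bot: `include profiles::defaults` is repeated in both branches of the `if $facts['firstrun']` test, so the class is more readable with that line hoisted above the conditional and each branch holding only what differs: `include profiles::defaults` first, then `if $facts['firstrun'] { include profiles::firstrun::init } else { ... }` with the three base/datavol includes in the else branch. The `}else{` line also departs from the usual `} else {` spacing. A short header comment explaining what the `firstrun` fact signals (e.g. `# firstrun: node is being bootstrapped, skip the base/datavol profiles`) would help a reader who does not know the profiles::firstrun flow.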