feat: add ectd role for k8s

- small updates to k8s server/node/etcd-replica
- change k8s networking to all use networkd

hieradata/roles/infra/dns/master.yaml

@@ -17,6 +17,7 @@ profiles::dns::master::acls:
       - 198.18.27.0/24
       - 198.18.28.0/24
       - 198.18.29.0/24
+      - 198.18.30.0/24
 
 profiles::dns::master::zones:
   main.unkin.net:

hieradata/roles/infra/dns/resolver.yaml

@@ -26,6 +26,7 @@ profiles::dns::resolver::acls:
       - 198.18.27.0/24
       - 198.18.28.0/24
       - 198.18.29.0/24
+      - 198.18.30.0/24
   acl-nomad-jobs:
     addresses:
       - 198.18.64.0/24

hieradata/roles/infra/k8s.yaml

@@ -1,11 +1,30 @@
+---
+hiera_include:
+  - k8s
+
 k8s::node::manage_simple_cni: false
 k8s::server::resources::manage_flannel: false
 
 k8s::container_manager: containerd
-k8s::version: 1.28.14
+k8s::version: 1.31.9
 k8s::etcd_version: 3.5.16
+k8s::cluster_domain: k8s.au-syd1.unkin.net
+k8s::manage_firewall: false
+k8s::manage_kube_proxy: true
+k8s::puppetdb_discovery: true
+k8s::service_cidr: 198.18.30.0/24
+k8s::pod_cidr: 10.240.0.0/16
 
 ### k8s::install::crictl
 k8s::install::crictl::config:
   'runtime-endpoint': 'unix:///run/containerd/containerd.sock'
   'image-endpoint': 'unix:///run/containerd/containerd.sock'
+
+### networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+  eth0:
+    type: physical
+    forwarding: true
+    dhcp: true

hieradata/roles/infra/k8s/controller.yaml

@@ -1,23 +1,9 @@
 ---
-hiera_include:
-  - profiles::k8s::controller
-
-### K8S::Server
+k8s::role: server
 k8s::server::node_on_server: false
 k8s::server::manage_kubeadm: true
-k8s::server::etcd::generate_ca: true
-#k8s::server::etcd::client_ca_cert: '/etc/pki/tls/vault/certificate.crt'
-#k8s::server::etcd::client_ca_key: '/etc/pki/tls/vault/private.key'
-
-### K8S::Server::Apiserver
-# Choose an interface which is for cluster communications.
-# The apiserver will expose a port on the controller
-# and all the workers need to be able to reach it.
 k8s::server::apiserver::advertise_address: "%{facts.networking.ip}"
 
-### K8S::Server::Resources
-k8s::server::resources::manage_flannel: false
-
 consul::services:
   k8s:
     service_name: 'k8s'

hieradata/roles/infra/k8s/etcd.yaml

@@ -0,0 +1,7 @@
+---
+hiera_include:
+  - k8s::server::etcd
+k8s::role: none
+k8s::server::etcd::generate_ca: true
+k8s::server::etcd::manage_members: true
+k8s::server::etcd::self_signed_tls: true

hieradata/roles/infra/k8s/worker.yaml

@@ -1,7 +1,5 @@
 ---
-hiera_include:
-  - profiles::k8s::worker
-
 ### K8S::Node
+k8s::role: node
 k8s::node::node_token: "puppet.%{lookup('k8s::server::resources::bootstrap::secret')}"
 k8s::node::manage_crictl: true

modules/libs/lib/facter/subnet_facts.rb

@@ -21,7 +21,8 @@ class SubnetAttributes
     '198.18.26.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0010
     '198.18.27.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0011
     '198.18.28.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0012
-    '198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }  # common node0013
+    '198.18.29.0/24' => { environment: 'prod', region: 'syd1', country: 'au' }, # common node0013
+    '198.18.30.0/24' => { environment: 'prod', region: 'syd1', country: 'au' } # k8s service network
   }.freeze
 
   # Default attributes if no subnet matches, also defined as a constant

site/profiles/manifests/k8s/controller.pp

@@ -1,37 +0,0 @@
-# Class: profile::k8s::controller
-#
-# @param container_manager set the cri, like cri-o or containerd, if controller should be also a worker
-# @param etcd_version version of etcd
-# @param k8s_version version of kubernetes
-# @param manage_firewall whether to manage firewall or not
-# @param manage_kube_proxy whether to manage manage_kube_proxy or not
-# @param control_plane_url
-#   api server url where the server/nodes connect to.
-#   this is most likely a load balanced dns with all the controllers in the backend.
-#   on single head clusters this may be the dns name:port of the controller node.
-# @param role role in the cluster, server, node, none
-# @param puppetdb_discovery whether to use puppetdb or not
-# @param service_cidr address space for the services
-# @param pod_cidr address space for the pods
-#
-# lint:ignore:autoloader_layout
-class profiles::k8s::controller (
-  # lint:endignore
-  Boolean $manage_firewall                   = false,                     # k8s-class default: false
-  Boolean $manage_kube_proxy                 = true,                      # k8s-class default: true
-  Boolean $puppetdb_discovery                = true,                      # k8s-class default: false
-  Stdlib::HTTPUrl $control_plane_url         = 'https://k8s.service.consul:6443', # k8s-class default: https://kubernetes:6443
-  Enum['server'] $role                       = 'server',                  # k8s-class default: none
-  K8s::CIDR $service_cidr                    = '10.20.0.0/20',            # k8s-class default: 10.1.0.0/24
-  K8s::CIDR $pod_cidr                        = '10.20.16.0/20',           # k8s-class default: 10.0.0.0/16
-) {
-  class { 'k8s':
-    manage_firewall      => $manage_firewall,
-    manage_kube_proxy    => $manage_kube_proxy,
-    control_plane_url    => $control_plane_url,
-    role                 => $role,
-    service_cluster_cidr => $service_cidr,
-    cluster_cidr         => $pod_cidr,
-    puppetdb_discovery   => $puppetdb_discovery,
-  }
-}

site/profiles/manifests/k8s/worker.pp

@@ -1,30 +0,0 @@
-# Class: profile::k8s::worker
-#
-# @param role role in the cluster, server, node, none
-# @param control_plane_url
-#   cluster url where the server/nodes connect to.
-#   this is most likely a load balanced dns with all the controllers in the backend.
-#   on single head clusters this may be the dns name:port of the controller node.
-# @param k8s_version version of kubernetes
-# @param puppetdb_discovery whether to use puppetdb or not
-# @param manage_firewall whether to manage firewall or not
-# @param manage_kube_proxy whether to manage manage_kube_proxy or not, for cilium this is not needed
-# @param container_manager set the cri, like cri-o or containerd
-#
-# lint:ignore:autoloader_layout
-class profiles::k8s::worker (
-  # lint:endignore
-  Boolean $manage_firewall                   = true,         # k8s-class default: false
-  Boolean $manage_kube_proxy                 = true,         # k8s-class default: true
-  Boolean $puppetdb_discovery                = true,         # k8s-class default: false
-  Enum['node'] $role                         = 'node',       # k8s-class default: none
-  Stdlib::HTTPUrl $control_plane_url         = $profiles::k8s::controller::control_plane_url,
-) {
-  class { 'k8s':
-    manage_firewall    => $manage_firewall,
-    manage_kube_proxy  => $manage_kube_proxy,
-    control_plane_url  => $control_plane_url,
-    puppetdb_discovery => $puppetdb_discovery,
-    role               => $role,
-  }
-}

site/roles/manifests/infra/k8s/etcd.pp

@@ -0,0 +1,11 @@
+# deploy k8s workers
+class roles::infra::k8s::etcd {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}