feat: adding rke2

- manage rke2 repos - add rke2 module (init, params, install, config, service) - add node_type setting class profiles::rke2::node - exclude setting ips for cilium interfaces
2025-09-06 23:01:57 +10:00 · 2025-09-06 23:01:57 +10:00 · e9d3da946e
commit e9d3da946e
parent 65fb52da55
8 changed files with 107 additions and 1 deletions
--- a/hieradata/roles/infra/k8s/node.yaml
+++ b/hieradata/roles/infra/k8s/node.yaml
@ -5,6 +5,25 @@ hiera_include:
  - profiles::ceph::node
  - profiles::ceph::client
  - exporters::frr_exporter
+  - profiles::rke2::node
+
+
+# manage rke2
+profiles::rke2::node::servers:
+  - prodnxsr0001.main.unkin.net
+  - prodnxsr0002.main.unkin.net
+  - prodnxsr0003.main.unkin.net
+
+rke2::config_hash:
+  bind-address: "%{hiera('networking_loopback0_ip')}"
+  advertise-address: "%{hiera('networking_loopback0_ip')}"
+  node-ip: "%{hiera('networking_loopback0_ip')}"
+  node-external-ip: "%{hiera('networking_loopback0_ip')}"
+  cluster-domain: "svc.k8s.unkin.net"
+  tls-san:
+    - "api.k8s.unkin.net"
+    - "join.k8s.unkin.net"
+  cni: cilium

 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false
@ -25,6 +44,7 @@ profiles::ceph::client::mons:
  - 198.18.23.11
  - 198.18.23.12
  - 198.18.23.13
+
 # additional repos
 profiles::yum::global::repos:
  ceph:
@ -55,6 +75,20 @@ profiles::yum::global::repos:
    baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
    gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
    mirrorlist: absent
+  rancher-rke2-common-latest:
+    name: rancher-rke2-common-latest
+    descr: rancher-rke2-common-latest
+    target: /etc/yum.repos.d/rke2-common.repo
+    baseurl: https://rpm.rancher.io/rke2/latest/common/centos/%{facts.os.release.major}/noarch
+    gpgkey: https://rpm.rancher.io/public.key
+    mirrorlist: absent
+  rancher-rke2-1-33-latest:
+    name: rancher-rke2-1-33-latest
+    descr: rancher-rke2-1-33-latest
+    target: /etc/yum.repos.d/rke2-1-33.repo
+    baseurl: https://rpm.rancher.io/rke2/latest/1.33/centos/%{facts.os.release.major}/x86_64
+    gpgkey: https://rpm.rancher.io/public.key
+    mirrorlist: absent

 # dns
 profiles::dns::base::primary_interface: loopback0
--- a/modules/rke2/manifests/config.pp
+++ b/modules/rke2/manifests/config.pp
@ -0,0 +1,15 @@
+# config rke2
+class rke2::config (
+  Enum['server', 'agent'] $node_type = $rke2::node_type,
+  Stdlib::Absolutepath    $config_file = $rke2::config_file,
+  Hash                    $config_hash = $rke2::config_hash,
+){
+
+  file { $config_file:
+    ensure  => file,
+    content => $config_hash.to_yaml,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+  }
+}
--- a/modules/rke2/manifests/init.pp
+++ b/modules/rke2/manifests/init.pp
@ -0,0 +1,13 @@
+# manage rke2
+class rke2 (
+  Enum['server', 'agent'] $node_type = $rke2::params::node_type,
+  Stdlib::Absolutepath    $config_file = $rke2::params::config_file,
+  Hash                    $config_hash = $rke2::params::config_hash,
+) inherits rke2::params {
+
+  include rke2::install
+  include rke2::config
+  include rke2::service
+
+  Class['rke2::install'] -> Class['rke2::config'] -> Class['rke2::service']
+}
--- a/modules/rke2/manifests/install.pp
+++ b/modules/rke2/manifests/install.pp
@ -0,0 +1,10 @@
+# install rke2
+class rke2::install (
+  Enum['server', 'agent'] $node_type = $rke2::node_type,
+){
+
+  package {"rke2-${node_type}":
+    ensure => installed,
+  }
+
+}
--- a/modules/rke2/manifests/params.pp
+++ b/modules/rke2/manifests/params.pp
@ -0,0 +1,6 @@
+# rke2 params
+class rke2::params (
+  Enum['server', 'agent'] $node_type = 'agent',
+  Stdlib::Absolutepath    $config_file = '/etc/rancher/rke2/config.yaml',
+  Hash                    $config_hash = {},
+) {}
--- a/modules/rke2/manifests/service.pp
+++ b/modules/rke2/manifests/service.pp
@ -0,0 +1,13 @@
+# manage rke2 service
+class rke2::service (
+  Enum['server', 'agent'] $node_type = $rke2::node_type,
+  Stdlib::Absolutepath    $config_file = $rke2::config_file,
+){
+
+  service {"rke2-${node_type}":
+    ensure    => true,
+    enabled   => true,
+    subscribe => File[$config_file],
+  }
+
+}
--- a/site/profiles/manifests/dns/base.pp
+++ b/site/profiles/manifests/dns/base.pp
@ -47,7 +47,7 @@ class profiles::dns::base (
  $facts['networking']['interfaces'].each | $interface, $data | {

    # exclude those without ipv4 address, lo, docker0 and anycast addresses
-    if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ {
+    if $data['ip'] and $interface != 'lo' and $interface != 'docker0' and $interface !~ /^anycast[0-9]$/ and $interface !~ /^cilium_/  {

      # use defaults for the primary_interface
      if $interface == $primary_interface {
--- a/site/profiles/manifests/rke2/node.pp
+++ b/site/profiles/manifests/rke2/node.pp
@ -0,0 +1,15 @@
+# manage server/agent nodes
+class profiles::rke2::node (
+  Array[Stdlib::Fqdn] $servers = [],
+){
+
+  $node_type = $trusted['certname'] in $servers ? {
+    True    => 'server',
+    default => 'agent'
+  }
+
+  class {'rke2':
+    node_type => $node_type,
+  }
+
+}