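---
# Hiera data for an RKE2 *server* node: helm repositories, Ceph RBD CSI,
# the RKE2 config.yaml contents, Consul service registration, Vault PKI SANs
# and the sudoers entry used by the Consul health check.

# manage rke2
rke2::node_type: server
rke2::helm_install: true
# Chart repositories configured on the node; every one is fetched over HTTPS.
rke2::helm_repos:
  rancher-stable: https://releases.rancher.com/server-charts/stable
  purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
  jetstack: https://charts.jetstack.io
  harbor: https://helm.goharbor.io
  traefik: https://traefik.github.io/charts
  hashicorp: https://helm.releases.hashicorp.com

# Ceph RBD CSI driver. The cluster key is presumably supplied by the
# ceph-csi-secret template (not visible here) - keep it out of plain hiera.
rke2::csi_ceph_enable: true
rke2::csi_ceph_clusterid: de96a98f-3d23-465a-a899-86d3d67edab8
rke2::csi_ceph_poolname: kubernetes
# Quoted so no YAML 1.1 parser can ever read a "host:port" as a number.
rke2::csi_ceph_monitors:
  - '198.18.23.9:6789'
  - '198.18.23.10:6789'
  - '198.18.23.11:6789'
  - '198.18.23.12:6789'
  - '198.18.23.13:6789'
rke2::csi_ceph_files:
  - ceph-csi-nodeplugin-rbac
  - ceph-csi-provisioner-rbac
  - ceph-csi-rbdplugin-provisioner
  - ceph-csi-rbdplugin
rke2::csi_ceph_templates:
  - ceph-csi-config
  - ceph-csi-secret

# Extra manifests the rke2 module drops on the server (names are file names
# the module looks up - do not rename them here).
rke2::extra_config_files:
  - namespaces
  - rke2-canal-config
  - purelb-config
  - ingres-lb-nginx
  - ingres-route-rancher

# Presumably passed through as the RKE2 config.yaml; keys are RKE2 flag names.
rke2::config_hash:
  advertise-address: "%{hiera('networking_loopback0_ip')}"
  # NOTE(review): this replaces the default "cluster.local"; service FQDNs
  # become <svc>.<ns>.svc.svc.k8s.unkin.net - confirm that is intended.
  cluster-domain: "svc.k8s.unkin.net"
  # Every name clients use to reach the API server / supervisor must be a SAN
  # on the serving certificate, otherwise TLS verification fails.
  tls-san:
    - "join-k8s.service.consul"
    - "api-k8s.service.consul"
    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: canal
  cluster-cidr: 10.42.0.0/16
  service-cidr: 10.43.0.0/16
  cluster-dns: 10.43.0.10
  # Extra process flags are lists of "flag=value" entries, the same form as
  # kube-apiserver-arg below. The previous single string "--flag value" had
  # no "=" and may not have been split into flag and value by RKE2.
  etcd-arg:
    - '--quota-backend-bytes=2048000000'
  etcd-snapshot-schedule-cron: "0 3 * * *"
  etcd-snapshot-retention: 10
  # NOTE(review): no CIS profile or audit-log flags appear here; if hardening
  # is expected, confirm the rke2 module applies it elsewhere.
  kube-apiserver-arg:
    - '--default-not-ready-toleration-seconds=30'
    - '--default-unreachable-toleration-seconds=30'
  kube-controller-manager-arg:
    - '--node-monitor-period=4s'
  # kubelet refuses to start rather than rewrite kernel sysctls it needs.
  protect-kernel-defaults: true
  disable-kube-proxy: false

# configure consul service
consul::services:
  api-k8s:
    service_name: 'api-k8s'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
      - id: 'api-k8s_livez_check'
        name: 'api-k8s livez Check'
        # Runs as root through the sudoers entry at the bottom of this file;
        # the script is invoked with no arguments.
        args:
          - sudo
          - /usr/local/bin/check_k8s_api.sh
        interval: '10s'
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      - id: 'rke2_tcp_check_9345'
        name: 'rke2 TCP Check 9345'
        tcp: "%{hiera('networking_loopback0_ip')}:9345"
        interval: '10s'
        timeout: '1s'

# Consul ACL rules for this node: presumably write access only to its own two
# service registrations, nothing cluster-wide.
profiles::consul::client::node_rules:
  - resource: service
    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write

# SANs requested from Vault PKI for this node's certificate.
profiles::pki::vault::alt_names:
  - api-k8s.service.consul
  - api-k8s.query.consul
  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"

sudo::configs:
  consul-checks:
    priority: 20
    # Least privilege for the health check: the target user is root only
    # (the check never needs another user) and the trailing "" restricts the
    # rule to the command run with *no* arguments, so the consul account
    # cannot pass extra arguments to it. The script must be root-owned and
    # not writable by consul, otherwise this entry is a root escalation.
    content: |
      consul ALL=(root) NOPASSWD: /usr/local/bin/check_k8s_api.sh ""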