puppet-prod/modules/rke2/manifests/config.pp

# config rke2
class rke2::config (
  Enum['server', 'agent'] $node_type = $rke2::node_type,
  Stdlib::Absolutepath    $config_file = $rke2::config_file,
  Hash                    $config_hash = $rke2::config_hash,
  Stdlib::HTTPSUrl        $join_url = $rke2::join_url,
  Stdlib::Fqdn            $bootstrap_node = $rke2::bootstrap_node,
  String                  $node_token = $rke2::node_token,
){

  # if agent, add token. what other fields should i add?
  # how can I add a tls secret using kubectl to add ephemeral certs.

  # if its not the bootstrap node, add join path to config
  if $node_type == 'server' {
    if $trusted['certname'] != $bootstrap_node {
      $config = merge($config_hash, {
        server => $join_url,
        token  => $node_token,
      } )
    }else{
      $config = $config_hash
    }
  } elsif $node_type == 'agent' {
      $config = merge($config_hash, {
        server => $join_url,
        token  => $node_token,
      } )
  }else{
    $config = $config_hash
  }

  # create the config file
  file { $config_file:
    ensure  => file,
    content => Sensitive($config.to_yaml),
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
  }

  # create a script to verify k8s api is up (used by consul)
  file {'/usr/local/bin/check_k8s_api.sh':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///modules/rke2/check_k8s_api.sh'
  }

  # symlink kubectl to path
  file {'/usr/bin/kubectl':
    ensure => link,
    target => '/var/lib/rancher/rke2/bin/kubectl',
  }

  # manage cilium config
  file {'/var/lib/rancher/rke2/server/manifests/rke2-cilium-config.yaml':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/rke2/rke2-cilium-config.yaml'
  }

}