puppet-prod/hieradata/roles/infra/k8s/control.yaml

---
# manage rke2
rke2::node_type: server
rke2::config_hash:
  advertise-address: "%{hiera('networking_loopback0_ip')}"
  cluster-domain: "svc.k8s.unkin.net"
  tls-san:
    - "join-k8s.service.consul"
    - "api-k8s.service.consul"
    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: cilium

# configure consul service
consul::services:
  api-k8s:
    service_name: 'api-k8s'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
      - id: 'api-k8s_livez_check'
        name: 'api-k8s livez Check'
        args:
          - sudo
          - /usr/local/bin/check_k8s_api.sh
        interval: '10s'
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      - id: 'rke2_tcp_check_9345'
        name: 'rke2 TCP Check 9345'
        tcp: "%{hiera('networking_loopback0_ip')}:9345"
        interval: '10s'
        timeout: '1s'
profiles::consul::client::node_rules:
  - resource: service
    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write

profiles::pki::vault::alt_names:
  - api-k8s.service.consul
  - api-k8s.query.consul
  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"

sudo::configs:
  consul-checks:
    priority: 20
    content: |
      consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh