This change installs Rancher, PureLB and cert-manager, then configures a DMZ and a common IP pool to be used by load balancers. The NGINX ingress controller is configured to use 198.18.200.0 (common) and to announce the IP from all nodes so that it becomes an anycast IP in OSPF. - manage the install of Rancher, PureLB and cert-manager - add Rancher ingress routes - add NGINX externalIP/loadBalancer
---
# manage rke2
#
# Hiera data for an rke2 *server* node. The rke2 module installs helm and the
# chart repos below, then applies the manifests listed in
# rke2::extra_config_files in the order given (the numeric prefix encodes that
# order: namespaces first, then the operators, then the config that depends
# on them).
rke2::node_type: server

rke2::helm_install: true

# Chart repositories, all fetched over HTTPS. NOTE(review): metallb is listed
# but no metallb manifest appears in rke2::extra_config_files below —
# presumably superseded by purelb; drop it once confirmed unused so a stale
# repo is not polled.
rke2::helm_repos:
  metallb: https://metallb.github.io/metallb
  rancher-stable: https://releases.rancher.com/server-charts/stable
  purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
  jetstack: https://charts.jetstack.io

# Manifest files the module places in the rke2 server manifests directory.
# Chart versions (and any CRDs) live in those files, not here — make sure
# each pins a chart version rather than floating on the newest release.
rke2::extra_config_files:
  - 000_namespaces
  - 010_rke2-canal-config
  - 010_cert-manager
  - 010_purelb
  - 010_rancher
  - 100_purelb_config
  - 200_ingres_lb_nginx
  - 201_ingres_route_rancher

# Rendered into the rke2 config file (hyphenated rke2 option names).
rke2::config_hash:
  # Advertise the loopback address (the one announced in OSPF) rather than a
  # physical interface, so peers keep reaching the API if a link flaps.
  advertise-address: "%{hiera('networking_loopback0_ip')}"
  # NOTE(review): kubelet forms service names as <svc>.<ns>.svc.<cluster-domain>,
  # so this yields e.g. foo.ns.svc.svc.k8s.unkin.net — confirm the doubled
  # "svc" is intended and not meant to be plain "k8s.unkin.net".
  cluster-domain: "svc.k8s.unkin.net"
  # Every hostname used to reach the API (6443) or the supervisor/join port
  # (9345) must be listed here, or the serving certificate will not validate.
  # The two *.service.consul names are the ones registered under
  # consul::services below.
  tls-san:
    - "join-k8s.service.consul"
    - "api-k8s.service.consul"
    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: canal
  cluster-cidr: 10.42.0.0/16
  service-cidr: 10.43.0.0/16
  cluster-dns: 10.43.0.10
  # etcd backend DB quota. NOTE(review): etcd's built-in default is 2 GiB
  # (2147483648 bytes), so 2048000000 is marginally *below* it — if the intent
  # was to raise the quota, increase this. Also, rke2 documents etcd-arg
  # entries as "key=value" (e.g. quota-backend-bytes=2048000000); confirm the
  # "--flag value" form used here is accepted by the rke2 version in use.
  etcd-arg: "--quota-backend-bytes 2048000000"
  # Nightly local snapshots, keep the last 10. These are stored on the node
  # itself and do not survive losing the node — off-node copies need the
  # etcd-s3-* options or an external job.
  etcd-snapshot-schedule-cron: "0 3 * * *"
  etcd-snapshot-retention: 10
  # Evict pods from a NotReady/unreachable node after 30s instead of the 5m
  # default, paired with the faster node monitor period below.
  kube-apiserver-arg:
    - '--default-not-ready-toleration-seconds=30'
    - '--default-unreachable-toleration-seconds=30'
  kube-controller-manager-arg:
    - '--node-monitor-period=4s'
  # CIS hardening: kubelet refuses to start if kernel parameters differ from
  # what it expects, instead of silently rewriting them.
  protect-kernel-defaults: true
  # Explicitly keep kube-proxy (the default); canal relies on it for Services.
  disable-kube-proxy: false

# configure consul service
#
# Register this node under the two Consul service names that also appear in
# the rke2 tls-san list above: api-k8s (kube-apiserver, 6443) and join-k8s
# (rke2 supervisor/join port, 9345). A node whose check fails is marked
# critical and dropped from the Consul DNS answer for that name.
consul::services:
  api-k8s:
    service_name: 'api-k8s'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
      # Script check executed by the consul agent. It requires the agent to
      # have local script checks enabled (presumably set by the consul
      # profile — confirm). The sudo is paired with the 'consul-checks' rule
      # under sudo::configs in this file; presumably the script needs root
      # to read the rke2 admin credentials. Because of that rule the script
      # itself must be owned by root and not writable by the consul user,
      # otherwise this check is a consul -> root escalation path.
      - id: 'api-k8s_livez_check'
        name: 'api-k8s livez Check'
        args:
          - sudo
          - /usr/local/bin/check_k8s_api.sh
        interval: '10s'
        # 1s has to cover sudo + the script + the API round trip; a slow
        # node is marked critical (and leaves DNS) rather than merely slow.
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      # Plain TCP connect to the supervisor port on the loopback address
      # (the same address rke2 advertises). No privileges required.
      - id: 'rke2_tcp_check_9345'
        name: 'rke2 TCP Check 9345'
        tcp: "%{hiera('networking_loopback0_ip')}:9345"
        interval: '10s'
        timeout: '1s'

# Consul ACL rules for this node's agent token: write (register/deregister)
# on exactly the two services declared above. Presumably rendered into a
# node-specific policy by the profiles::consul::client class — keep the list
# limited to what this node registers so a compromised agent cannot hijack
# other service names in the catalog.
profiles::consul::client::node_rules:
  - resource: service
    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write

# Extra SANs for the node certificate issued through Vault PKI, so it is valid
# for the Consul DNS names the API is reached by: the service name, the
# prepared-query name, and the datacenter-qualified form (dc is
# "<country>-<region>"). NOTE(review): join-k8s.* is deliberately absent? The
# rke2 serving certificate (tls-san above) covers 9345, so that looks
# intentional — confirm nothing terminates TLS for 9345 with this cert.
profiles::pki::vault::alt_names:
  - api-k8s.service.consul
  - api-k8s.query.consul
  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"

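# Sudoers fragment letting the consul agent run the api-k8s health-check
# script (see consul::services above) as root without a password.
#
# Hardened relative to a bare "consul ALL=(ALL) NOPASSWD: <script>" rule:
#   - (root) instead of (ALL): the check only ever needs root, so do not
#     also grant every other account.
#   - the trailing "" pins the command to *no arguments*; the consul check
#     invokes it with none, and this stops a compromised consul user from
#     feeding the script arbitrary argv via sudo.
# Regardless of the rule, /usr/local/bin/check_k8s_api.sh must be owned by
# root and not writable by consul (e.g. root:root 0755); otherwise this is a
# direct consul -> root escalation.
sudo::configs:
  consul-checks:
    priority: 20
    content: |
      consul ALL=(root) NOPASSWD: /usr/local/bin/check_k8s_api.sh ""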