Improve handling of manage_* parameters

ananace · ananace · commit 4680dcc5de94 · 2025-03-26T17:49:34.000+01:00
Will no longer break catalog compilation and/or application when turning
off manage_* parameters, and also respects them more

Also removes a no longer required jq call from kubelet bootstrap, modern
kubernetes can do non-raw output with an unauthenticated user
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -732,6 +732,7 @@ The following parameters are available in the `k8s::node` class:
 * [`firewall_type`](#-k8s--node--firewall_type)
 * [`manage_crictl`](#-k8s--node--manage_crictl)
 * [`manage_firewall`](#-k8s--node--manage_firewall)
+* [`manage_packages`](#-k8s--node--manage_packages)
 * [`manage_kernel_modules`](#-k8s--node--manage_kernel_modules)
 * [`manage_kubelet`](#-k8s--node--manage_kubelet)
 * [`manage_proxy`](#-k8s--node--manage_proxy)
@@ -803,6 +804,14 @@ whether to manage firewall or not
 
 Default value: `$k8s::manage_firewall`
 
+##### <a name="-k8s--node--manage_packages"></a>`manage_packages`
+
+Data type: `Boolean`
+
+whether to manage packages
+
+Default value: `$k8s::manage_packages`
+
 ##### <a name="-k8s--node--manage_kernel_modules"></a>`manage_kernel_modules`
 
 Data type: `Boolean`
diff --git a/manifests/binary.pp b/manifests/binary.pp
@@ -136,7 +136,7 @@
     }
   }
 
-  if $active and $packaging != 'container' and !defined(File["/usr/bin/${name}"]) {
+  if $active and $packaging != 'container' and $_packaging != 'manual' and !defined(File["/usr/bin/${name}"]) {
     if $packaging == 'package' {
       file { "/usr/bin/${name}":
         ensure  => $ensure,
diff --git a/manifests/common.pp b/manifests/common.pp
@@ -69,9 +69,5 @@
     '/usr/libexec/kubernetes': ;
     '/var/lib/kubelet': ;
     '/var/lib/kubelet/pki': ;
-
-    '/usr/share/containers/': ;
-    '/usr/share/containers/oci/': ;
-    '/usr/share/containers/oci/hooks.d': ;
   }
 }
diff --git a/manifests/install/container_runtime.pp b/manifests/install/container_runtime.pp
@@ -86,6 +86,15 @@
     name   => $pkg,
   }
 
+  file {
+    default:
+      ensure => directory;
+
+    '/usr/share/containers/': ;
+    '/usr/share/containers/oci/': ;
+    '/usr/share/containers/oci/hooks.d': ;
+  }
+
   if $manage_repo {
     require k8s::repo
   }
diff --git a/manifests/node.pp b/manifests/node.pp
@@ -7,6 +7,7 @@
 # @param firewall_type define the type of firewall to use
 # @param manage_crictl toggle to install crictl
 # @param manage_firewall whether to manage firewall or not
+# @param manage_packages whether to manage packages
 # @param manage_kernel_modules whether to load kernel modules or not
 # @param manage_kubelet whether to manage kublet or not
 # @param manage_proxy whether to manage kube-proxy or not
@@ -33,6 +34,7 @@
   Boolean $manage_proxy             = $k8s::manage_kube_proxy == 'on-node',
   Boolean $manage_crictl            = false,
   Boolean $manage_firewall          = $k8s::manage_firewall,
+  Boolean $manage_packages          = $k8s::manage_packages,
   Boolean $manage_kernel_modules    = $k8s::manage_kernel_modules,
   Boolean $manage_sysctl_settings   = $k8s::manage_sysctl_settings,
   Boolean $manage_simple_cni        = false,
diff --git a/manifests/node/kubelet.pp b/manifests/node/kubelet.pp
@@ -69,7 +69,6 @@
   case $auth {
     'bootstrap': {
       $_ca_cert = pick($ca_cert, '/var/lib/kubelet/pki/ca.pem')
-      ensure_packages(['jq'])
       if !defined(K8s::Binary['kubectl']) {
         k8s::binary { 'kubectl':
           ensure => $ensure,
@@ -83,12 +82,9 @@
       ~> exec { 'Retrieve K8s CA':
         path    => ['/usr/local/bin','/usr/bin','/bin'],
         command => "kubectl --server='${control_plane_url}' --username=anonymous --insecure-skip-tls-verify=true \
-          get --raw /api/v1/namespaces/kube-system/configmaps/cluster-info | jq .data.ca -r > '${_ca_cert}'",
+          get --namespace=kube-system configmap cluster-info --output=jsonpath={.data.ca} > '${_ca_cert}'",
         creates => $_ca_cert,
-        require => [
-          K8s::Binary['kubectl'],
-          Package['jq'],
-        ],
+        require => K8s::Binary['kubectl'],
       }
       -> kubeconfig { $_bootstrap_kubeconfig:
         ensure          => $ensure,
@@ -275,7 +271,9 @@
     }
   }
 
-  Class['k8s::install::container_runtime'] -> Service['kubelet']
+  if defined(Class['k8s::install::container_runtime']) {
+    Class['k8s::install::container_runtime'] -> Service['kubelet']
+  }
   Package <| title == 'containernetworking-plugins' |> -> Service['kubelet']
 
   if $manage_firewall {

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@`
`136`	`136`	`}`
`137`	`137`	`}`
`138`	`138`
`139`		`- if $active and $packaging != 'container' and !defined(File["/usr/bin/${name}"]) {`
	`139`	`+ if $active and $packaging != 'container' and $_packaging != 'manual' and !defined(File["/usr/bin/${name}"]) {`
`140`	`140`	`if $packaging == 'package' {`
`141`	`141`	`file { "/usr/bin/${name}":`
`142`	`142`	`ensure => $ensure,`
Original file line number	Diff line number	Diff line change
`@@ -69,9 +69,5 @@`
`69`	`69`	`'/usr/libexec/kubernetes': ;`
`70`	`70`	`'/var/lib/kubelet': ;`
`71`	`71`	`'/var/lib/kubelet/pki': ;`
`72`		`-`
`73`		`- '/usr/share/containers/': ;`
`74`		`- '/usr/share/containers/oci/': ;`
`75`		`- '/usr/share/containers/oci/hooks.d': ;`
`76`	`72`	`}`
`77`	`73`	`}`