Merge pull request #66 from ananace/hieraify-defaults

Initial work on hiera-ifying and Puppet 8 support for standalone etcd

Author: ananace

REFERENCE.md

@@ -0,0 +1,74 @@
+# @summary Sets up common Kubernetes components - users/groups/folders/etc
+# @api private
+class k8s::common {
+  assert_private()
+
+  group { $k8s::group:
+    ensure => present,
+    system => true,
+    gid    => $k8s::gid,
+  }
+
+  user { $k8s::user:
+    ensure     => present,
+    comment    => 'Kubernetes user',
+    gid        => $k8s::group,
+    home       => '/srv/kubernetes',
+    managehome => false,
+    shell      => (fact('os.family') ? {
+        'Debian' => '/usr/sbin/nologin',
+        default  => '/sbin/nologin',
+    }),
+    system     => true,
+    uid        => $k8s::uid,
+  }
+
+  file {
+    default:
+      ensure  => directory,
+      force   => true,
+      purge   => true,
+      recurse => true;
+
+    '/opt/k8s': ;
+    '/opt/k8s/bin': ;
+  }
+
+  file { '/var/run/kubernetes':
+    ensure => directory,
+    owner  => $k8s::user,
+    group  => $k8s::group,
+  }
+
+  file { "${k8s::sysconfig_path}/kube-common":
+    ensure  => file,
+    content => epp('k8s/sysconfig.epp', {
+        comment               => 'General Kubernetes Configuration',
+        environment_variables => {
+          'KUBE_LOG_LEVEL'   => '',
+        },
+    }),
+  }
+
+  file {
+    default:
+      ensure => directory;
+
+    '/etc/kubernetes': ;
+    '/etc/kubernetes/certs': ;
+    '/etc/kubernetes/manifests':
+      purge   => $k8s::purge_manifests,
+      recurse => true;
+    '/root/.kube': ;
+    '/srv/kubernetes':
+      owner => $k8s::user,
+      group => $k8s::group;
+    '/usr/libexec/kubernetes': ;
+    '/var/lib/kubelet': ;
+    '/var/lib/kubelet/pki': ;
+
+    '/usr/share/containers/': ;
+    '/usr/share/containers/oci/': ;
+    '/usr/share/containers/oci/hooks.d': ;
+  }
+}

manifests/common.pp

@@ -37,10 +37,10 @@
 # @param puppetdb_discovery whether to use puppetdb for node discovery
 # @param puppetdb_discovery_tag tag to use for puppetdb node discovery
 # @param purge_manifests whether to purge manifests
-# @param role role of the node
+# @param role the role of the node
 # @param runc_version version of runc to install
 # @param service_cluster_cidr CIDR for the service network
-# @param sysconfig_path path to the sysconfig directory
+# @param sysconfig_path path to the sysconfig directory, per-OS values are configured in hiera
 # @param tarball_url_template template for tarball packaging
 # @param uid user id for kubernetes files and services
 # @param user username for kubernetes files and services
@@ -82,7 +82,7 @@
   String[1] $tarball_url_template            = 'https://dl.k8s.io/release/v%{version}/kubernetes-%{component}-%{kernel}-%{arch}.tar.gz',
   String[1] $package_template                = 'kubernetes-%{component}',
   String[1] $hyperkube_name                  = 'hyperkube',
-  Optional[Stdlib::Unixpath] $sysconfig_path = undef,
+  Stdlib::Unixpath $sysconfig_path           = '/etc/sysconfig',
 
   K8s::Node_auth $node_auth = 'bootstrap',
 
@@ -95,108 +95,19 @@
   Stdlib::Fqdn $cluster_domain                       = 'cluster.local',
   String[1] $etcd_cluster_name                       = 'default',
 
-  Enum['node','server','none']  $role    = 'none',
+  Optional[K8s::Node_role] $role = undef,
   Optional[K8s::Firewall] $firewall_type = undef,
 
   String[1] $user        = 'kube',
   String[1] $group       = 'kube',
   Integer[0, 65535] $uid = 888,
   Integer[0, 65535] $gid = 888,
 ) {
-  if $manage_container_manager {
-    include k8s::install::container_runtime
-  }
-
-  group { $group:
-    ensure => present,
-    system => true,
-    gid    => $gid,
-  }
-
-  user { $user:
-    ensure     => present,
-    comment    => 'Kubernetes user',
-    gid        => $group,
-    home       => '/srv/kubernetes',
-    managehome => false,
-    shell      => (fact('os.family') ? {
-        'Debian' => '/usr/sbin/nologin',
-        default  => '/sbin/nologin',
-    }),
-    system     => true,
-    uid        => $uid,
-  }
-
-  file {
-    default:
-      ensure  => directory,
-      force   => true,
-      purge   => true,
-      recurse => true;
-
-    '/opt/k8s': ;
-    '/opt/k8s/bin': ;
-  }
-
-  file { '/var/run/kubernetes':
-    ensure => directory,
-    owner  => $user,
-    group  => $group,
-  }
-
-  $_sysconfig_path = pick($sysconfig_path, '/etc/sysconfig')
-  file { "${_sysconfig_path}/kube-common":
-    ensure  => file,
-    content => epp('k8s/sysconfig.epp', {
-        comment               => 'General Kubernetes Configuration',
-        environment_variables => {
-          'KUBE_LOG_LEVEL'   => '',
-        },
-    }),
-  }
-
-  file {
-    default:
-      ensure => directory;
-
-    '/etc/kubernetes': ;
-    '/etc/kubernetes/certs': ;
-    '/etc/kubernetes/manifests':
-      purge   => $purge_manifests,
-      recurse => true;
-    '/root/.kube': ;
-    '/srv/kubernetes':
-      owner => $user,
-      group => $group;
-    '/usr/libexec/kubernetes': ;
-    '/var/lib/kubelet': ;
-    '/var/lib/kubelet/pki': ;
-
-    '/usr/share/containers/': ;
-    '/usr/share/containers/oci/': ;
-    '/usr/share/containers/oci/hooks.d': ;
-  }
-
-  if $manage_repo {
-    include k8s::repo
-  }
-
-  if $manage_packages {
-    # Ensure conntrack is installed to properly handle networking cleanup
-    if fact('os.family') == 'Debian' {
-      $_conntrack = 'conntrack'
-    } else {
-      $_conntrack = 'conntrack-tools'
-    }
-
-    ensure_packages([$_conntrack,])
-  }
-
-  include k8s::install::cni_plugins
-
-  if $role == 'server' {
-    include k8s::server
+  if $role == 'server' or $role == 'control-plane' {
+    contain k8s::server
   } elsif $role == 'node' {
-    include k8s::node
+    contain k8s::node
+  } elsif $role == 'etcd-replica' {
+    contain k8s::server::etcd
   }
 }

manifests/init.pp

@@ -87,6 +87,6 @@
   }
 
   if $manage_repo {
-    Class['k8s::repo'] -> Package['k8s container manager']
+    require k8s::repo
   }
 }

manifests/install/container_runtime.pp

@@ -21,8 +21,9 @@
   Stdlib::HTTPUrl $download_url_template = 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz',
 ) {
   if $manage_repo {
-    $pkg = pick($crictl_package, 'cri-tools')
+    include k8s::repo
 
+    $pkg = pick($crictl_package, 'cri-tools')
     package { $pkg:
       ensure => stdlib::ensure($ensure, 'package'),
     }

manifests/install/crictl.pp

@@ -54,6 +54,24 @@
 
   Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type,
 ) {
+  include k8s::common
+  include k8s::install::cni_plugins
+
+  if $k8s::manage_container_manager {
+    include k8s::install::container_runtime
+  }
+  if $k8s::manage_repo {
+    include k8s::repo
+  }
+  if $k8s::manage_packages {
+    # Ensure conntrack is installed to properly handle networking cleanup
+    $_conntrack = fact('os.family') ? {
+      'Debian' => 'conntrack',
+      default  => 'conntrack-tools',
+    }
+    ensure_packages([$_conntrack,])
+  }
+
   if $manage_crictl {
     include k8s::install::crictl
   }

manifests/node.pp

@@ -1,4 +1,5 @@
 # @summary Sets up a on-node kube-proxy instance
+# @api private
 #
 # For most use-cases, running kube-proxy inside the cluster itself is recommended
 #
@@ -100,8 +101,7 @@
 
   if $k8s::packaging == 'container' {
   } else {
-    $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
-    file { "${_sysconfig_path}/kube-proxy":
+    file { "${k8s::sysconfig_path}/kube-proxy":
       ensure  => $_ensure,
       content => epp('k8s/sysconfig.epp', {
           comment               => 'Kubernetes kube-proxy configuration',
@@ -122,7 +122,7 @@
           bin  => 'kube-proxy',
       }),
       require => [
-        File["${_sysconfig_path}/kube-proxy"],
+        File["${k8s::sysconfig_path}/kube-proxy"],
         User[$k8s::user],
       ],
       notify  => Service['kube-proxy'],

manifests/node/kube_proxy.pp

@@ -1,4 +1,5 @@
 # @summary Installs and configures kubelet
+# @api private
 #
 # @param arguments additional arguments to pass to kubelet
 # @param auth type of node authentication
@@ -52,6 +53,8 @@
 
   Optional[K8s::Firewall] $firewall_type = $k8s::node::firewall_type,
 ) {
+  assert_private()
+
   k8s::binary { 'kubelet':
     ensure => $ensure,
     notify => Service['kubelet'],
@@ -231,8 +234,7 @@
       node_ip                    => $_node_ip,
   } + $arguments)
 
-  $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
-  file { "${_sysconfig_path}/kubelet":
+  file { "${k8s::sysconfig_path}/kubelet":
     content => epp('k8s/sysconfig.epp', {
         comment               => 'Kubernetes Kubelet configuration',
         environment_variables => {
@@ -252,7 +254,7 @@
         bin   => 'kubelet',
     }),
     require => [
-      File["${_sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'],
+      File["${k8s::sysconfig_path}/kubelet", '/etc/kubernetes/kubelet.conf'],
       User[$k8s::user],
     ],
     notify  => Service['kubelet'],

manifests/node/kubelet.pp

@@ -59,6 +59,8 @@
   Optional[K8s::Firewall] $firewall_type         = $k8s::firewall_type,
   String[1] $etcd_cluster_name                   = $k8s::etcd_cluster_name,
 ) {
+  include k8s::common
+
   if $manage_etcd {
     class { 'k8s::server::etcd':
       ensure          => $ensure,

manifests/server.pp

@@ -1,4 +1,5 @@
 # @summary Installs and configures a Kubernetes apiserver
+# @api private
 #
 # @param advertise_address bind address of the apiserver
 # @param aggregator_ca_cert path to the aggregator ca cert file
@@ -263,8 +264,7 @@
     }
     # TODO: Create a dummy kube-apiserver service that just requires kubelet
   } else {
-    $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
-    file { "${_sysconfig_path}/kube-apiserver":
+    file { "${k8s::sysconfig_path}/kube-apiserver":
       content => epp('k8s/sysconfig.epp', {
           comment               => 'Kubernetes API Server configuration',
           environment_variables => {
@@ -287,7 +287,7 @@
           group => $k8s::group,
       }),
       require => [
-        File["${_sysconfig_path}/kube-apiserver"],
+        File["${k8s::sysconfig_path}/kube-apiserver"],
         User[$k8s::user],
       ],
       notify  => Service['kube-apiserver'],