Puppet Class: profile::kubernetes::master

Defined in:
modules/profile/manifests/kubernetes/master.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • version (K8s::KubernetesVersion) (defaults to: lookup('profile::kubernetes::version', { default_value => '1.16' }))
  • kubernetes_cluster_group (String) (defaults to: lookup('profile::kubernetes::master::cluster_group'))
  • master_fqdn (Stdlib::Fqdn) (defaults to: lookup('profile::kubernetes::master_fqdn'))
  • etcd_urls (Array[String]) (defaults to: lookup('profile::kubernetes::master::etcd_urls'))
  • accessible_to (String) (defaults to: lookup('profile::kubernetes::master::accessible_to'))
  • service_cluster_cidr (K8s::ClusterCIDR) (defaults to: lookup('profile::kubernetes::service_cluster_cidr'))
  • service_node_port_range (Optional[String]) (defaults to: lookup('profile::kubernetes::master::service_node_port_range', { 'default_value' => undef }))
  • service_cert (Optional[Stdlib::Fqdn]) (defaults to: lookup('profile::kubernetes::master::service_cert', { 'default_value' => undef }))
  • use_cergen (Boolean) (defaults to: lookup('profile::kubernetes::master::use_cergen', { default_value => false }))
  • ssl_cert_path (Stdlib::Unixpath) (defaults to: lookup('profile::kubernetes::master::ssl_cert_path'))
  • ssl_key_path (Stdlib::Unixpath) (defaults to: lookup('profile::kubernetes::master::ssl_key_path'))
  • authz_mode (String) (defaults to: lookup('profile::kubernetes::master::authz_mode'))
  • service_account_private_key_file (Optional[Stdlib::Unixpath]) (defaults to: lookup('profile::kubernetes::master::service_account_private_key_file', { 'default_value' => undef }))
  • prometheus_url (Stdlib::Httpurl) (defaults to: lookup('profile::kubernetes::master::prometheus_url', { 'default_value' => "http://prometheus.svc.${::site}.wmnet/k8s" }))
  • runtime_config (Optional[String]) (defaults to: lookup('profile::kubernetes::master::runtime_config', { 'default_value' => undef }))
  • allow_privileged (Boolean) (defaults to: lookup('profile::kubernetes::master::allow_privileged', { default_value => false }))
  • controllermanager_token (String) (defaults to: lookup('profile::kubernetes::master::controllermanager_token'))
  • scheduler_token (String) (defaults to: lookup('profile::kubernetes::master::scheduler_token'))
  • all_infrastructure_users (Hash[String, Profile::Kubernetes::User_tokens]) (defaults to: lookup('profile::kubernetes::infrastructure_users'))
  • admission_plugins (Optional[K8s::AdmissionPlugins]) (defaults to: lookup('profile::kubernetes::master::admission_plugins', { default_value => undef }))
  • admission_configuration (Optional[Array[Hash]]) (defaults to: lookup('profile::kubernetes::master::admission_configuration', { default_value => undef }))
  • ipv6dualstack (Boolean) (defaults to: lookup('profile::kubernetes::ipv6dualstack', { default_value => false }))


# File 'modules/profile/manifests/kubernetes/master.pp', line 2

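# @summary Configure a Kubernetes control-plane host: apiserver, scheduler,
#   controller-manager, their kubeconfigs, and the ferm rule for tcp/6443.
#
# The apiserver receives only the entries of
# profile::kubernetes::infrastructure_users that belong to this cluster group
# and (via "constrain_to") to this master. Scheduler and controller-manager each
# get a dedicated kubeconfig carrying a static bearer token.
#
# @param version Kubernetes version handed to k8s::apiserver, k8s::scheduler and k8s::controller.
# @param kubernetes_cluster_group Key of $all_infrastructure_users that selects this cluster's users.
# @param master_fqdn Used as master_host in both kubeconfigs and in the
#   service-account issuer URL "https://<master_fqdn>:6443".
# @param etcd_urls etcd endpoints, joined with ',' for the apiserver.
# @param accessible_to Host(s) allowed to reach tcp/6443: a single host name or a
#   list of them. SPECIAL VALUE: 'all' passes no srange to ferm::service, i.e.
#   the API port is open to the world.
# @param service_cluster_cidr Passed to k8s::apiserver.
# @param service_node_port_range Passed to k8s::apiserver.
# @param service_cert When set, an sslcert::certificate of that name is managed
#   (group 'kube'; skip_private => false presumably deploys the key as well —
#   confirm in sslcert::certificate).
# @param use_cergen Passed through to sslcert::certificate.
# @param ssl_cert_path Apiserver TLS certificate; also handed over as service_account_key.
# @param ssl_key_path Apiserver TLS private key.
# @param authz_mode Passed to k8s::apiserver.
# @param service_account_private_key_file Service-account signing key, given to
#   both k8s::apiserver and k8s::controller.
# @param prometheus_url Looked up but not referenced anywhere in this class
#   (TODO: wire it up or drop it).
# @param runtime_config Passed to k8s::apiserver.
# @param allow_privileged Passed to k8s::apiserver; defaults to false.
# @param controllermanager_token Static bearer token written into the
#   controller-manager kubeconfig.
# @param scheduler_token Static bearer token written into the scheduler kubeconfig.
# @param all_infrastructure_users Per-cluster-group map of users to token data
#   (Profile::Kubernetes::User_tokens); entries may carry a "constrain_to" regexp.
# @param admission_plugins Passed to k8s::apiserver.
# @param admission_configuration Passed to k8s::apiserver.
# @param ipv6dualstack Passed to k8s::apiserver.
#
# NOTE(review): the two *_token parameters and the tokens inside
# $all_infrastructure_users are secrets held as plain String, so they appear
# unredacted in catalogs and reports; Sensitive[String] would be the usual
# mitigation, but k8s::kubeconfig/k8s::apiserver would need to unwrap it.
class profile::kubernetes::master (
    K8s::KubernetesVersion $version = lookup('profile::kubernetes::version', { default_value => '1.16' }),
    String $kubernetes_cluster_group = lookup('profile::kubernetes::master::cluster_group'),
    Stdlib::Fqdn $master_fqdn = lookup('profile::kubernetes::master_fqdn'),
    Array[String] $etcd_urls=lookup('profile::kubernetes::master::etcd_urls'),
    # List of hosts this is accessible to (a single host name is accepted too).
    # SPECIAL VALUE: use 'all' to have this port be open to the world
    Variant[String, Array[String]] $accessible_to=lookup('profile::kubernetes::master::accessible_to'),
    K8s::ClusterCIDR $service_cluster_cidr=lookup('profile::kubernetes::service_cluster_cidr'),
    Optional[String] $service_node_port_range=lookup('profile::kubernetes::master::service_node_port_range', { 'default_value' => undef }),
    Optional[Stdlib::Fqdn] $service_cert=lookup('profile::kubernetes::master::service_cert', { 'default_value' => undef }),
    Boolean $use_cergen=lookup('profile::kubernetes::master::use_cergen', { default_value => false }),
    Stdlib::Unixpath $ssl_cert_path=lookup('profile::kubernetes::master::ssl_cert_path'),
    Stdlib::Unixpath $ssl_key_path=lookup('profile::kubernetes::master::ssl_key_path'),
    String $authz_mode=lookup('profile::kubernetes::master::authz_mode'),
    Optional[Stdlib::Unixpath] $service_account_private_key_file=lookup('profile::kubernetes::master::service_account_private_key_file', { 'default_value' => undef }),
    Stdlib::Httpurl $prometheus_url=lookup('profile::kubernetes::master::prometheus_url', { 'default_value' => "http://prometheus.svc.${::site}.wmnet/k8s" }),
    Optional[String] $runtime_config=lookup('profile::kubernetes::master::runtime_config', { 'default_value' => undef }),
    Boolean $allow_privileged = lookup('profile::kubernetes::master::allow_privileged', { default_value => false }),
    String $controllermanager_token = lookup('profile::kubernetes::master::controllermanager_token'),
    String $scheduler_token = lookup('profile::kubernetes::master::scheduler_token'),
    Hash[String, Profile::Kubernetes::User_tokens] $all_infrastructure_users = lookup('profile::kubernetes::infrastructure_users'),
    Optional[K8s::AdmissionPlugins] $admission_plugins = lookup('profile::kubernetes::master::admission_plugins', { default_value => undef }),
    Optional[Array[Hash]] $admission_configuration = lookup('profile::kubernetes::master::admission_configuration', { default_value => undef }),
    Boolean $ipv6dualstack = lookup('profile::kubernetes::ipv6dualstack', { default_value => false }),
) {
    if $service_cert {
        sslcert::certificate { $service_cert:
            ensure       => present,
            group        => 'kube',
            skip_private => false,
            use_cergen   => $use_cergen,
        }
    }

    $etcd_servers = join($etcd_urls, ',')
    # Get the local users and the corresponding tokens.
    $_users = $all_infrastructure_users[$kubernetes_cluster_group].filter |$_,$data| {
        # If "constrain_to" is defined, restrict the user to the masters that meet the regexp.
        # A regexp broader than intended silently grants the user on more masters,
        # so keep these patterns anchored and specific.
        $data['constrain_to'] ? {
            undef => true,
            default => ($facts['fqdn'] =~ Regexp($data['constrain_to']))
        }
    }
    # Ensure all tokens are unique.
    # Kubernetes will use the last definition of a token, so strange things might
    # happen if a token is used twice. Only the users selected for this master
    # ($_users) are checked, which is also exactly what the apiserver is given.
    $_tokens = $_users.map |$_,$data| { $data['token'] }
    if $_tokens != $_tokens.unique {
        fail('Not all tokens in profile::kubernetes::infrastructure_users are unique')
    }

    class { 'k8s::apiserver':
        etcd_servers                => $etcd_servers,
        ssl_cert_path               => $ssl_cert_path,
        ssl_key_path                => $ssl_key_path,
        users                       => $_users,
        authz_mode                  => $authz_mode,
        allow_privileged            => $allow_privileged,
        version                     => $version,
        service_cluster_cidr        => $service_cluster_cidr,
        service_node_port_range     => $service_node_port_range,
        runtime_config              => $runtime_config,
        admission_plugins           => $admission_plugins,
        admission_configuration     => $admission_configuration,
        # Issuer must match what service-account tokens are validated against.
        service_account_issuer      => "https://${master_fqdn}:6443",
        service_account_signing_key => $service_account_private_key_file,
        # The TLS certificate doubles as the public key for service-account tokens.
        service_account_key         => $ssl_cert_path,
        ipv6dualstack               => $ipv6dualstack,
    }

    $scheduler_kubeconfig = '/etc/kubernetes/scheduler_config'
    k8s::kubeconfig { $scheduler_kubeconfig:
        master_host => $master_fqdn,
        username    => 'system:kube-scheduler',
        token       => $scheduler_token,
        owner       => 'kube',
        group       => 'kube',
    }
    class { 'k8s::scheduler':
        version    => $version,
        kubeconfig => $scheduler_kubeconfig,
    }

    $controllermanager_kubeconfig = '/etc/kubernetes/controller-manager_config'
    k8s::kubeconfig { $controllermanager_kubeconfig:
        master_host => $master_fqdn,
        username    => 'system:kube-controller-manager',
        token       => $controllermanager_token,
        owner       => 'kube',
        group       => 'kube',
    }
    class { 'k8s::controller':
        service_account_private_key_file => $service_account_private_key_file,
        kubeconfig                       => $controllermanager_kubeconfig,
        version                          => $version,
    }

    if $accessible_to == 'all' {
        # No source range is passed to ferm: the API port is reachable from anywhere.
        $accessible_range = undef
    } else {
        # join() requires an Array; wrap a single host name so that restricting
        # access to one host does not fail catalog compilation.
        $accessible_to_ferm = join(Array($accessible_to, true), ' ')
        $accessible_range = "(@resolve((${accessible_to_ferm})) @resolve((${accessible_to_ferm}), AAAA))"
    }

    ferm::service { 'apiserver-https':
        proto  => 'tcp',
        port   => '6443',
        srange => $accessible_range,
    }
}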