Puppet Class: profile::wmcs::kubeadm::etcd

Defined in:
modules/profile/manifests/wmcs/kubeadm/etcd.pp

Overview

Parameters:

  • peer_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::wmcs::kubeadm::etcd_nodes', {default_value => ['localhost']}))
  • checker_hosts (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::wmcs::kubeadm::checker_hosts',{default_value => ['tools-checker-03.tools.eqiad.wmflabs']}))
  • control_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::wmcs::kubeadm::control_nodes',{default_value => ['localhost']}))
  • bootstrap (Boolean) (defaults to: lookup('profile::etcd::cluster_bootstrap', {default_value => false}))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# File 'modules/profile/manifests/wmcs/kubeadm/etcd.pp', line 1

class profile::wmcs::kubeadm::etcd (
    Array[Stdlib::Fqdn] $peer_hosts    = lookup('profile::wmcs::kubeadm::etcd_nodes',   {default_value => ['localhost']}),
    Array[Stdlib::Fqdn] $checker_hosts = lookup('profile::wmcs::kubeadm::checker_hosts',{default_value => ['tools-checker-03.tools.eqiad.wmflabs']}),
    Array[Stdlib::Fqdn] $control_nodes = lookup('profile::wmcs::kubeadm::control_nodes',{default_value => ['localhost']}),
    Boolean             $bootstrap     = lookup('profile::etcd::cluster_bootstrap',     {default_value => false}),
) {
    if $bootstrap {
        $cluster_state = 'new'
    } else {
        $cluster_state = 'existing'
    }

    # for $peers_list we need a string like this:
    # node1=https://node1.project.eqiad.wmflabs:2380,node2=https://node2.project.eqiad.wmflabs:2380,node3=https://node3.project.eqiad.wmflabs:2380
    $protocol    = 'https://'
    $port        = ':2380'
    $peers_list_array = map($peer_hosts) |$element| {
        $value = "${element}=${protocol}${element}${port}"
    }
    $peers_list = join(($peers_list_array), ',')

    # the certificate trick
    $etcd_cert_pub    = "/etc/etcd/ssl/${::fqdn}.pem"
    $etcd_cert_priv   = "/etc/etcd/ssl/${::fqdn}.priv"
    $etcd_cert_ca     = '/etc/etcd/ssl/ca.pem'
    $puppet_cert_pub  = "/var/lib/puppet/ssl/certs/${::fqdn}.pem"
    $puppet_cert_priv = "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem"
    $puppet_cert_ca   = '/var/lib/puppet/ssl/certs/ca.pem'

    file { ['/etc/etcd/', '/etc/etcd/ssl/']:
        ensure => directory,
    }

    file { $etcd_cert_pub:
        ensure  => present,
        source  => "file://${puppet_cert_pub}",
        owner   => 'etcd',
        group   => 'etcd',
        before  => Service['etcd'],
        require => Package['etcd-server'],
    }

    file { $etcd_cert_priv:
        ensure    => present,
        source    => "file://${puppet_cert_priv}",
        owner     => 'etcd',
        group     => 'etcd',
        mode      => '0640',
        show_diff => false,
        before    => Service['etcd'],
        require   => Package['etcd-server'],
    }

    file { $etcd_cert_ca:
        ensure  => present,
        source  => "file://${puppet_cert_ca}",
        owner   => 'etcd',
        group   => 'etcd',
        before  => Service['etcd'],
        require => Package['etcd-server'],
    }

    class { '::etcd::v3':
        member_name      => $::fqdn,
        cluster_state    => $cluster_state,
        peers_list       => $peers_list,
        client_cert      => $etcd_cert_pub,
        client_key       => $etcd_cert_priv,
        trusted_ca       => $etcd_cert_ca,
        peer_cert        => $etcd_cert_pub,
        peer_key         => $etcd_cert_priv,
        use_client_certs => true,
    }

    # restart the etcd service if a cert file changes
    File[$etcd_cert_pub]  ~> Service[etcd]
    File[$etcd_cert_priv] ~> Service[etcd]
    File[$etcd_cert_ca]   ~> Service[etcd]

    $checker_hosts_string = join(($checker_hosts), ' ')
    $control_hosts_string = join(($control_nodes), ' ')
    $peer_hosts_string    = join(($peer_hosts), ' ')
    $firewall_clients     = "@resolve((${checker_hosts_string} ${control_hosts_string} ${peer_hosts_string}))"
    ferm::service { 'etcd_clients':
        proto  => 'tcp',
        port   => 2379,
        srange => $firewall_clients,
    }

    $firewall_peers    = "@resolve((${peer_hosts_string}))"
    ferm::service { 'etcd_peers':
        proto  => 'tcp',
        port   => 2380,
        srange => $firewall_peers,
    }

    #
    # this is for metrics collections. The etcd server requires client certs
    # to fetch metrics. We have a nginx proxy to hide the TLS details from the
    # prometheus client.
    #
    $exposed_port = '9051'
    nginx::site { 'expose_etcd_metrics':
        content => template('profile/toolforge/k8s/etcd/etcd_expose_metrics.nginx.erb'),
    }

    ferm::service { 'etcd-metrics':
        proto => 'tcp',
        port  => $exposed_port,
    }

    # restart the nginx service if a cert file changes
    File[$etcd_cert_pub]  ~> Service[nginx]
    File[$etcd_cert_priv] ~> Service[nginx]
    File[$etcd_cert_ca]   ~> Service[nginx]
}