From 66bbb18764fd0cbd4a5b80f7c68e07ff94938ac4 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Fri, 14 Jul 2023 13:56:25 +0200 Subject: [PATCH] Split actionable code from parameter definitions --- REFERENCE.md | 27 ++++--- data/common.yaml | 3 +- manifests/common.pp | 71 +++++++++++++++++++ manifests/init.pp | 97 +------------------------- manifests/install/container_runtime.pp | 1 + manifests/install/crictl.pp | 3 +- manifests/node.pp | 20 ++++++ manifests/server.pp | 2 + manifests/server/etcd.pp | 61 ++++++++-------- manifests/server/etcd/setup.pp | 55 +++++---------- spec/classes/k8s_spec.rb | 2 +- spec/classes/server/etcd_spec.rb | 6 +- 12 files changed, 169 insertions(+), 179 deletions(-) create mode 100644 manifests/common.pp diff --git a/REFERENCE.md b/REFERENCE.md index 34d278f..d3ee93e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -7,6 +7,7 @@ ### Classes * [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server +* [`k8s::common`](#k8s--common): Sets up common Kubernetes components - users/groups/folders/etc * [`k8s::install::cni_plugins`](#k8s--install--cni_plugins): Manages the installation of CNI plugins * [`k8s::install::container_runtime`](#k8s--install--container_runtime): Manages the installation of a container runtime / CRI * [`k8s::install::crictl`](#k8s--install--crictl): installs the crictl debugging tool @@ -429,7 +430,7 @@ Default value: `true` ##### `role` -Data type: `Enum['node','server','none']` +Data type: `Enum['node','server','etcd-replica','none']` role of the node @@ -491,6 +492,10 @@ version of kubernetes to install Default value: `'1.28.14'` +### `k8s::common` + +Sets up common Kubernetes components - users/groups/folders/etc + ### `k8s::install::cni_plugins` Manages the installation of CNI plugins 
@@ -2072,11 +2077,11 @@ Default value: `'etcd'` ##### `version` -Data type: `Optional[String[1]]` +Data type: `String[1]` version of ectd to install, will use k8s::etcd_version unless otherwise specified -Default value: `undef` +Default value: `$k8s::etcd_version` ### `k8s::server::etcd::setup` @@ -2186,11 +2191,11 @@ Default value: `"${etcd_name}.etcd"` ##### `ensure` -Data type: `Optional[K8s::Ensure]` +Data type: `K8s::Ensure` set ensure for installation or deinstallation -Default value: `undef` +Default value: `'present'` ##### `etcd_name` @@ -2218,11 +2223,11 @@ Default value: `undef` ##### `group` -Data type: `Optional[String[1]]` +Data type: `String[1]` etcd system user group -Default value: `undef` +Default value: `'etcd'` ##### `initial_advertise_peer_urls` @@ -2370,19 +2375,19 @@ Default value: `undef` ##### `user` -Data type: `Optional[String[1]]` +Data type: `String[1]` etcd system user -Default value: `undef` +Default value: `'etcd'` ##### `version` -Data type: `Optional[String[1]]` +Data type: `String[1]` The ectd version to install -Default value: `undef` +Default value: `$k8s::etcd_version` ### `k8s::server::resources` diff --git a/data/common.yaml b/data/common.yaml index 2fbf0ff..ac7cd48 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1 +1,2 @@ ---- {} +--- +k8s::sysconfig_path: '/etc/sysconfig' diff --git a/manifests/common.pp b/manifests/common.pp new file mode 100644 index 0000000..39ef5b3 --- /dev/null +++ b/manifests/common.pp 
@@ -0,0 +1,71 @@ +# @summary Sets up common Kubernetes components - users/groups/folders/etc +class k8s::common { + group { $k8s::group: + ensure => present, + system => true, + gid => $k8s::gid, + } + + user { $k8s::user: + ensure => present, + comment => 'Kubernetes user', + gid => $k8s::group, + home => '/srv/kubernetes', + managehome => false, + shell => (fact('os.family') ? { + 'Debian' => '/usr/sbin/nologin', + default => '/sbin/nologin', + }), + system => true, + uid => $k8s::uid, + } + + file { + default: + ensure => directory, + force => true, + purge => true, + recurse => true; + + '/opt/k8s': ; + '/opt/k8s/bin': ; + } + + file { '/var/run/kubernetes': + ensure => directory, + owner => $k8s::user, + group => $k8s::group, + } + + file { "${k8s::sysconfig_path}/kube-common": + ensure => file, + content => epp('k8s/sysconfig.epp', { + comment => 'General Kubernetes Configuration', + environment_variables => { + 'KUBE_LOG_LEVEL' => '', + }, + }), + } + + file { + default: + ensure => directory; + + '/etc/kubernetes': ; + '/etc/kubernetes/certs': ; + '/etc/kubernetes/manifests': + purge => $k8s::purge_manifests, + recurse => true; + '/root/.kube': ; + '/srv/kubernetes': + owner => $k8s::user, + group => $k8s::group; + '/usr/libexec/kubernetes': ; + '/var/lib/kubelet': ; + '/var/lib/kubelet/pki': ; + + '/usr/share/containers/': ; + '/usr/share/containers/oci/': ; + '/usr/share/containers/oci/hooks.d': ; + } +} diff --git a/manifests/init.pp b/manifests/init.pp index eb62fa3..f11de32 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,7 +95,7 @@ Stdlib::Fqdn $cluster_domain = 'cluster.local', String[1] $etcd_cluster_name = 'default', - Enum['node','server','none'] $role = 'none', + Enum['node','server','etcd-replica','none'] $role = 'none', Optional[K8s::Firewall] $firewall_type = undef, String[1] $user = 'kube', 
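Review bot: `/etc/kubernetes/certs`, `/var/lib/kubelet/pki` and `/root/.kube` are declared in the second `file { default: ... }` group of `manifests/common.pp` with `ensure => directory` only, so Puppet neither sets nor corrects `owner`, `group` or `mode` on paths that, going by their names, hold key material and kubeconfigs. Now that the block lives in its own class, make this explicit: put `owner => 'root', group => 'root',` in the `default:` body and `mode => '0700'` on `/root/.kube`, and choose the modes for the certificate directories to match whichever service account has to read them. The same applies to `/opt/k8s/bin` in the first group, which is purged recursively while its ownership and mode stay unmanaged. The files placed under these directories are managed elsewhere, so check their modes against the parents.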
@@ -103,102 +103,11 @@ Integer[0, 65535] $uid = 888, Integer[0, 65535] $gid = 888, ) { - if $manage_container_manager { - include k8s::install::container_runtime - } - - group { $group: - ensure => present, - system => true, - gid => $gid, - } - - user { $user: - ensure => present, - comment => 'Kubernetes user', - gid => $group, - home => '/srv/kubernetes', - managehome => false, - shell => (fact('os.family') ? { - 'Debian' => '/usr/sbin/nologin', - default => '/sbin/nologin', - }), - system => true, - uid => $uid, - } - - file { - default: - ensure => directory, - force => true, - purge => true, - recurse => true; - - '/opt/k8s': ; - '/opt/k8s/bin': ; - } - - file { '/var/run/kubernetes': - ensure => directory, - owner => $user, - group => $group, - } - - $_sysconfig_path = pick($sysconfig_path, '/etc/sysconfig') - file { "${_sysconfig_path}/kube-common": - ensure => file, - content => epp('k8s/sysconfig.epp', { - comment => 'General Kubernetes Configuration', - environment_variables => { - 'KUBE_LOG_LEVEL' => '', - }, - }), - } - - file { - default: - ensure => directory; - - '/etc/kubernetes': ; - '/etc/kubernetes/certs': ; - '/etc/kubernetes/manifests': - purge => $purge_manifests, - recurse => true; - '/root/.kube': ; - '/srv/kubernetes': - owner => $user, - group => $group; - '/usr/libexec/kubernetes': ; - '/var/lib/kubelet': ; - '/var/lib/kubelet/pki': ; - - '/usr/share/containers/': ; - '/usr/share/containers/oci/': ; - '/usr/share/containers/oci/hooks.d': ; - } - - if $manage_repo { - include k8s::repo - } - - if $manage_packages { - # Ensure conntrack is installed to properly handle networking cleanup - if fact('os.family') == 'Debian' { - $_conntrack = 'conntrack' - } else { - $_conntrack = 'conntrack-tools' - } - - ensure_packages([$_conntrack,]) - } - - if $role != 'none' { - include k8s::install::cni_plugins - } - if $role == 'server' { include k8s::server } elsif $role == 'node' { include k8s::node + } elsif $role == 'etcd-replica' { + include 
k8s::server::etcd } } diff --git a/manifests/install/container_runtime.pp b/manifests/install/container_runtime.pp index ff28af1..bffedc5 100644 --- a/manifests/install/container_runtime.pp +++ b/manifests/install/container_runtime.pp @@ -87,6 +87,7 @@ } if $manage_repo { + include k8s::repo Class['k8s::repo'] -> Package['k8s container manager'] } } diff --git a/manifests/install/crictl.pp b/manifests/install/crictl.pp index 9abd559..9fd4f93 100644 --- a/manifests/install/crictl.pp +++ b/manifests/install/crictl.pp @@ -21,8 +21,9 @@ Stdlib::HTTPUrl $download_url_template = 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz', ) { if $manage_repo { - $pkg = pick($crictl_package, 'cri-tools') + include k8s::repo + $pkg = pick($crictl_package, 'cri-tools') package { $pkg: ensure => stdlib::ensure($ensure, 'package'), } diff --git a/manifests/node.pp b/manifests/node.pp index 001988e..e197cff 100644 --- a/manifests/node.pp +++ b/manifests/node.pp @@ -54,6 +54,26 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, ) { + include k8s::common + include k8s::install::cni_plugins + + if $k8s::manage_container_manager { + include k8s::install::container_runtime + } + if $k8s::manage_repo { + include k8s::repo + } + if $k8s::manage_packages { + # Ensure conntrack is installed to properly handle networking cleanup + if fact('os.family') == 'Debian' { + $_conntrack = 'conntrack' + } else { + $_conntrack = 'conntrack-tools' + } + + ensure_packages([$_conntrack,]) + } + if $manage_crictl { include k8s::install::crictl } diff --git a/manifests/server.pp b/manifests/server.pp index 0d504a7..b9758b5 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -59,6 +59,8 @@ Optional[K8s::Firewall] $firewall_type = $k8s::firewall_type, String[1] $etcd_cluster_name = $k8s::etcd_cluster_name, ) { + include k8s::common + if $manage_etcd { class { 'k8s::server::etcd': ensure => $ensure, 
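Review bot: A host given the new `etcd-replica` role gets etcd purely from class defaults and Hiera, because the branch in `manifests/init.pp` uses a bare `include k8s::server::etcd`, and the `role` documentation ("role of the node") does not say so. By contrast, `k8s::server` declares the same class resource-style and passes values down, though only `ensure => $ensure` is visible in this patch. The etcd class defaults `manage_firewall` to `false` and its TLS-related parameters are not shown here, so the security posture of a replica-only host cannot be read from `role` alone. Extend the parameter doc, e.g. `# @param role role of the node; 'etcd-replica' only includes k8s::server::etcd, set TLS and firewalling through k8s::server::etcd::* in Hiera`. The class body starts above this hunk.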
diff --git a/manifests/server/etcd.pp b/manifests/server/etcd.pp index ef4c8db..08f2a74 100644 --- a/manifests/server/etcd.pp +++ b/manifests/server/etcd.pp @@ -21,8 +21,8 @@ # @param version version of ectd to install, will use k8s::etcd_version unless otherwise specified # class k8s::server::etcd ( - K8s::Ensure $ensure = 'present', - Optional[String[1]] $version = undef, + K8s::Ensure $ensure = 'present', + String[1] $version = $k8s::etcd_version, Boolean $manage_setup = true, Boolean $manage_firewall = false, @@ -118,21 +118,9 @@ } } - if $manage_setup and !$manage_members { - include k8s::server::etcd::setup - } - if $ensure == 'present' and $manage_members { - if defined(Class['k8s']) { - $_k8s_cluster_name = $k8s::etcd_cluster_name - $_k8s_puppetdb_discovery_tag = $k8s::puppetdb_discovery_tag - } else { - $_k8s_cluster_name = lookup('k8s::cluster_name', undef, undef, undef) - $_k8s_puppetdb_discovery_tag = lookup('k8s::puppetdb_discovery_tag', undef, undef, undef) - } - - $_cluster_name = pick($cluster_name, $_k8s_cluster_name, 'default') - $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $_k8s_puppetdb_discovery_tag, 'default') + $_cluster_name = pick($cluster_name, $k8s::etcd_cluster_name, 'default') + $_puppetdb_discovery_tag = pick($puppetdb_discovery_tag, $cluster_name, $k8s::puppetdb_discovery_tag, 'default') # Needs the PuppetDB terminus installed $pql_query = [ 
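Review bot: The new default `String[1] $version = $k8s::etcd_version` in `k8s::server::etcd` only resolves when class `k8s` has already been evaluated, and nothing in the visible lines declares or documents that requirement. The same holds for the identical default in `k8s::server::etcd::setup` and for the direct reads of `$k8s::etcd_cluster_name`, `$k8s::puppetdb_discovery_tag` and `$k8s::firewall_type` in the later hunks. The removed `defined(Class['k8s'])` / `lookup()` fallback covered standalone use, and the spec rename from "without k8s included" to "with k8s included" suggests that case is dropped on purpose. State it in the class header, e.g. `# @note requires the k8s class to be declared first; parameter defaults are read from it`, so a missing `include k8s` is understood rather than showing up, presumably, as a type mismatch on `version`.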
@@ -152,16 +140,14 @@ ].join(' ') $cluster_nodes = puppetdb_query($pql_query) - if $manage_setup { - class { 'k8s::server::etcd::setup': - initial_cluster => $cluster_nodes.map |$node| { - "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" - }, - initial_cluster_state => ($cluster_nodes.size() ? { - 0 => 'new', - default => 'existing', - }), - } + $_setup_splat = { + initial_cluster => $cluster_nodes.map |$node| { + "${node['parameters']['etcd_name']}=${node['parameters']['initial_advertise_peer_urls'][0]}" + }, + initial_cluster_state => ($cluster_nodes.size() ? { + 0 => 'new', + default => 'existing', + }), } $cluster_nodes.each |$node| { @@ -173,22 +159,31 @@ cluster_key => "${cert_path}/etcd-client.key", } } + } else { + $_setup_splat = {} } - if $manage_firewall { - if defined(Class['k8s']) { - $_k8s_firewall_type = $k8s::firewall_type - } else { - $_k8s_firewall_type = lookup('k8s::firewall_type', undef, undef, undef) + if $manage_setup { + class { 'k8s::server::etcd::setup': + ensure => $ensure, + version => $version, + user => $user, + group => $group, + * => $_setup_splat, } + } + + if $manage_firewall { if $facts['firewalld_version'] { - $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'firewalld') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'firewalld') } else { - $_firewall_type = pick($firewall_type, $_k8s_firewall_type, 'iptables') + $_firewall_type = pick($firewall_type, $k8s::firewall_type, 'iptables') } case $_firewall_type { 'firewalld' : { + include firewalld + firewalld_service { default: ensure => $ensure, diff --git a/manifests/server/etcd/setup.pp b/manifests/server/etcd/setup.pp index 88b840f..5e03b68 100644 --- a/manifests/server/etcd/setup.pp +++ b/manifests/server/etcd/setup.pp 
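Review bot: The `initial_cluster` entries built in `$_setup_splat` take `etcd_name` and `initial_advertise_peer_urls[0]` straight from the `puppetdb_query()` results and interpolate them into the etcd bootstrap settings with no type check. A record with an empty URL list therefore yields a `name=` entry, and every node record the query returns is accepted as a cluster peer. Validate each value inside the `map` block, e.g. `$_peer_url = assert_type(Stdlib::HTTPUrl, $node['parameters']['initial_advertise_peer_urls'][0])`, and build the string from the checked value. Since `$_puppetdb_discovery_tag` falls back to `'default'`, the parameter documentation should also say the tag has to be unique per cluster when several clusters share one PuppetDB. Most of the PQL query lies between the hunks, so what it actually filters on is not visible here.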
@@ -35,10 +35,10 @@ # @param version The ectd version to install # class k8s::server::etcd::setup ( - Optional[K8s::Ensure] $ensure = undef, + K8s::Ensure $ensure = 'present', Enum['archive','package'] $install = 'archive', String[1] $package = 'etcd', - Optional[String[1]] $version = undef, + String[1] $version = $k8s::etcd_version, String[1] $etcd_name = $facts['networking']['hostname'], String[1] $fqdn = $facts['networking']['fqdn'], 
@@ -72,44 +72,27 @@ Optional[Stdlib::Unixpath] $binary_path = undef, Stdlib::Unixpath $storage_path = '/var/lib/etcd', - Optional[String[1]] $user = undef, - Optional[String[1]] $group = undef, + String[1] $user = 'etcd', + String[1] $group = 'etcd', Optional[Integer[0, 65535]] $uid = undef, Optional[Integer[0, 65535]] $gid = undef, ) { - if defined(Class['k8s']) { - $_k8s_etcd_version = $k8s::etcd_version - } else { - $_k8s_etcd_version = lookup('k8s::etcd_version') - } if defined(Class['k8s::server::etcd']) { - $_k8s_server_etcd_ensure = $k8s::server::etcd::ensure - $_k8s_server_etcd_version = $k8s::server::etcd::version $_k8s_server_etcd_self_signed_tls = $k8s::server::etcd::self_signed_tls $_k8s_server_etcd_manage_certs = $k8s::server::etcd::manage_certs - $_k8s_server_etcd_user = $k8s::server::etcd::user - $_k8s_server_etcd_group = $k8s::server::etcd::group } else { - $_k8s_server_etcd_ensure = lookup('k8s::server::etcd::ensure', undef, undef, undef) - $_k8s_server_etcd_version = lookup('k8s::server::etcd::version', undef, undef, undef) - $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', undef, undef, undef) - $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', undef, undef, undef) - $_k8s_server_etcd_user = lookup('k8s::server::etcd::user', undef, undef, undef) - $_k8s_server_etcd_group = lookup('k8s::server::etcd::group', undef, undef, undef) + $_k8s_server_etcd_self_signed_tls = lookup('k8s::server::etcd::self_signed_tls', default_value => undef) + $_k8s_server_etcd_manage_certs = lookup('k8s::server::etcd::manage_certs', default_value => undef) } - $_ensure = pick($ensure, $_k8s_server_etcd_ensure, 'present') $_peer_auto_tls = pick($peer_auto_tls, $_k8s_server_etcd_self_signed_tls, false) $_auto_tls = pick($auto_tls, $_k8s_server_etcd_self_signed_tls, false) - $_version = pick($version, $_k8s_server_etcd_version, $_k8s_etcd_version) - $_user = pick($user, $_k8s_server_etcd_user, 'etcd') - $_group = 
pick($group, $_k8s_server_etcd_group, 'etcd') if $install == 'archive' { $_url = k8s::format_url($archive_template, { version => $version, }) $_file = basename($_url) archive { "/var/tmp/${_file}": - ensure => $_ensure, + ensure => $ensure, source => $_url, extract => true, extract_command => 'tar xfz %s --strip-components=1', @@ -119,20 +102,20 @@ notify => Service['etcd'], } - if $_ensure == 'absent' { + if $ensure == 'absent' { file { ['/usr/local/bin/etcd', '/usr/local/bin/etcdctl']: ensure => 'absent', } } - group { $_group: - ensure => $_ensure, + group { $group: + ensure => $ensure, system => true, gid => $gid, } - user { $_user: - ensure => $_ensure, + user { $user: + ensure => $ensure, comment => 'etcd user', gid => $gid, home => $storage_path, @@ -146,13 +129,13 @@ } } else { package { $package: - ensure => stdlib::ensure($_ensure, 'package'), + ensure => stdlib::ensure($ensure, 'package'), } } file { default: - ensure => stdlib::ensure($_ensure, 'directory'); + ensure => stdlib::ensure($ensure, 'directory'); '/etc/etcd': ; $storage_path: @@ -188,7 +171,7 @@ file { default: - ensure => stdlib::ensure($_ensure, 'file'), + ensure => stdlib::ensure($ensure, 'file'), owner => 'root', group => 'root'; @@ -231,21 +214,21 @@ $service_require = Package[$package] } else { $_binary_path = pick($binary_path, '/usr/local/bin/etcd') - $service_require = User[$_user] + $service_require = User[$user] } systemd::unit_file { 'etcd.service': - ensure => $_ensure, + ensure => $ensure, content => epp('k8s/etcd.service.epp', { binary_path => $_binary_path, workdir_path => $storage_path, - user => $_user, + user => $user, }), notify => Service['etcd'], } service { 'etcd': - ensure => stdlib::ensure($_ensure, 'service'), + ensure => stdlib::ensure($ensure, 'service'), enable => true, require => $service_require, subscribe => File['/etc/etcd/etcd.conf'], diff --git a/spec/classes/k8s_spec.rb b/spec/classes/k8s_spec.rb index 1473ccb..bd1bf48 100644 --- a/spec/classes/k8s_spec.rb 
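Review bot: No integrity check is visible on the etcd download: the `archive` resource at the end of the `@@ -72,44 +72,27 @@` hunk fetches the tarball to `/var/tmp/${_file}` and extracts it, and neither that hunk nor the next one shows a `checksum` / `checksum_type` attribute. A few lines of the resource fall between the two hunks, so confirm whether verification is already set there. If it is not, the installed binary is trusted on the strength of the transport and of a staging path in a world-writable directory. Pass a digest through the class, e.g. `checksum_type => 'sha256',` and `checksum => $archive_checksum,` (`$archive_checksum` being a new parameter named here only for illustration), and consider staging under a root-owned directory instead of `/var/tmp`.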
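Review bot: In the `user { $user: ... }` resource of the `@@ -119,20 +102,20 @@` hunk the primary group is still `gid => $gid`, and `$gid` defaults to `undef`, so with default parameters the etcd account is not tied to the `$group` that the preceding `group` resource creates. Its primary group is then whatever the platform's user-creation defaults pick, which may be a shared group. `k8s::common` in this same patch uses `gid => $k8s::group` for the equivalent account. Now that `$group` is a mandatory `String[1]`, the line can become `gid => pick($gid, $group),` so the account's group is deterministic.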
+++ b/spec/classes/k8s_spec.rb @@ -10,7 +10,7 @@ it { is_expected.to compile } - %w[node server].each do |role| + %w[node server etcd-replica].each do |role| context "with role #{role}" do let(:params) do { diff --git a/spec/classes/server/etcd_spec.rb b/spec/classes/server/etcd_spec.rb index 59f3369..780916f 100644 --- a/spec/classes/server/etcd_spec.rb +++ b/spec/classes/server/etcd_spec.rb @@ -11,7 +11,7 @@ } end - context "with k8s included" do + context "with k8s included in server mode" do let(:pre_condition) do <<~PUPPET function puppetdb_query(String[1] $data) { @@ -61,7 +61,7 @@ class { '::k8s::server': end end - context "without k8s included" do + context "with k8s included" do let(:pre_condition) do <<~PUPPET function puppetdb_query(String[1] $data) { @@ -75,6 +75,8 @@ class { '::k8s::server': } ] } + + include ::k8s PUPPET end