Initial work on hiera-ifying and Puppet 8 support for standalone etcd

REFERENCE.md

@@ -7,6 +7,7 @@
 ### Classes
 
 * [`k8s`](#k8s): Sets up a Kubernetes instance - either as a node or as a server
+* [`k8s::common`](#k8s--common): Sets up common Kubernetes components - users/groups/folders/etc
 * [`k8s::install::cni_plugins`](#k8s--install--cni_plugins): Manages the installation of CNI plugins
 * [`k8s::install::container_runtime`](#k8s--install--container_runtime): Manages the installation of a container runtime / CRI
 * [`k8s::install::crictl`](#k8s--install--crictl): installs the crictl debugging tool
@@ -66,6 +67,7 @@ Uses the cni-plugins bridge binary to create a bridge interface to connect the c
 * [`K8s::IP_addresses`](#K8s--IP_addresses): a type to describe multiple IP addresses without subnet sizes
 * [`K8s::Native_packaging`](#K8s--Native_packaging): a type to describe Kubernetes native packaging methods
 * [`K8s::Node_auth`](#K8s--Node_auth): a type to describe node/kubelet authentication methods
+* [`K8s::Node_role`](#K8s--Node_role): a type to describe a type of Kubernetes node
 * [`K8s::PortRange`](#K8s--PortRange): This regexp matches port range values
 * [`K8s::Proxy_auth`](#K8s--Proxy_auth): a type to describe kube-proxy authentication methods
 * [`K8s::Proxy_method`](#K8s--Proxy_method): a type to describe how kube-proxy should be deployed
@@ -429,11 +431,11 @@ Default value: `true`
 
 ##### <a name="-k8s--role"></a>`role`
 
-Data type: `Enum['node','server','none']`
+Data type: `Optional[K8s::Node_role]`
 
-role of the node
+the role of the node
 
-Default value: `'none'`
+Default value: `undef`
 
 ##### <a name="-k8s--runc_version"></a>`runc_version`
 
@@ -491,6 +493,10 @@ version of kubernetes to install
 
 Default value: `'1.28.14'`
 
+### <a name="k8s--common"></a>`k8s::common`
+
+Sets up common Kubernetes components - users/groups/folders/etc
+
 ### <a name="k8s--install--cni_plugins"></a>`k8s::install::cni_plugins`
 
 Manages the installation of CNI plugins
@@ -1960,11 +1966,11 @@ Default value: `"${cert_path}/client-ca.key"`
 
 ##### <a name="-k8s--server--etcd--cluster_name"></a>`cluster_name`
 
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
 
-name of the etcd cluster for searching its nodes in the puppetdb
+name of the etcd cluster for searching its nodes in the puppetdb, will use k8s::etcd_cluster_name unless otherwise specified
 
-Default value: `pick($k8s::server::etcd_cluster_name, 'default')`
+Default value: `undef`
 
 ##### <a name="-k8s--server--etcd--ensure"></a>`ensure`
 
@@ -1980,7 +1986,7 @@ Data type: `Optional[K8s::Firewall]`
 
 define the type of firewall to use
 
-Default value: `$k8s::server::firewall_type`
+Default value: `undef`
 
 ##### <a name="-k8s--server--etcd--generate_ca"></a>`generate_ca`
 
@@ -2048,11 +2054,11 @@ Default value: `"${cert_path}/peer-ca.key"`
 
 ##### <a name="-k8s--server--etcd--puppetdb_discovery_tag"></a>`puppetdb_discovery_tag`
 
-Data type: `String[1]`
+Data type: `Optional[String[1]]`
 
 enable puppetdb resource searching
 
-Default value: `pick($k8s::server::puppetdb_discovery_tag, $cluster_name)`
+Default value: `$cluster_name`
 
 ##### <a name="-k8s--server--etcd--self_signed_tls"></a>`self_signed_tls`
 
@@ -2074,9 +2080,9 @@ Default value: `'etcd'`
 
 Data type: `String[1]`
 
-version of ectd to install
+version of ectd to install, will use k8s::etcd_version unless otherwise specified
 
-Default value: `pick($k8s::etcd_version, '3.5.1')`
+Default value: `$k8s::etcd_version`
 
 ### <a name="k8s--server--etcd--setup"></a>`k8s::server::etcd::setup`
 
@@ -2146,11 +2152,11 @@ Default value: `undef`
 
 ##### <a name="-k8s--server--etcd--setup--auto_tls"></a>`auto_tls`
 
-Data type: `Boolean`
+Data type: `Optional[Boolean]`
 
 Use auto tls
 
-Default value: `$k8s::server::etcd::self_signed_tls`
+Default value: `undef`
 
 ##### <a name="-k8s--server--etcd--setup--binary_path"></a>`binary_path`
 
@@ -2190,7 +2196,7 @@ Data type: `K8s::Ensure`
 
 set ensure for installation or deinstallation
 
-Default value: `$k8s::server::etcd::ensure`
+Default value: `'present'`
 
 ##### <a name="-k8s--server--etcd--setup--etcd_name"></a>`etcd_name`
 
@@ -2222,7 +2228,7 @@ Data type: `String[1]`
 
 etcd system user group
 
-Default value: `$k8s::server::etcd::group`
+Default value: `'etcd'`
 
 ##### <a name="-k8s--server--etcd--setup--initial_advertise_peer_urls"></a>`initial_advertise_peer_urls`
 
@@ -2298,11 +2304,11 @@ Default value: `'etcd'`
 
 ##### <a name="-k8s--server--etcd--setup--peer_auto_tls"></a>`peer_auto_tls`
 
-Data type: `Boolean`
+Data type: `Optional[Boolean]`
 
 Use peer auto tls
 
-Default value: `$k8s::server::etcd::self_signed_tls`
+Default value: `undef`
 
 ##### <a name="-k8s--server--etcd--setup--peer_cert_file"></a>`peer_cert_file`
 
@@ -2374,15 +2380,15 @@ Data type: `String[1]`
 
 etcd system user
 
-Default value: `$k8s::server::etcd::user`
+Default value: `'etcd'`
 
 ##### <a name="-k8s--server--etcd--setup--version"></a>`version`
 
 Data type: `String[1]`
 
 The ectd version to install
 
-Default value: `$k8s::server::etcd::version`
+Default value: `$k8s::etcd_version`
 
 ### <a name="k8s--server--resources"></a>`k8s::server::resources`
 
@@ -4178,6 +4184,14 @@ a type to describe node/kubelet authentication methods
 
 Alias of `Enum['cert', 'token', 'bootstrap']`
 
+### <a name="K8s--Node_role"></a>`K8s::Node_role`
+
+a type to describe a type of Kubernetes node
+
+* **Note** server/control-plane are identical, one using the Puppet term, the other the Kubernetes term
+
+Alias of `Enum['node', 'server', 'control-plane', 'etcd-replica', 'none']`
+
 ### <a name="K8s--PortRange"></a>`K8s::PortRange`
 
 This regexp matches port range values

data/common.yaml

@@ -1 +1,2 @@
---- {}
+---
+k8s::sysconfig_path: '/etc/sysconfig'

manifests/common.pp

@@ -0,0 +1,71 @@
+# @summary Sets up common Kubernetes components - users/groups/folders/etc
+class k8s::common {
+  group { $k8s::group:
+    ensure => present,
+    system => true,
+    gid    => $k8s::gid,
+  }
+
+  user { $k8s::user:
+    ensure     => present,
+    comment    => 'Kubernetes user',
+    gid        => $k8s::group,
+    home       => '/srv/kubernetes',
+    managehome => false,
+    shell      => (fact('os.family') ? {
+        'Debian' => '/usr/sbin/nologin',
+        default  => '/sbin/nologin',
+    }),
+    system     => true,
+    uid        => $k8s::uid,
+  }
+
+  file {
+    default:
+      ensure  => directory,
+      force   => true,
+      purge   => true,
+      recurse => true;
+
+    '/opt/k8s': ;
+    '/opt/k8s/bin': ;
+  }
+
+  file { '/var/run/kubernetes':
+    ensure => directory,
+    owner  => $k8s::user,
+    group  => $k8s::group,
+  }
+
+  file { "${k8s::sysconfig_path}/kube-common":
+    ensure  => file,
+    content => epp('k8s/sysconfig.epp', {
+        comment               => 'General Kubernetes Configuration',
+        environment_variables => {
+          'KUBE_LOG_LEVEL'   => '',
+        },
+    }),
+  }
+
+  file {
+    default:
+      ensure => directory;
+
+    '/etc/kubernetes': ;
+    '/etc/kubernetes/certs': ;
+    '/etc/kubernetes/manifests':
+      purge   => $k8s::purge_manifests,
+      recurse => true;
+    '/root/.kube': ;
+    '/srv/kubernetes':
+      owner => $k8s::user,
+      group => $k8s::group;
+    '/usr/libexec/kubernetes': ;
+    '/var/lib/kubelet': ;
+    '/var/lib/kubelet/pki': ;
+
+    '/usr/share/containers/': ;
+    '/usr/share/containers/oci/': ;
+    '/usr/share/containers/oci/hooks.d': ;
+  }
+}

manifests/init.pp

@@ -37,7 +37,7 @@
 # @param puppetdb_discovery whether to use puppetdb for node discovery
 # @param puppetdb_discovery_tag tag to use for puppetdb node discovery
 # @param purge_manifests whether to purge manifests
-# @param role role of the node
+# @param role the role of the node
 # @param runc_version version of runc to install
 # @param service_cluster_cidr CIDR for the service network
 # @param sysconfig_path path to the sysconfig directory
@@ -95,108 +95,19 @@
   Stdlib::Fqdn $cluster_domain                       = 'cluster.local',
   String[1] $etcd_cluster_name                       = 'default',
 
-  Enum['node','server','none']  $role    = 'none',
+  Optional[K8s::Node_role] $role = undef,
   Optional[K8s::Firewall] $firewall_type = undef,
 
   String[1] $user        = 'kube',
   String[1] $group       = 'kube',
   Integer[0, 65535] $uid = 888,
   Integer[0, 65535] $gid = 888,
 ) {
-  if $manage_container_manager {
-    include k8s::install::container_runtime
-  }
-
-  group { $group:
-    ensure => present,
-    system => true,
-    gid    => $gid,
-  }
-
-  user { $user:
-    ensure     => present,
-    comment    => 'Kubernetes user',
-    gid        => $group,
-    home       => '/srv/kubernetes',
-    managehome => false,
-    shell      => (fact('os.family') ? {
-        'Debian' => '/usr/sbin/nologin',
-        default  => '/sbin/nologin',
-    }),
-    system     => true,
-    uid        => $uid,
-  }
-
-  file {
-    default:
-      ensure  => directory,
-      force   => true,
-      purge   => true,
-      recurse => true;
-
-    '/opt/k8s': ;
-    '/opt/k8s/bin': ;
-  }
-
-  file { '/var/run/kubernetes':
-    ensure => directory,
-    owner  => $user,
-    group  => $group,
-  }
-
-  $_sysconfig_path = pick($sysconfig_path, '/etc/sysconfig')
-  file { "${_sysconfig_path}/kube-common":
-    ensure  => file,
-    content => epp('k8s/sysconfig.epp', {
-        comment               => 'General Kubernetes Configuration',
-        environment_variables => {
-          'KUBE_LOG_LEVEL'   => '',
-        },
-    }),
-  }
-
-  file {
-    default:
-      ensure => directory;
-
-    '/etc/kubernetes': ;
-    '/etc/kubernetes/certs': ;
-    '/etc/kubernetes/manifests':
-      purge   => $purge_manifests,
-      recurse => true;
-    '/root/.kube': ;
-    '/srv/kubernetes':
-      owner => $user,
-      group => $group;
-    '/usr/libexec/kubernetes': ;
-    '/var/lib/kubelet': ;
-    '/var/lib/kubelet/pki': ;
-
-    '/usr/share/containers/': ;
-    '/usr/share/containers/oci/': ;
-    '/usr/share/containers/oci/hooks.d': ;
-  }
-
-  if $manage_repo {
-    include k8s::repo
-  }
-
-  if $manage_packages {
-    # Ensure conntrack is installed to properly handle networking cleanup
-    if fact('os.family') == 'Debian' {
-      $_conntrack = 'conntrack'
-    } else {
-      $_conntrack = 'conntrack-tools'
-    }
-
-    ensure_packages([$_conntrack,])
-  }
-
-  include k8s::install::cni_plugins
-
-  if $role == 'server' {
+  if $role == 'server' or $role == 'control-plane' {
     include k8s::server
   } elsif $role == 'node' {
     include k8s::node
+  } elsif $role == 'etcd-replica' {
+    include k8s::server::etcd
   }
 }

manifests/install/container_runtime.pp

@@ -87,6 +87,7 @@
   }
 
   if $manage_repo {
+    include k8s::repo
     Class['k8s::repo'] -> Package['k8s container manager']
   }
 }

manifests/install/crictl.pp

@@ -21,8 +21,9 @@
   Stdlib::HTTPUrl $download_url_template = 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz',
 ) {
   if $manage_repo {
-    $pkg = pick($crictl_package, 'cri-tools')
+    include k8s::repo
 
+    $pkg = pick($crictl_package, 'cri-tools')
     package { $pkg:
       ensure => stdlib::ensure($ensure, 'package'),
     }