Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppet-k8s', '2.0.1'
Learn more about managing modules with a Puppetfile in the documentation.
k8s
Description
This module installs, configures, and manages a Kubernetes cluster built from loose components.
The main focus is on the current stable versions of K8s (1.18.x+), but it should be able to handle both older and newer versions without issues.
Usage
Set k8s::server::etcd_servers to a list of servers or k8s::puppetdb_discovery to true.
Setting up a server node (apiserver, controller-manager, scheduler):

    class { 'k8s':
      role              => 'server',
      control_plane_url => 'https://kubernetes.example.com:6443',
      # generate_ca        => true, # Only set true temporarily to avoid overwriting the old secrets
      # puppetdb_discovery => true, # Will use PuppetDB PQL queries to manage etcd and nodes
    }

Setting up a client node (kubelet, kube-proxy):

    class { 'k8s':
      role              => 'node',
      control_plane_url => 'https://kubernetes.example.com:6443',
    }
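As an added example (not from the module's README), the Hiera data for a cluster that does not use PuppetDB discovery, so the etcd endpoints and the kubelet bootstrap token have to be supplied explicitly; the manifest side stays the two class declarations shown above. Hostnames, addresses and the token value are placeholders, and the assumption that CSR signing works without PuppetDB is marked in the comments.

```yaml
# Added example, not part of the puppet-k8s module: Hiera data for a small
# static cluster. Hostnames, CIDRs and the token value are assumed placeholders.
---
# Shared by servers and nodes: API endpoint and the two cluster networks.
k8s::control_plane_url: 'https://kubernetes.example.com:6443'
k8s::cluster_cidr: '10.0.0.0/16'            # pod network
k8s::service_cluster_cidr: '10.1.0.0/24'    # service network; the API service
                                            # address is its first IP, DNS its second
k8s::puppetdb_discovery: false              # no PQL queries for etcd/node discovery

# Servers: a static etcd member list replaces the PuppetDB lookup.
k8s::server::etcd_servers:
  - 'https://etcd-1.example.com:2379'
  - 'https://etcd-2.example.com:2379'
  - 'https://etcd-3.example.com:2379'
# manage_signing defaults to the value of k8s::puppetdb_discovery, so it is off
# here; set it explicitly if the servers should approve pending kubelet CSRs
# (assumption: signing does not itself require PuppetDB).
k8s::server::manage_signing: true

# Nodes: join with a bootstrap token. node_token is Optional[Sensitive[String]],
# so convert the Hiera value to Sensitive to keep it out of logs and catalog
# diffs; store the real value in an encrypted Hiera backend (eyaml, Vault).
k8s::node::node_auth: 'bootstrap'
k8s::node::node_token: 'REPLACE-WITH-BOOTSTRAP-TOKEN'
lookup_options:
  k8s::node::node_token:
    convert_to: 'Sensitive'
```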
Examples
For more detailed examples, see the module's examples.
Reference
All parameters are documented within the classes. Markdown documentation is available in the REFERENCE.md file, which also contains examples.
Reference
Table of Contents
Classes
k8s
: Sets up a Kubernetes instance - either as a node or as a server
k8s::install::cni_plugins
: manages the installation of the cni plugins
k8s::install::container_runtime
: manages the installation of cri
k8s::install::crictl
: installs the crictl debugging tool
k8s::install::kubeadm
: Installs the kubeadm binary
k8s::install::kubectl
: Installs the kubectl binary
k8s::node
: Installs a Kubernetes node
k8s::node::kube_proxy
: Sets up an on-node kube-proxy instance
k8s::node::kubectl
: Installs the kubectl binary
k8s::node::kubelet
: Installs and configures kubelet
k8s::node::simple_cni
: Provide a simple bridged standard network interface. For basic usage if one does not have flannel, cilium, calico or something else yet. Uses the cni-plugins bridge binary to create a bridge interface to connect the containers
k8s::repo
: Handles repositories for the container runtime
k8s::server
: Sets up a Kubernetes server instance
k8s::server::apiserver
: Installs and configures a Kubernetes apiserver
k8s::server::controller_manager
: Installs and configures a Kubernetes controller manager
k8s::server::etcd
: Sets up an etcd cluster node
k8s::server::etcd::setup
: Installs and configures an etcd instance
k8s::server::resources
: Generates and deploys standard Kubernetes in-cluster services
k8s::server::resources::bootstrap
: Generates and deploys the default Puppet bootstrap configuration into the cluster
k8s::server::resources::coredns
: Generates and deploys the default CoreDNS DNS provider for Kubernetes
k8s::server::resources::flannel
: Generates and deploys the default CoreDNS DNS provider for Kubernetes
k8s::server::resources::kube_proxy
: Generates and deploys the default kube-proxy service for Kubernetes
k8s::server::scheduler
: Installs and configures a Kubernetes scheduler
k8s::server::tls
: Generates the necessary Kubernetes certificates for a server
k8s::server::wait_online
: Creates a dummy exec to allow deferring applies until the Kubernetes API server has started
Defined types
k8s::binary
: Deploys a Kubernetes binary
k8s::server::bootstrap_token
: Generates and stores a kubelet bootstrap token into the cluster
k8s::server::etcd::member
: Adds another member to a local etcd cluster
k8s::server::tls::ca
: Generates a TLS CA
k8s::server::tls::cert
: Generates and signs a TLS certificate
k8s::server::tls::k8s_sign
: Signs pending CSR requests for bootstrapping clients
Resource types
kubeconfig
: Example:

    kubeconfig { '/var/lib/kubernetes/utility.conf':
      ca_cert => '/etc/kubernetes.ca.pem',
      token   => 'utility-token',
    }

kubectl_apply
: Example: To encode the bootstrap token "tokenid.tokensecret" into a Kubernetes secret; $tokenid = 'tokenid' $tokensecret = 'tokense
Functions
k8s::format_arguments
: Formats a hash of arguments into something that can be passed to a kubernetes application
k8s::format_url
: Formats a download URL for K8s binaries
k8s::ip_in_cidr
: Retrieves an IP inside of a CIDR based on an index
Data types
K8s::Bootstrap_token
: A Kubernetes bootstrap token, must be 16-characters lowercase alphanumerical
K8s::CIDR
: a type to describe one or more IPv4/6 CIDR
K8s::Container_runtimes
: a type to describe the supported container runtimes
K8s::Duration
: This regexp matches Go duration values, as taken from;
K8s::Ensure
: a type to describe the ensure pattern
K8s::Extended_key_usage
: a type to describe extended key usage for a TLS certificate
K8s::Firewall
: a type to describe the type of the firewall to use
K8s::IP_addresses
: a type to describe multiple IP addresses without subnet sizes
K8s::Native_packaging
: a type to describe Kubernetes native packaging methods
K8s::Node_auth
: a type to describe node/kubelet authentication methods
K8s::PortRange
: This regexp matches port range values
K8s::Proxy_auth
: a type to describe kube-proxy authentication methods
K8s::Proxy_method
: a type to describe how kube-proxy should be deployed
K8s::Quantity
: This regexp matches quantities, like those for resource requests/limits
K8s::TLS_altnames
: a type to describe TLS alternative names in certificates
K8s::Timestamp
: This regexp matches RFC3339 timestamps, the same as what Kubernetes expects to find
K8s::URI
: This regexp matches URI values
K8s::Version
: A type for handling Kubernetes version numbers
Classes
k8s
Sets up a Kubernetes instance - either as a node or as a server
Parameters
The following parameters are available in the k8s class:
api_service_address
cluster_cidr
cluster_domain
container_image_tag
container_manager
container_registry
container_runtime_service
containerd_package
control_plane_url
crictl_package
crio_package
dns_service_address
ensure
etcd_cluster_name
etcd_version
firewall_type
gid
group
hyperkube_name
incluster_control_plane_url
manage_container_manager
manage_etcd
manage_firewall
manage_image
manage_kernel_modules
manage_kube_proxy
manage_packages
manage_repo
manage_sysctl_settings
native_packaging
native_url_template
node_auth
package_template
packaging
puppetdb_discovery
puppetdb_discovery_tag
purge_manifests
role
runc_version
service_cluster_cidr
sysconfig_path
tarball_url_template
uid
user
version
api_service_address
Data type: Stdlib::IP::Address::Nosubnet
IP address for the API service
Default value: k8s::ip_in_cidr($service_cluster_cidr, 'first')
cluster_cidr
Data type: K8s::CIDR
CIDR for the pod network
Default value: '10.0.0.0/16'
cluster_domain
Data type: Stdlib::Fqdn
domain name for the cluster
Default value: 'cluster.local'
container_image_tag
Data type: Optional[String[1]]
container image tag to use
Default value: undef
container_manager
Data type: K8s::Container_runtimes
container manager to use
Default value: 'crio'
container_registry
Data type: String[1]
container registry to use
Default value: 'registry.k8s.io'
container_runtime_service
Data type: String[1]
name of the container runtime service
Default value: "${container_manager}.service"
containerd_package
Data type: Optional[String[1]]
name of the containerd package
Default value: undef
control_plane_url
Data type: Stdlib::HTTPUrl
URL for the control plane
Default value: 'https://kubernetes:6443'
crictl_package
Data type: Optional[String[1]]
name of the crictl package
Default value: undef
crio_package
Data type: Optional[String[1]]
name of the crio package
Default value: undef
dns_service_address
Data type: K8s::IP_addresses
IP address for the DNS service
Default value: k8s::ip_in_cidr($service_cluster_cidr, 'second')
ensure
Data type: K8s::Ensure
whether kubernetes should be present or absent
Default value: 'present'
etcd_cluster_name
Data type: String[1]
name of the etcd cluster for searching its nodes in the puppetdb
Default value: 'default'
etcd_version
Data type: String[1]
version of etcd to install
Default value: '3.5.1'
firewall_type
Data type: Optional[K8s::Firewall]
type of firewall to use
Default value: undef
gid
Data type: Integer[0, 65535]
group id for kubernetes files and services
Default value: 888
group
Data type: String[1]
groupname for kubernetes files and services
Default value: 'kube'
hyperkube_name
Data type: String[1]
name of the hyperkube binary
Default value: 'hyperkube'
incluster_control_plane_url
Data type: Stdlib::HTTPUrl
URL for the control plane from within the cluster
Default value: 'https://kubernetes.default.svc'
manage_container_manager
Data type: Boolean
whether to manage the container manager
Default value: true
manage_etcd
Data type: Boolean
whether to manage etcd
Default value: true
manage_firewall
Data type: Boolean
whether to manage the firewall
Default value: false
manage_image
Data type: Boolean
whether to manage the image
Default value: false
manage_kernel_modules
Data type: Boolean
A flag to manage required Kernel modules.
Default value: true
manage_kube_proxy
Data type: K8s::Proxy_method
How/if the kube-proxy component should be managed, either as an in-cluster component (default), or as an on-node component for advanced use-cases.
Default value: true
manage_packages
Data type: Boolean
whether to manage packages
Default value: true
manage_repo
Data type: Boolean
whether to manage the repo
Default value: true
manage_sysctl_settings
Data type: Boolean
A flag to manage required sysctl settings.
Default value: true
native_packaging
Data type: K8s::Native_packaging
type of native packaging to use
Default value: 'loose'
native_url_template
Data type: String[1]
template for native packaging
Default value: 'https://storage.googleapis.com/kubernetes-release/release/v%{version}/bin/%{kernel}/%{arch}/%{binary}'
node_auth
Data type: K8s::Node_auth
authentication method for nodes
Default value: 'bootstrap'
package_template
Data type: String[1]
template for package names
Default value: 'kubernetes-%{component}'
packaging
Data type: Enum['container', 'native']
whether to use native or container packaging
Default value: 'native'
puppetdb_discovery
Data type: Boolean
whether to use puppetdb for node discovery
Default value: false
puppetdb_discovery_tag
Data type: String[1]
tag to use for puppetdb node discovery
Default value: 'default'
purge_manifests
Data type: Boolean
whether to purge manifests
Default value: true
role
Data type: Enum['node','server','none']
role of the node
Default value: 'none'
runc_version
Data type: String[1]
version of runc to install
Default value: 'installed'
service_cluster_cidr
Data type: K8s::CIDR
CIDR for the service network
Default value: '10.1.0.0/24'
sysconfig_path
Data type: Optional[Stdlib::Unixpath]
path to the sysconfig directory
Default value: undef
tarball_url_template
Data type: String[1]
template for tarball packaging
Default value: 'https://dl.k8s.io/v%{version}/kubernetes-%{component}-%{kernel}-%{arch}.tar.gz'
uid
Data type: Integer[0, 65535]
user id for kubernetes files and services
Default value: 888
user
Data type: String[1]
username for kubernetes files and services
Default value: 'kube'
version
Data type: String[1]
version of kubernetes to install
Default value: '1.26.1'
k8s::install::cni_plugins
Class: k8s::install::cni_plugins
Parameters
The following parameters are available in the k8s::install::cni_plugins class:
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
method
Data type: String[1]
installation method
Default value: $k8s::native_packaging
version
Data type: String[1]
sets the version to use
Default value: 'v1.2.0'
download_url_template
Data type: String[1]
template string for the cni_plugins download url
Default value: 'https://github.com/containernetworking/plugins/releases/download/%{version}/cni-plugins-linux-%{arch}-%{version}.tgz'
k8s::install::container_runtime
Class: k8s::install::container_runtime
Parameters
The following parameters are available in the k8s::install::container_runtime class:
container_manager
containerd_package
crio_package
k8s_version
manage_repo
package_ensure
runc_version
container_manager
Data type: K8s::Container_runtimes
set the cri to use
Default value: $k8s::container_manager
containerd_package
Data type: Optional[String[1]]
the containerd package name
Default value: $k8s::containerd_package
crio_package
Data type: Optional[String[1]]
the cri-o package name
Default value: $k8s::crio_package
k8s_version
Data type: String[1]
the k8s version
Default value: $k8s::version
manage_repo
Data type: Boolean
whether to manage the repo or not
Default value: $k8s::manage_repo
package_ensure
Data type: String[1]
the ensure value to set on the cri package
Default value: installed
runc_version
Data type: String[1]
the runc version
Default value: $k8s::runc_version
k8s::install::crictl
Class: k8s::install::crictl
Parameters
The following parameters are available in the k8s::install::crictl class:
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
version
Data type: String[1]
the k8s version
Default value: 'v1.26.0'
config
Data type: Hash
config for crictl, for example:

    k8s::install::crictl::config:
      'runtime-endpoint': 'unix:///run/containerd/containerd.sock'
      'image-endpoint': 'unix:///run/containerd/containerd.sock'
Default value: {}
crictl_package
Data type: Optional[String[1]]
the package name of crictl
Default value: $k8s::crictl_package
manage_repo
Data type: Boolean
whether to manage the repo or not
Default value: $k8s::manage_repo
download_url_template
Data type: Stdlib::HTTPUrl
template string for the URL to download tar.gz from
Default value: 'https://github.com/kubernetes-sigs/cri-tools/releases/download/%{version}/crictl-%{version}-linux-%{arch}.tar.gz'
k8s::install::kubeadm
Installs the kubeadm binary
Parameters
The following parameters are available in the k8s::install::kubeadm class:
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
k8s::install::kubectl
Installs the kubectl binary
Parameters
The following parameters are available in the k8s::install::kubectl class:
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
k8s::node
Installs a Kubernetes node
Parameters
The following parameters are available in the k8s::node class:
ca_cert
cert_path
control_plane_url
ensure
firewall_type
manage_crictl
manage_firewall
manage_kernel_modules
manage_kubelet
manage_proxy
manage_simple_cni
manage_sysctl_settings
node_auth
node_cert
node_key
node_token
proxy_auth
proxy_cert
proxy_key
proxy_token
puppetdb_discovery_tag
ca_cert
Data type: Stdlib::Unixpath
path to the ca cert
Default value: "${cert_path}/ca.pem"
cert_path
Data type: Stdlib::Unixpath
path to cert files
Default value: '/var/lib/kubelet/pki'
control_plane_url
Data type: Stdlib::HTTPUrl
cluster API connection
Default value: $k8s::control_plane_url
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
firewall_type
Data type: Optional[K8s::Firewall]
define the type of firewall to use
Default value: $k8s::firewall_type
manage_crictl
Data type: Boolean
toggle to install crictl
Default value: false
manage_firewall
Data type: Boolean
whether to manage firewall or not
Default value: $k8s::manage_firewall
manage_kernel_modules
Data type: Boolean
whether to load kernel modules or not
Default value: $k8s::manage_kernel_modules
manage_kubelet
Data type: Boolean
whether to manage kubelet or not
Default value: true
manage_proxy
Data type: Boolean
whether to manage kube-proxy or not
Default value: $k8s::manage_kube_proxy == 'on-node'
manage_simple_cni
Data type: Boolean
toggle to use a simple bridge network for containers
Default value: false
manage_sysctl_settings
Data type: Boolean
whether to manage sysctl settings or not
Default value: $k8s::manage_sysctl_settings
node_auth
Data type: K8s::Node_auth
type of node authentication
Default value: $k8s::node_auth
node_cert
Data type: Optional[Stdlib::Unixpath]
path to node cert file
Default value: undef
node_key
Data type: Optional[Stdlib::Unixpath]
path to node key file
Default value: undef
node_token
Data type: Optional[Sensitive[String]]
k8s token to join a cluster
Default value: undef
proxy_auth
Data type: K8s::Proxy_auth
which proxy auth to use
Default value: 'incluster'
proxy_cert
Data type: Optional[Stdlib::Unixpath]
path to proxy cert file
Default value: undef
proxy_key
Data type: Optional[Stdlib::Unixpath]
path to proxy key file
Default value: undef
proxy_token
Data type: Optional[Sensitive[String]]
k8s token for kube-proxy
Default value: undef
puppetdb_discovery_tag
Data type: String[1]
enable puppetdb resource searching
Default value: $k8s::puppetdb_discovery_tag
k8s::node::kube_proxy
For most use-cases, running kube-proxy inside the cluster itself is recommended
Parameters
The following parameters are available in the k8s::node::kube_proxy class:
arguments
auth
ca_cert
cert
cluster_cidr
config
control_plane_url
ensure
key
puppetdb_discovery_tag
token
arguments
Data type: Hash[String, Data]
A hash of additional arguments to pass to kube-proxy
Default value: {}
auth
Data type: K8s::Proxy_auth
The authentication method to use for the API server
Default value: $k8s::node::proxy_auth
ca_cert
Data type: Optional[Stdlib::Unixpath]
The path to the CA certificate to use for the API server
Default value: $k8s::node::ca_cert
cert
Data type: Optional[Stdlib::Unixpath]
The path to the client certificate to use for the API server
Default value: $k8s::node::proxy_cert
cluster_cidr
Data type: K8s::CIDR
The CIDR range of the cluster
Default value: $k8s::cluster_cidr
config
Data type: Hash[String, Data]
A hash of additional configuration options to pass to kube-proxy
Default value: {}
control_plane_url
Data type: Stdlib::HTTPUrl
The URL of the Kubernetes API server
Default value: $k8s::node::control_plane_url
ensure
Data type: K8s::Ensure
Whether the kube-proxy service should be configured
Default value: $k8s::node::ensure
key
Data type: Optional[Stdlib::Unixpath]
The path to the client key to use for the API server
Default value: $k8s::node::proxy_key
puppetdb_discovery_tag
Data type: String
The tag to use for PuppetDB service discovery
Default value: $k8s::node::puppetdb_discovery_tag
token
Data type: Optional[Sensitive[String]]
The token to use for the API server
Default value: $k8s::node::proxy_token
k8s::node::kubectl
Installs the kubectl binary
Parameters
The following parameters are available in the k8s::node::kubectl class:
ensure
Data type: K8s::Ensure
Whether to install the binary
Default value: $k8s::ensure
k8s::node::kubelet
Installs and configures kubelet
Parameters
The following parameters are available in the k8s::node::kubelet class:
arguments
auth
ca_cert
cert
cert_path
config
control_plane_url
ensure
firewall_type
key
kubeconfig
manage_firewall
manage_kernel_modules
manage_sysctl_settings
puppetdb_discovery_tag
rotate_server_tls
runtime
runtime_service
support_dualstack
token
arguments
Data type: Hash[String, Data]
additional arguments to pass to kubelet
Default value: {}
auth
Data type: K8s::Node_auth
type of node authentication
Default value: $k8s::node::node_auth
ca_cert
Data type: Optional[Stdlib::Unixpath]
path to the ca cert
Default value: $k8s::node::ca_cert
cert
Data type: Optional[Stdlib::Unixpath]
path to node cert file
Default value: $k8s::node::node_cert
cert_path
Data type: Stdlib::Unixpath
path to cert files
Default value: $k8s::node::cert_path
config
Data type: Hash[String, Data]
additional config to pass to kubelet
Default value: {}
control_plane_url
Data type: Stdlib::HTTPUrl
cluster API connection
Default value: $k8s::node::control_plane_url
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::node::ensure
firewall_type
Data type: Optional[K8s::Firewall]
define the type of firewall to use
Default value: $k8s::node::firewall_type
key
Data type: Optional[Stdlib::Unixpath]
path to node key file
Default value: $k8s::node::node_key
kubeconfig
Data type: Stdlib::Unixpath
path to kubeconfig
Default value: '/srv/kubernetes/kubelet.kubeconf'
manage_firewall
Data type: Boolean
whether to manage firewall or not
Default value: $k8s::node::manage_firewall
manage_kernel_modules
Data type: Boolean
whether to load kernel modules or not
Default value: $k8s::node::manage_kernel_modules
manage_sysctl_settings
Data type: Boolean
whether to manage sysctl settings or not
Default value: $k8s::node::manage_sysctl_settings
puppetdb_discovery_tag
Data type: String[1]
enable puppetdb resource searching
Default value: $k8s::node::puppetdb_discovery_tag
rotate_server_tls
Data type: Boolean
whether to rotate server tls or not
Default value: $auth == 'bootstrap'
runtime
Data type: String
which container runtime to use
Default value: $k8s::container_manager
runtime_service
Data type: String
name of the service of the container runtime
Default value: $k8s::container_runtime_service
support_dualstack
Data type: Boolean
whether to support dualstack or not
Default value: $k8s::cluster_cidr =~ Array[Data, 2]
token
Data type: Optional[Sensitive[String]]
k8s token to join a cluster
Default value: $k8s::node::node_token
k8s::node::simple_cni
Class: k8s::node::simple_cni
Parameters
The following parameters are available in the k8s::node::simple_cni class:
pod_cidr
Data type: K8s::CIDR
cidr for pods in the network
Default value: $k8s::cluster_cidr
k8s::repo
Handles repositories for the container runtime
Parameters
The following parameters are available in the k8s::repo class:
container_manager
Data type: K8s::Container_runtimes
The name of the container manager
Default value: $k8s::container_manager
crio_version
Data type: String[1]
version of cri-o
Default value: $k8s::version.split('\.')[0, 2].join('.')
manage_container_manager
Data type: Boolean
whether to add cri-o repository or not
Default value: $k8s::manage_container_manager
k8s::server
Sets up a Kubernetes server instance
Parameters
The following parameters are available in the k8s::server class:
aggregator_ca_cert
aggregator_ca_key
api_port
ca_cert
ca_key
cert_path
cluster_cidr
cluster_domain
control_plane_url
direct_control_plane_url
dns_service_address
ensure
etcd_cluster_name
etcd_servers
firewall_type
generate_ca
manage_certs
manage_components
manage_crictl
manage_etcd
manage_firewall
manage_kubeadm
manage_resources
manage_signing
node_on_server
puppetdb_discovery_tag
aggregator_ca_cert
Data type: Stdlib::Unixpath
path to the aggregator ca cert
Default value: "${cert_path}/aggregator-ca.pem"
aggregator_ca_key
Data type: Stdlib::Unixpath
path to the aggregator ca key
Default value: "${cert_path}/aggregator-ca.key"
api_port
Data type: Integer[1]
Cluster API port
Default value: 6443
ca_cert
Data type: Stdlib::Unixpath
path to the ca cert
Default value: "${cert_path}/ca.pem"
ca_key
Data type: Stdlib::Unixpath
path to the ca key
Default value: "${cert_path}/ca.key"
cert_path
Data type: Stdlib::Unixpath
path to cert files
Default value: '/etc/kubernetes/certs'
cluster_cidr
Data type: K8s::CIDR
cluster cidr
Default value: $k8s::cluster_cidr
cluster_domain
Data type: String
cluster domain name
Default value: $k8s::cluster_domain
control_plane_url
Data type: String
cluster API connection
Default value: $k8s::control_plane_url
direct_control_plane_url
Data type: String
direct cluster API connection
Default value: "https://${fact('networking.ip')}:${api_port}"
dns_service_address
Data type: K8s::IP_addresses
cluster dns service address
Default value: $k8s::dns_service_address
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::ensure
etcd_cluster_name
Data type: String[1]
name of the etcd cluster for searching its nodes in the puppetdb
Default value: $k8s::etcd_cluster_name
etcd_servers
Data type: Optional[Array[Stdlib::HTTPUrl]]
list etcd servers if no puppetdb is used
Default value: undef
firewall_type
Data type: Optional[K8s::Firewall]
define the type of firewall to use
Default value: $k8s::firewall_type
generate_ca
Data type: Boolean
initially generate ca
Default value: false
manage_certs
Data type: Boolean
whether to manage certs or not
Default value: true
manage_components
Data type: Boolean
whether to manage components or not
Default value: true
manage_crictl
Data type: Boolean
whether to install crictl or not
Default value: false
manage_etcd
Data type: Boolean
whether to manage etcd or not
Default value: $k8s::manage_etcd
manage_firewall
Data type: Boolean
whether to manage firewall or not
Default value: $k8s::manage_firewall
manage_kubeadm
Data type: Boolean
whether to install kubeadm or not
Default value: false
manage_resources
Data type: Boolean
whether to manage cluster internal resources or not
Default value: true
manage_signing
Data type: Boolean
whether to manage cert signing or not
Default value: $k8s::puppetdb_discovery
node_on_server
Data type: Boolean
whether to use controller also as nodes or not
Default value: true
puppetdb_discovery_tag
Data type: String[1]
enable puppetdb resource searching
Default value: $k8s::puppetdb_discovery_tag
k8s::server::apiserver
Installs and configures a Kubernetes apiserver
Parameters
The following parameters are available in the k8s::server::apiserver class:
advertise_address
aggregator_ca_cert
apiserver_cert
apiserver_client_cert
apiserver_client_key
apiserver_key
arguments
ca_cert
cert_path
container_image
container_image_tag
container_registry
discover_etcd_servers
ensure
etcd_ca
etcd_cert
etcd_cluster_name
etcd_key
etcd_servers
firewall_type
front_proxy_cert
front_proxy_key
manage_firewall
puppetdb_discovery_tag
service_cluster_cidr
serviceaccount_private
serviceaccount_public
advertise_address
Data type: Stdlib::IP::Address::Nosubnet
bind address of the apiserver
Default value: fact('networking.ip')
aggregator_ca_cert
Data type: Stdlib::Unixpath
path to the aggregator ca cert file
Default value: $k8s::server::tls::aggregator_ca_cert
apiserver_cert
Data type: Stdlib::Unixpath
path to the apiserver cert file
Default value: "${cert_path}/kube-apiserver.pem"
apiserver_client_cert
Data type: Stdlib::Unixpath
path to the apiserver client cert file
Default value: "${cert_path}/apiserver-kubelet-client.pem"
apiserver_client_key
Data type: Stdlib::Unixpath
path to the apiserver client key file
Default value: "${cert_path}/apiserver-kubelet-client.key"
apiserver_key
Data type: Stdlib::Unixpath
path to the apiserver cert file
Default value: "${cert_path}/kube-apiserver.key"
arguments
Data type: Hash[String, Data]
additional arguments for the apiserver
Default value: {}
ca_cert
Data type: Stdlib::Unixpath
path to the ca cert
Default value: $k8s::server::tls::ca_cert
cert_path
Data type: Stdlib::Unixpath
path to cert files
Default value: $k8s::server::tls::cert_path
container_image
Data type: String[1]
container image to use for the apiserver
Default value: 'kube-apiserver'
container_image_tag
Data type: Optional[String[1]]
container image tag to use for the apiserver
Default value: $k8s::container_image_tag
container_registry
Data type: String[1]
container registry to pull the image from
Default value: $k8s::container_registry
discover_etcd_servers
Data type: Boolean
enable puppetdb resource searching
Default value: $k8s::puppetdb_discovery
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::server::ensure
etcd_ca
Data type: Stdlib::Unixpath
path to the etcd ca cert file
Default value: "${cert_path}/etcd-ca.pem"
etcd_cert
Data type: Stdlib::Unixpath
path to the etcd cert file
Default value: "${cert_path}/etcd.pem"
etcd_cluster_name
Data type: String[1]
name of the etcd cluster for searching its nodes in the puppetdb
Default value: $k8s::server::etcd_cluster_name
etcd_key
Data type: Stdlib::Unixpath
path to the etcd key file
Default value: "${cert_path}/etcd.key"
etcd_servers
Data type: Optional[Array[Stdlib::HTTPUrl]]
list etcd servers if no puppetdb is used
Default value: $k8s::server::etcd_servers
firewall_type
Data type: Optional[K8s::Firewall]
define the type of firewall to use
Default value: $k8s::server::firewall_type
front_proxy_cert
Data type: Stdlib::Unixpath
path to the front proxy cert file
Default value: "${cert_path}/front-proxy-client.pem"
front_proxy_key
Data type: Stdlib::Unixpath
path to the front proxy key file
Default value: "${cert_path}/front-proxy-client.key"
manage_firewall
Data type: Boolean
whether to manage firewall or not
Default value: $k8s::server::manage_firewall
puppetdb_discovery_tag
Data type: String
enable puppetdb resource searching
Default value: $k8s::server::puppetdb_discovery_tag
service_cluster_cidr
Data type: K8s::CIDR
cidr of the service cluster
Default value: $k8s::service_cluster_cidr
serviceaccount_private
Data type: Stdlib::Unixpath
path to the service account private key file
Default value: "${cert_path}/service-account.key"
serviceaccount_public
Data type: Stdlib::Unixpath
path to the service account public key file
Default value: "${cert_path}/service-account.pub"
k8s::server::controller_manager
Installs and configures a Kubernetes controller manager
Parameters
The following parameters are available in the k8s::server::controller_manager class:
arguments
ca_cert
ca_key
cert
cert_path
cluster_cidr
container_image
container_image_tag
container_registry
control_plane_url
ensure
key
service_cluster_cidr
arguments
Data type: Hash[String, Data]
Additional arguments to pass to the controller manager.
Default value: {}
ca_cert
Data type: Stdlib::Unixpath
The path to the CA certificate.
Default value: $k8s::server::tls::ca_cert
ca_key
Data type: Stdlib::Unixpath
The path to the CA key.
Default value: $k8s::server::tls::ca_key
cert
Data type: Stdlib::Unixpath
The path to the controller manager certificate.
Default value: "${cert_path}/kube-controller-manager.pem"
cert_path
Data type: Stdlib::Unixpath
The path to the TLS certificates.
Default value: $k8s::server::tls::cert_path
cluster_cidr
Data type: K8s::CIDR
The CIDR of the cluster.
Default value: $k8s::cluster_cidr
container_image
Data type: String[1]
The container image to use for the controller manager.
Default value: 'kube-controller-manager'
container_image_tag
Data type: Optional[String[1]]
The container image tag to use for the controller manager.
Default value: $k8s::container_image_tag
container_registry
Data type: String[1]
The container registry to pull the controller manager image from.
Default value: $k8s::container_registry
control_plane_url
Data type: Stdlib::HTTPUrl
The URL of the Kubernetes API server.
Default value: $k8s::control_plane_url
ensure
Data type: K8s::Ensure
Whether the controller manager should be configured.
Default value: $k8s::server::ensure
key
Data type: Stdlib::Unixpath
The path to the controller manager key.
Default value: "${cert_path}/kube-controller-manager.key"
service_cluster_cidr
Data type: K8s::CIDR
The CIDR of the service cluster.
Default value: $k8s::service_cluster_cidr
k8s::server::etcd
Sets up an etcd cluster node
Parameters
The following parameters are available in the k8s::server::etcd class:
addn_names
cert_path
client_ca_cert
client_ca_key
cluster_name
ensure
firewall_type
generate_ca
group
manage_certs
manage_firewall
manage_members
manage_setup
peer_ca_cert
peer_ca_key
puppetdb_discovery_tag
self_signed_tls
user
version
addn_names
Data type: K8s::TLS_altnames
additional names for certificates
Default value: []
cert_path
Data type: Stdlib::Unixpath
path to cert files
Default value: '/var/lib/etcd/certs'
client_ca_cert
Data type: Stdlib::Unixpath
path to the client ca cert
Default value: "${cert_path}/client-ca.pem"
client_ca_key
Data type: Stdlib::Unixpath
path to the client ca key
Default value: "${cert_path}/client-ca.key"
cluster_name
Data type: String[1]
name of the etcd cluster for searching its nodes in the puppetdb
Default value: pick($k8s::server::etcd_cluster_name, 'default')
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: 'present'
firewall_type
Data type: Optional[K8s::Firewall]
define the type of firewall to use
Default value: $k8s::server::firewall_type
generate_ca
Data type: Boolean
whether to generate its own CA or not
Default value: false
group
Data type: String[1]
group to run etcd as
Default value: 'etcd'
manage_certs
Data type: Boolean
whether to manage certs or not
Default value: true
manage_firewall
Data type: Boolean
whether to manage firewall or not
Default value: false
manage_members
Data type: Boolean
whether to manage the etcd cluster member joining or not
Default value: false
manage_setup
Data type: Boolean
whether to manage the setup of etcd or not
Default value: true
peer_ca_cert
Data type: Stdlib::Unixpath
path to the peer ca cert
Default value: "${cert_path}/peer-ca.pem"
peer_ca_key
Data type: Stdlib::Unixpath
path to the peer ca key
Default value: "${cert_path}/peer-ca.key"
puppetdb_discovery_tag
Data type: String[1]
enable puppetdb resource searching
Default value: pick($k8s::server::puppetdb_discovery_tag, $cluster_name)
self_signed_tls
Data type: Boolean
whether to use self signed tls or not
Default value: false
user
Data type: String[1]
user to run etcd as
Default value: 'etcd'
version
Data type: String[1]
version of etcd to install
Default value: pick($k8s::etcd_version, '3.5.1')
k8s::server::etcd::setup
Installs and configures an etcd instance
Parameters
The following parameters are available in the k8s::server::etcd::setup
class:
advertise_client_urls
archive_template
auto_compaction_retention
auto_tls
binary_path
cert_file
client_cert_auth
data_dir
ensure
etcd_name
fqdn
gid
group
initial_advertise_peer_urls
initial_cluster
initial_cluster_state
initial_cluster_token
install
key_file
listen_client_urls
listen_peer_urls
package
peer_auto_tls
peer_cert_file
peer_client_cert_auth
peer_key_file
peer_trusted_ca_file
proxy
storage_path
trusted_ca_file
uid
user
version
advertise_client_urls
Data type: Array[Stdlib::HTTPUrl]
The client urls to advertise
Default value: ["https://${fqdn}:2379"]
archive_template
Data type: Stdlib::HTTPUrl
The download URL template for the etcd archive
Default value: 'https://storage.googleapis.com/etcd/v%{version}/etcd-v%{version}-%{kernel}-%{arch}.%{kernel_ext}'
auto_compaction_retention
Data type: Optional[Integer]
The auto compaction retention
Default value: undef
auto_tls
Data type: Boolean
Use auto tls
Default value: $k8s::server::etcd::self_signed_tls
binary_path
Data type: Optional[Stdlib::Unixpath]
path to the etcd binary
Default value: undef
cert_file
Data type: Optional[Stdlib::Unixpath]
path to the cert file
Default value: undef
client_cert_auth
Data type: Boolean
Use client cert auth
Default value: false
data_dir
Data type: String[1]
path to the data dir
Default value: "${etcd_name}.etcd"
ensure
Data type: K8s::Ensure
set ensure for installation or deinstallation
Default value: $k8s::server::etcd::ensure
etcd_name
Data type: String[1]
The etcd instance name
Default value: $facts['networking']['hostname']
fqdn
Data type: String[1]
fully qualified domain name
Default value: $facts['networking']['fqdn']
gid
Data type: Optional[Integer[0, 65535]]
The group system id
Default value: undef
group
Data type: String[1]
etcd system user group
Default value: $k8s::server::etcd::group
initial_advertise_peer_urls
Data type: Array[Stdlib::HTTPUrl]
The peer urls to advertise
Default value: ["https://${fqdn}:2380"]
initial_cluster
Data type: Array[String[1]]
The initial cluster
Default value: []
initial_cluster_state
Data type: Optional[Enum['existing', 'new']]
The initial cluster state
Default value: undef
initial_cluster_token
Data type: Optional[String[1]]
The initial cluster token
Default value: undef
install
Data type: Enum['archive','package']
etcd installation method
Default value: 'archive'
key_file
Data type: Optional[Stdlib::Unixpath]
path to the key file
Default value: undef
listen_client_urls
Data type: Array[Stdlib::HTTPUrl]
The client urls to listen on
Default value: ['https://[::]:2379']
listen_peer_urls
Data type: Array[Stdlib::HTTPUrl]
The peer urls to listen on
Default value: ['https://[::]:2380']
package
Data type: String[1]
etcd package name
Default value: 'etcd'
peer_auto_tls
Data type: Boolean
Use peer auto tls
Default value: $k8s::server::etcd::self_signed_tls
peer_cert_file
Data type: Optional[Stdlib::Unixpath]
path to the peer cert file
Default value: undef
peer_client_cert_auth
Data type: Boolean
Use peer client cert auth
Default value: false
peer_key_file
Data type: Optional[Stdlib::Unixpath]
path to the peer key file
Default value: undef
peer_trusted_ca_file
Data type: Optional[Stdlib::Unixpath]
path to the peer trusted ca file
Default value: undef
proxy
Data type: Enum['on','off','readonly']
The proxy mode
Default value: 'off'
storage_path
Data type: Stdlib::Unixpath
path to the working dir of etcd
Default value: '/var/lib/etcd'
trusted_ca_file
Data type: Optional[Stdlib::Unixpath]
path to the trusted ca file
Default value: undef
uid
Data type: Optional[Integer[0, 65535]]
The user system id
Default value: undef
user
Data type: String[1]
etcd system user
Default value: $k8s::server::etcd::user
version
Data type: String[1]
The etcd version to install
Default value: $k8s::server::etcd::version
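The two etcd classes above leave several security-relevant settings at permissive defaults: client_cert_auth and peer_client_cert_auth are false, the listen URLs bind the '[::]' wildcard, and cert_file, key_file and the trusted CA files are undef, so a node that also sets self_signed_tls falls back to etcd's auto-generated TLS. The manifest below is an added example, not code from the puppet-k8s module, showing the hardened form of both classes on one node. It assumes the top-level class { 'k8s': role => 'server' } declaration from the README is present so that the $k8s::... defaults resolve, that declaring k8s::server::etcd::setup directly with manage_setup => false is the way to override the setup parameters, and that the module writes per-node certificates next to the CA files under cert_path. The cluster name, firewall type and per-node certificate file names are constructed values.

```puppet
# Added example (not part of the puppet-k8s module): an etcd node with
# mutual TLS enforced on both the client port and the peer port.
# Assumes class { 'k8s': role => 'server' } is declared elsewhere in the
# catalog. Cluster name, firewall type and per-node cert names are constructed.

class { 'k8s::server::etcd':
  cluster_name    => 'prod-etcd',   # constructed; also used for PuppetDB member discovery
  manage_certs    => true,          # let the module issue per-node certs from the CAs below
  generate_ca     => false,         # CAs are distributed out of band and never regenerated here
  self_signed_tls => false,         # never fall back to etcd auto-TLS
  manage_firewall => true,
  firewall_type   => 'iptables',    # constructed; must be a valid K8s::Firewall value
  manage_setup    => false,         # the setup class is declared explicitly below
}

$etcd_certs = '/var/lib/etcd/certs'                 # the k8s::server::etcd cert_path default
$node       = $facts['networking']['hostname']

class { 'k8s::server::etcd::setup':
  # Bind the node's own address (plus loopback for local tooling) instead of
  # the default '[::]' wildcard on both ports.
  listen_client_urls          => ["https://${facts['networking']['ip']}:2379", 'https://127.0.0.1:2379'],
  listen_peer_urls            => ["https://${facts['networking']['ip']}:2380"],
  advertise_client_urls       => ["https://${facts['networking']['fqdn']}:2379"],
  initial_advertise_peer_urls => ["https://${facts['networking']['fqdn']}:2380"],

  # Explicit certificate material; these all default to undef.
  trusted_ca_file             => "${etcd_certs}/client-ca.pem",
  cert_file                   => "${etcd_certs}/${node}.pem",        # constructed file name
  key_file                    => "${etcd_certs}/${node}.key",        # constructed file name
  peer_trusted_ca_file        => "${etcd_certs}/peer-ca.pem",
  peer_cert_file              => "${etcd_certs}/${node}-peer.pem",   # constructed file name
  peer_key_file               => "${etcd_certs}/${node}-peer.key",   # constructed file name

  # Both default to false; without them a client that presents no
  # certificate can still reach the client or peer port over TLS.
  client_cert_auth            => true,
  peer_client_cert_auth       => true,
  auto_tls                    => false,
  peer_auto_tls               => false,

  proxy                       => 'off',
  auto_compaction_retention   => 1,     # hours; keeps the keyspace history bounded
  storage_path                => '/var/lib/etcd',
  require                     => Class['k8s::server::etcd'],
}
```

With manage_certs left true, the module is expected to issue the per-node certificates from the two CAs under cert_path; the explicit file names above must match whatever names it writes, which is why they are marked as constructed. Check the result with etcdctl using the client CA, certificate and key: a connection without a client certificate should be refused once client_cert_auth is true.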
k8s::server::resources
Generates and deploys standard Kubernetes in-cluster services
Parameters
The following parameters are available in the k8s::server::resources
class:
ca_cert
cluster_cidr
cluster_domain
control_plane_url
coredns_deployment_config
coredns_image
coredns_registry
coredns_tag
dns_service_address
extra_kube_proxy_args
flannel_cni_image
flannel_cni_registry
flannel_cni_tag
flannel_daemonset_config
flannel_image
flannel_registry
flannel_tag
image_pull_secrets
kube_proxy_daemonset_config
kube_proxy_image
kube_proxy_registry
kube_proxy_tag
kubeconfig
manage_bootstrap
manage_coredns
manage_flannel
manage_kube_proxy
ca_cert
Data type: Stdlib::Unixpath
the path to the CA certificate to use for the cluster
Default value: $k8s::server::tls::ca_cert
cluster_cidr
Data type: K8s::CIDR
the CIDR to use for the cluster
Default value: $k8s::server::cluster_cidr
cluster_domain
Data type: String[1]
the domain to use for the cluster
Default value: $k8s::server::cluster_domain
control_plane_url
Data type: String[1]
the URL to use for the control plane
Default value: $k8s::server::control_plane_url
coredns_deployment_config
Data type: Hash[String,Data]
the configuration to use for the CoreDNS Deployment
Default value: {}
coredns_image
Data type: String[1]
the image to use for the CoreDNS
Default value: 'coredns/coredns'
coredns_registry
Data type: String[1]
the registry to use for the CoreDNS image
Default value: 'docker.io'
coredns_tag
Data type: String[1]
the tag to use for the CoreDNS image
Default value: '1.8.7'
dns_service_address
Data type: K8s::IP_addresses
the IP address to use for the DNS service
Default value: $k8s::server::dns_service_address
extra_kube_proxy_args
Data type: Hash[String,Data]
the extra arguments to pass to the kube-proxy
Default value: {}
flannel_cni_image
Data type: String[1]
the image to use for the Flannel CNI
Default value: 'rancher/mirrored-flannelcni-flannel-cni-plugin'
flannel_cni_registry
Data type: String[1]
the registry to use for the Flannel CNI image
Default value: 'docker.io'
flannel_cni_tag
Data type: String[1]
the tag to use for the Flannel CNI image
Default value: 'v1.0.0'
flannel_daemonset_config
Data type: Hash[String,Data]
the configuration to use for the Flannel DaemonSet
Default value: {}
flannel_image
Data type: String[1]
the image to use for the Flannel
Default value: 'rancher/mirrored-flannelcni-flannel'
flannel_registry
Data type: String[1]
the registry to use for the Flannel image
Default value: 'docker.io'
flannel_tag
Data type: String[1]
the tag to use for the Flannel image
Default value: 'v0.16.1'
image_pull_secrets
Data type: Optional[Array]
the secrets to pull from private registries
Default value: undef
kube_proxy_daemonset_config
Data type: Hash[String,Data]
the configuration to use for the kube-proxy DaemonSet
Default value: {}
kube_proxy_image
Data type: String[1]
the image to use for the kube-proxy
Default value: 'kube-proxy'
kube_proxy_registry
Data type: String[1]
the registry to use for the kube-proxy image
Default value: $k8s::container_registry
kube_proxy_tag
Data type: String[1]
the tag to use for the kube-proxy image
Default value: "v${k8s::version}"
kubeconfig
Data type: Stdlib::Unixpath
the path to the kubeconfig file to use for kubectl
Default value: '/root/.kube/config'
manage_bootstrap
Data type: Boolean
whether to manage the bootstrap resources
Default value: true
manage_coredns
Data type: Boolean
whether to manage the CoreDNS resources
Default value: true
manage_flannel
Data type: Boolean
whether to manage the Flannel resources
Default value: true
manage_kube_proxy
Data type: K8s::Proxy_method
whether to manage the kube-proxy resources
Default value: $k8s::manage_kube_proxy
k8s::server::resources::bootstrap
Generates and deploys the default Puppet bootstrap configuration into the cluster
Parameters
The following parameters are available in the k8s::server::resources::bootstrap
class:
control_plane_url
Data type: String[1]
The main API URL to encode in the bootstrap configuration
Default value: $k8s::server::resources::control_plane_url
ensure
Data type: K8s::Ensure
Whether the resources should be present or absent
Default value: $k8s::ensure
kubeconfig
Data type: Stdlib::Unixpath
The path to the kubeconfig file to use for the bootstrap configuration
Default value: $k8s::server::resources::kubeconfig
secret
Data type: Optional[Sensitive[K8s::Bootstrap_token]]
The exact token secret to use, will be generated as a random 16-char string if left blank. The generated value can be retrieved from the bootstrap-token-puppet Secret in kube-system.
Default value: undef
k8s::server::resources::coredns
Generates and deploys the default CoreDNS DNS provider for Kubernetes
Parameters
The following parameters are available in the k8s::server::resources::coredns
class:
cluster_domain
corefile_content
deployment_config
dns_service_address
ensure
hosts
image
image_pull_secrets
image_tag
kubeconfig
registry
template_path
template_variables
cluster_domain
Data type: Stdlib::Fqdn
The cluster domain to use for the CoreDNS ConfigMap
Default value: $k8s::server::resources::cluster_domain
corefile_content
Data type: Optional[String[1]]
The content to use for the CoreDNS ConfigMap
Default value: undef
deployment_config
Data type: Hash[String,Data]
Additional configuration to merge into the Kubernetes Deployment object
Default value: $k8s::server::resources::coredns_deployment_config
dns_service_address
Data type: K8s::IP_addresses
The address for the DNS service
Default value: $k8s::server::resources::dns_service_address
ensure
Data type: K8s::Ensure
Whether the resource should be present or absent on the target system
Default value: $k8s::ensure
hosts
Data type: Array[String[1]]
Additional host-style entries for the CoreDNS deployment to serve
Default value: []
image
Data type: String[1]
The CoreDNS image name to use
Default value: $k8s::server::resources::coredns_image
image_pull_secrets
Data type: Optional[Array]
the secrets to pull from private registries
Default value: $k8s::server::resources::image_pull_secrets
image_tag
Data type: String[1]
The CoreDNS image tag to use
Default value: $k8s::server::resources::coredns_tag
kubeconfig
Data type: Stdlib::Unixpath
The path to the kubeconfig to use for kubectl commands
Default value: $k8s::server::resources::kubeconfig
registry
Data type: String[1]
The CoreDNS image registry to use
Default value: $k8s::server::resources::coredns_registry
template_path
Data type: String[1]
The path to the template to use for the CoreDNS ConfigMap
Default value: 'k8s/server/resources/coredns_corefile.epp'
template_variables
Data type: Hash[String, Any]
The variables to use for the CoreDNS ConfigMap template
Default value: { cluster_domain => $cluster_domain }
k8s::server::resources::flannel
Generates and deploys the default Flannel network provider for Kubernetes
Parameters
The following parameters are available in the k8s::server::resources::flannel
class:
cluster_cidr
cni_image
cni_image_tag
cni_registry
daemonset_config
ensure
image
image_pull_secrets
image_tag
kubeconfig
net_config
registry
cluster_cidr
Data type: K8s::CIDR
The internal cluster CIDR to proxy for
Default value: $k8s::server::resources::cluster_cidr
cni_image
Data type: String[1]
The Flannel CNI plugin image name to use
Default value: $k8s::server::resources::flannel_cni_image
cni_image_tag
Data type: String[1]
The Flannel CNI plugin image tag to use
Default value: $k8s::server::resources::flannel_cni_tag
cni_registry
Data type: String[1]
The Flannel CNI plugin image registry to use
Default value: $k8s::server::resources::flannel_cni_registry
daemonset_config
Data type: Hash[String,Data]
Additional configuration to merge into the DaemonSet object
Default value: $k8s::server::resources::flannel_daemonset_config
ensure
Data type: K8s::Ensure
Whether the resource should be present or absent on the system
Default value: $k8s::ensure
image
Data type: String[1]
The Flannel image name to use
Default value: $k8s::server::resources::flannel_image
image_pull_secrets
Data type: Optional[Array]
the secrets to pull from private registries
Default value: $k8s::server::resources::image_pull_secrets
image_tag
Data type: String[1]
The Flannel image tag to use
Default value: $k8s::server::resources::flannel_tag
kubeconfig
Data type: Stdlib::Unixpath
The path to the kubeconfig file to use
Default value: $k8s::server::resources::kubeconfig
net_config
Data type: Hash[String,Data]
Additional configuration to merge into net-conf.json for Flannel
Default value: {}
registry
Data type: String[1]
The Flannel image registry to use
Default value: $k8s::server::resources::flannel_registry
k8s::server::resources::kube_proxy
Generates and deploys the default kube-proxy service for Kubernetes
Parameters
The following parameters are available in the k8s::server::resources::kube_proxy
class:
cluster_cidr
daemonset_config
ensure
extra_args
extra_config
image
image_pull_secrets
image_tag
kubeconfig
registry
cluster_cidr
Data type: K8s::CIDR
The internal cluster CIDR to proxy for
Default value: $k8s::server::resources::cluster_cidr
daemonset_config
Data type: Hash[String,Data]
Additional configuration to merge into the DaemonSet object
Default value: {}
ensure
Data type: K8s::Ensure
Whether the resource should be present or absent
Default value: $k8s::ensure
extra_args
Data type: Hash[String,Data]
Additional arguments to specify to the kube-proxy application
Default value: {}
extra_config
Data type: Hash[String,Data]
Additional configuration data to apply to the kube-proxy configuration file
Default value: {}
image
Data type: String[1]
The kube-proxy image name to use
Default value: $k8s::server::resources::kube_proxy_image
image_pull_secrets
Data type: Optional[Array]
the secrets to pull from private registries
Default value: $k8s::server::resources::image_pull_secrets
image_tag
Data type: String[1]
The kube-proxy image tag to use
Default value: $k8s::server::resources::kube_proxy_tag
kubeconfig
Data type: Stdlib::Unixpath
The path to the kubeconfig file to use
Default value: $k8s::server::resources::kubeconfig
registry
Data type: String[1]
The kube-proxy image registry to use
Default value: $k8s::server::resources::kube_proxy_registry
k8s::server::scheduler
Installs and configures a Kubernetes scheduler
Parameters
The following parameters are available in the k8s::server::scheduler
class:
ensure
control_plane_url
arguments
cert_path
ca_cert
cert
key
container_registry
container_image
container_image_tag
ensure
Data type: K8s::Ensure
Whether the scheduler should be configured.
Default value: $k8s::server::ensure
control_plane_url
Data type: Stdlib::HTTPUrl
The URL of the Kubernetes API server.
Default value: $k8s::control_plane_url
arguments
Data type: Hash[String, Data]
Additional arguments to pass to the scheduler.
Default value: {}
cert_path
Data type: Stdlib::Unixpath
The path to the directory containing the TLS certificates.
Default value: $k8s::server::tls::cert_path
ca_cert
Data type: Stdlib::Unixpath
The path to the CA certificate.
Default value: $k8s::server::tls::ca_cert
cert
Data type: Stdlib::Unixpath
The path to the scheduler certificate.
Default value: "${cert_path}/kube-scheduler.pem"
key
Data type: Stdlib::Unixpath
The path to the scheduler key.
Default value: "${cert_path}/kube-scheduler.key"
container_registry
Data type: String[1]
The container registry to pull images from.
Default value: $k8s::container_registry
container_image
Data type: String[1]
The container image to use for the scheduler.
Default value: 'kube-scheduler'
container_image_tag
Data type: Optional[String[1]]
The container image tag to use for the scheduler.
Default value: $k8s::container_image_tag
k8s::server::tls
Generates the necessary Kubernetes certificates for a server
Parameters
The following parameters are available in the k8s::server::tls
class:
aggregator_ca_cert
aggregator_ca_key
api_addn_names
api_service_address
ca_cert
ca_key
cert_path
cluster_domain
ensure
generate_ca
key_bits
manage_certs
valid_days
aggregator_ca_cert
Data type: Stdlib::Unixpath
The path to the aggregator CA certificate
Default value: $k8s::server::aggregator_ca_cert
aggregator_ca_key
Data type: Stdlib::Unixpath
The path to the aggregator CA key
Default value: $k8s::server::aggregator_ca_key
api_addn_names
Data type: K8s::TLS_altnames
Additional names to add to the API server certificate
Default value: []
api_service_address
Data type: Stdlib::IP::Address::Nosubnet
The API service address
Default value: $k8s::api_service_address
ca_cert
Data type: Stdlib::Unixpath
The path to the CA certificate
Default value: $k8s::server::ca_cert
ca_key
Data type: Stdlib::Unixpath
The path to the CA key
Default value: $k8s::server::ca_key
cert_path
Data type: Stdlib::Unixpath
The path to the certificates
Default value: $k8s::server::cert_path
cluster_domain
Data type: String[1]
The cluster domain
Default value: $k8s::cluster_domain
ensure
Data type: K8s::Ensure
Whether to generate the certificates or not
Default value: 'present'
generate_ca
Data type: Boolean
Whether to generate the CA or not
Default value: $k8s::server::generate_ca
key_bits
Data type: Integer[512]
The number of bits to use for the key
Default value: 2048
manage_certs
Data type: Boolean
Whether to manage the certificates or not
Default value: $k8s::server::manage_certs
valid_days
Data type: Integer[1]
The number of days the certificate is valid for
Default value: 10000
k8s::server::wait_online
Creates a dummy exec to allow deferring applies until the Kubernetes API server has started
Defined types
k8s::binary
Deploys a Kubernetes binary
Parameters
The following parameters are available in the k8s::binary
defined type:
ensure
Data type: K8s::Ensure
Whether the binary should be present or absent
Default value: $k8s::ensure
version
Data type: String[1]
The version to deploy
Default value: $k8s::version
packaging
Data type: String[1]
The packaging method to use
Default value: $k8s::packaging
target
Data type: String[1]
The directory to deploy the binary to
Default value: "/opt/k8s/${$version}"
tarball_target
Data type: String[1]
The directory to download tarballs to
Default value: '/opt/k8s/archives'
active
Data type: Boolean
Whether the binary should be active
Default value: true
component
Data type: Optional[String]
The component to deploy
Default value: undef
k8s::server::bootstrap_token
You generally only want this to be done on a single Kubernetes server
Parameters
The following parameters are available in the k8s::server::bootstrap_token
defined type:
addn_data
description
ensure
expiration
extra_groups
id
kubeconfig
secret
update
use_authentication
use_signing
addn_data
Data type: Hash[String,Data]
Additional data to add to the token
Default value: {}
description
Data type: Optional[String]
A description of the token
Default value: undef
ensure
Data type: K8s::Ensure
Whether the token should be present or absent
Default value: 'present'
expiration
Data type: Optional[K8s::Timestamp]
The expiration time of the token
Default value: undef
extra_groups
Data type: Optional[Array[String]]
An array of extra groups to add to the token
Default value: undef
id
Data type: Pattern[/^[a-z0-9]{6}$/]
The ID of the token to generate
Default value: $name
kubeconfig
Data type: Stdlib::Unixpath
The path to the kubeconfig file to use
secret
Data type: Sensitive[K8s::Bootstrap_token]
The secret to use for the token
Default value: Sensitive(fqdn_rand_string(16).downcase())
update
Data type: Boolean
Whether to update the token if it already exists
Default value: false
use_authentication
Data type: Boolean
Whether the token should be used for authentication
Default value: true
use_signing
Data type: Optional[Boolean]
Whether the token should be used for signing
Default value: undef
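The defined type above generates a random 16-character secret per node by default and, because expiration defaults to undef, creates a token that stays valid until it is deleted. The manifest below is an added example, not code from the puppet-k8s module, declaring a bootstrap token with an explicit expiry and a secret taken from Hiera. The Hiera key 'profile::k8s::bootstrap_secret' is a constructed name assumed to hold a 16-character [a-z0-9] value; the token id, description, expiry date and group name are constructed, and the expiration is assumed to be accepted in RFC 3339 form, which is what Kubernetes stores in the bootstrap-token Secret.

```puppet
# Added example (not part of the puppet-k8s module): a short-lived node join
# token. The Hiera key, token id, expiry and group name are constructed values.

# The id must match ^[a-z0-9]{6}$ and becomes the token-id prefix.
k8s::server::bootstrap_token { 'a1b2c3':
  ensure             => present,
  kubeconfig         => '/root/.kube/config',
  # Sensitive keeps the secret out of catalog and report output in clear text.
  secret             => Sensitive(lookup('profile::k8s::bootstrap_secret')),   # assumed Hiera key
  description        => 'Node join token, March 2024 rollout',                 # constructed
  # A token with no expiration (the undef default) never expires on its own;
  # always set one for join tokens. Assumed RFC 3339 format.
  expiration         => '2024-03-31T00:00:00Z',                                # constructed
  # Kubernetes requires extra groups to carry the system:bootstrappers: prefix.
  extra_groups       => ['system:bootstrappers:workers'],                      # constructed
  use_authentication => true,
  use_signing        => false,   # only true when this token also signs the cluster-info ConfigMap
  update             => true,    # push a changed expiration/description onto an existing token
}
```

Pair this with a short expiration rather than a long-lived token: a leaked join token grants kubelet bootstrap credentials to anyone holding it until it expires, so the expiry window is the main limit on that exposure. The kubectl output for the bootstrap-token-a1b2c3 Secret in kube-system shows the expiration and usage flags the type applied.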
k8s::server::etcd::member
TODO - Convert to native type
Parameters
The following parameters are available in the k8s::server::etcd::member
defined type:
cluster_ca
Data type: Optional[Stdlib::Unixpath]
The cluster CA for the new member
Default value: undef
cluster_cert
Data type: Optional[Stdlib::Unixpath]
The cluster cert for the new member
Default value: undef
cluster_key
Data type: Optional[Stdlib::Unixpath]
The cluster key for the new member
Default value: undef
cluster_urls
Data type: Optional[Array[Stdlib::HTTPUrl]]
The cluster URLs for the new member
Default value: undef
peer_urls
Data type: Array[String, 1]
The peer URLs for the new member
k8s::server::tls::ca
Generates a TLS CA
Parameters
The following parameters are available in the k8s::server::tls::ca
defined type:
key
Data type: Stdlib::Unixpath
The path to the CA key
cert
Data type: Stdlib::Unixpath
The path to the CA certificate
ensure
Data type: K8s::Ensure
Whether the CA should be present or absent
Default value: present
subject
Data type: String[1]
The subject of the CA certificate
Default value: "/CN=${title}"
owner
Data type: String[1]
The owner of the CA key and certificate
Default value: 'root'
group
Data type: String[1]
The group of the CA key and certificate
Default value: 'root'
key_bits
Data type: Integer[512]
The number of bits in the CA key
Default value: 2048
valid_days
Data type: Integer[1]
The number of days the CA certificate is valid
Default value: 10000
generate
Data type: Boolean
Whether to generate the CA key and certificate
Default value: true
k8s::server::tls::cert
Generates and signs a TLS certificate
Parameters
The following parameters are available in the k8s::server::tls::cert
defined type:
addn_names
ca_cert
ca_key
cert
cert_path
config
csr
distinguished_name
ensure
extended_key_usage
group
key
key_bits
owner
valid_days
addn_names
Data type: K8s::TLS_altnames
The additional names for the certificate
Default value: []
ca_cert
Data type: Stdlib::Unixpath
The path to the CA certificate
ca_key
Data type: Stdlib::Unixpath
The path to the CA key
cert
Data type: Stdlib::Unixpath
The path to the certificate file
Default value: "${cert_path}/${title}.pem"
cert_path
Data type: Stdlib::Unixpath
The path to the directory where the certificate will be stored
config
Data type: Stdlib::Unixpath
The path to the OpenSSL config file
Default value: "${cert_path}/${title}.cnf"
csr
Data type: Stdlib::Unixpath
The path to the CSR file
Default value: "${cert_path}/${title}.csr"
distinguished_name
Data type: Hash[String, String]
The distinguished name for the certificate
ensure
Data type: K8s::Ensure
Whether the certificate should be present or absent
Default value: present
extended_key_usage
Data type: K8s::Extended_key_usage
The extended key usage for the certificate
Default value: ['clientAuth']
group
Data type: String[1]
The group of the certificate files
Default value: 'root'
key
Data type: Stdlib::Unixpath
The path to the key file
Default value: "${cert_path}/${title}.key"
key_bits
Data type: Integer[512]
The number of bits in the key
Default value: 2048
owner
Data type: String[1]
The owner of the certificate files
Default value: 'root'
valid_days
Data type: Integer[1]
The number of days the certificate should be valid
Default value: 10000
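Both k8s::server::tls::ca and k8s::server::tls::cert default to 2048-bit keys and a 10000-day validity (a little over 27 years), and k8s::server::tls::cert defaults extended_key_usage to ['clientAuth'] only. The manifest below is an added example, not code from the puppet-k8s module, declaring a dedicated CA and a server-facing certificate signed by it with shorter lifetimes and an explicit key usage. The directory /etc/kubernetes/pki-example, the resource titles, the organisation and the hostnames and IP in addn_names are constructed values, and addn_names is assumed to accept bare hostnames and IP addresses as K8s::TLS_altnames entries.

```puppet
# Added example (not part of the puppet-k8s module): a private CA plus one
# server certificate with a bounded lifetime and serverAuth usage.
# Directory, titles, organisation and alternative names are constructed.

$pki_dir = '/etc/kubernetes/pki-example'

file { $pki_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0700',   # the CA key lives here; keep the directory root-only
}

k8s::server::tls::ca { 'example-ca':
  key        => "${pki_dir}/ca.key",
  cert       => "${pki_dir}/ca.pem",
  subject    => '/CN=example-ca',
  key_bits   => 4096,   # above the 2048 default for a long-lived signing key
  valid_days => 3650,   # ten years instead of the 10000-day default
  generate   => true,
  require    => File[$pki_dir],
}

k8s::server::tls::cert { 'example-apiserver':
  ca_cert            => "${pki_dir}/ca.pem",
  ca_key             => "${pki_dir}/ca.key",
  cert_path          => $pki_dir,   # cert, key, csr and cnf default to ${cert_path}/${title}.*
  distinguished_name => {
    'CN' => 'example-apiserver',
    'O'  => 'example-org',   # constructed; Kubernetes maps O to a group, so avoid system:masters here
  },
  # clientAuth is the default; a certificate presented by a listener also needs serverAuth.
  extended_key_usage => ['serverAuth', 'clientAuth'],
  addn_names         => [
    'kubernetes',
    'kubernetes.default.svc',
    'api.example.internal',   # constructed
    '10.96.0.1',              # constructed service address
  ],
  key_bits           => 2048,
  valid_days         => 365,   # leaf certificates rotate yearly; the CA outlives them
  owner              => 'root',
  group              => 'root',
  require            => K8s::Server::Tls::Ca['example-ca'],
}
```

Keeping the CA lifetime long and the leaf lifetime short is the usual split: rotating a leaf only touches the one file pair, whereas rotating the CA means redistributing trust to every client. After the run, openssl x509 -in /etc/kubernetes/pki-example/example-apiserver.pem -noout -text should list both key usages and every entry from addn_names in the Subject Alternative Name extension.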
k8s::server::tls::k8s_sign
TODO - This should probably be done as a service next to the apiservers
Parameters
The following parameters are available in the k8s::server::tls::k8s_sign
defined type:
kubeconfig
Data type: Any
Path to the kubeconfig file
Default value: '/root/.kube/config'
Resource types
kubeconfig
Example:
Changelog
All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
v2.0.1 (2024-02-23)
Fixed bugs:
v2.0.0 (2024-02-21)
Breaking changes:
- Use a template string for the crictl download URL #83 (olavst-spk)
- Make cni_plugins download url configurable with a template string #82 (olavst-spk)
Implemented enhancements:
- Make Coredns config configurable #74 (rwaffen)
- Expose ensure param for container runtime package #73 (ananace)
Fixed bugs:
- Do not allow bootstrap tokens with a leading newline #80 (olavst-spk)
- Do not allow bootstrap tokens with a trailing newline #79 (olavst-spk)
- Fix RedHat urls #72 (GMZwinge)
Merged pull requests:
- update firewall resources to use jump instead of action; require puppetlabs/firewall 7.x #78 (rwaffen)
- Add parameter documentation to every class/define #76 (rwaffen)
v1.0.0 (2023-08-07)
Breaking changes:
- remove --container-runtime for k8s versions > 1.26 #65 (rwaffen)
- do more precisely naming #59 (rwaffen)
- Drop Puppet 6 support #53 (bastelfreak)
Implemented enhancements:
- all K8s::Server::Resources/Kubectl_apply fail on bootstrapping a new cluster #23
- Update ruby code to meet rubocops criteria #9
- [improvement] Use puppet-kmod module to handle Kernel modules #8
- [improvement] Use puppet-augeasproviders_sysctl module to handle sysctl configuration #7
- add possibility to use imagePullSecrets #62 (rwaffen)
- puppetlabs/stdlib: Allow 9.x #60 (bastelfreak)
- remove duplicate CRB and move SA to kube-proxy class #58 (rwaffen)
- Update container references to active registry #57 (ananace)
- make crictl download url dynamic #54 (rwaffen)
- refactor repo.pp - cleanup code, add case instead of if-blocks, remove old debian, only install needed repos #49 (rwaffen)
- update etcd installation #48 (rwaffen)
- use etcd cluster name also in apiserver to collect only the matching etcd cluster #46 (rwaffen)
- Handle file mode for kubeconfig files #42 (ananace)
- Improve bootstrap token handling #35 (ananace)
- Add a wait online class to improve the first-run experience #34 (ananace)
Fixed bugs:
- kubelet fails to start when updated to 1.27.x #64
- bootstrap token is sensitive, node_token is not #51
- etcd ca gets recreated on each run #37
- Expand use of Sensitive to match node tokens #52 (ananace)
- Fix unintentional CA recreation if missing serial #40 (ananace)
- Fix generated kube-proxy configmap #27 (ananace)
- prevent undef value if ipv6 is turned off, fail if no etcd_servers are defined #20 (rwaffen)
Closed issues:
- manage kube proxy parameter defaults and name differs between k8s and k8s::node #28
- Real world example / Documentation needed #18
Merged pull requests:
- puppet-lint: list optional parameters after mandatory parameters #69 (bastelfreak)
- Allow latest module dependencies #68 (bastelfreak)
- fix forgotten user and group values #41 (rwaffen)
- Revert "Include every IP address into a cert's SAN field" #39 (ananace)
- make user and group dynamic #38 (rwaffen)
- Update docu #33 (rwaffen)
- Include every IP address into a cert's SAN field #32 (jay7x)
- Some improvements to certificate generation #30 (ananace)
- Improve the kube-proxy management flag #29 (ananace)
- Split out managed resources into separate classes #26 (ananace)
- Use cascade=orphan for kubectl_apply resources when told to recreate #25 (ananace)
- add features #24 (rwaffen)
- Patching v3 #21 (rwaffen)
- add some patches to get this working #19 (rwaffen)
- Use herculesteam-augeasproviders_sysctl to manage sysctl settings #16 (SimonHoenscheid)
- Use puppet-kmod to manage kernel_modules #15 (SimonHoenscheid)
- Update names/documentation on type aliases #13 (ananace)
- fix rubocop complaints, activate rubocop again, add .rubocop_todo.yml #10 (SimonHoenscheid)
- Fix linting and add some type_aliases #5 (rwaffen)
- Add barebone documentation to missing places #4 (ananace)
- modulesync 5.4.0 #3 (ananace)
- Fixup tests to work with vox modulesync #2 (ananace)
- Add dual-stack support for DNS service configuration #1 (ananace)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppet-archive (>= 4.0.0 < 8.0.0)
- puppetlabs-stdlib (>= 5.0.0 < 10.0.0)
- puppet-kmod (>= 3.2.0 < 5.0.0)
- puppet-augeasproviders_sysctl (>= 3.0.0 < 4.0.0)
- puppet-systemd (>= 2.0.0 < 6.0.0)
- puppetlabs-firewall (>= 7.0.0 < 8.0.0)
- puppet-firewalld (>= 4.5.0 < 6.0.0)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License.

Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution.

You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions.

Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks.

This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty.

Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability.

In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability.

While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.