Yuvipanda has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/343790 )
Change subject: tools: Use k8s master profile in role ...................................................................... tools: Use k8s master profile in role Bug: T158452 Change-Id: I152c9135bbc37882d586cc80781bea4916df2bf0 --- M hieradata/role/common/kubernetes/master.yaml M modules/profile/manifests/kubernetes/master.pp M modules/role/manifests/toollabs/k8s/master.pp 3 files changed, 35 insertions(+), 38 deletions(-) Approvals: Yuvipanda: Verified; Looks good to me, approved
diff --git a/hieradata/role/common/kubernetes/master.yaml b/hieradata/role/common/kubernetes/master.yaml
index ad3d19a..2b7a66c 100644
--- a/hieradata/role/common/kubernetes/master.yaml
+++ b/hieradata/role/common/kubernetes/master.yaml
@@ -7,7 +7,7 @@
 - https://etcd1002.eqiad.wmnet:2379
 - https://etcd1003.eqiad.wmnet:2379
 profile::kubernetes::master::docker_registry: darmstadtium.eqiad.wmnet
-profile::kubernetes::master::kubenodes:
+profile::kubernetes::master::accessible_to:
 - kubernetes1001.eqiad.wmnet
 - kubernetes1002.eqiad.wmnet
 - kubernetes1003.eqiad.wmnet
diff --git a/modules/profile/manifests/kubernetes/master.pp b/modules/profile/manifests/kubernetes/master.pp
index adbaafe..34ccadd 100644
--- a/modules/profile/manifests/kubernetes/master.pp
+++ b/modules/profile/manifests/kubernetes/master.pp
@@ -1,11 +1,13 @@
 class profile::kubernetes::master(
 $etcd_urls=hiera('profile::kubernetes::master::etcd_urls'),
- $kubenodes=hiera('profile::kubernetes::master::kubenodes'),
+ # List of hosts this is accessible to.
+ # SPECIAL VALUE: use 'all' to have this port be open to the world
+ $accessible_to=hiera('profile::kubernetes::master::accessible_to'),
 $docker_registry=hiera('profile::kubernetes::master::docker_registry'),
 $service_cluster_ip_range=hiera('profile::kubernetes::master::service_cluster_ip_range'),
 $apiserver_count=hiera('profile::kubernetes::master::apiserver_count'),
 $admission_controllers=hiera('profile::kubernetes::master::admission_controllers'),
- $expose_puppet_certs=hiera('profile::kubernetes::master::use_puppet_certs'),
+ $expose_puppet_certs=hiera('profile::kubernetes::master::expose_puppet_certs'),
 $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $authz_mode=hiera('profile::kubernetes::master::authz_mode'),
@@ -38,12 +40,18 @@
 class { '::k8s::scheduler': use_package => true }
 class { '::k8s::controller': use_package => true }
- $kubenodes_ferm = join($kubenodes, ' ')
+
+ if $accessible_to == 'all' {
+ $accessible_range = undef
+ } else {
+ $accessible_to_ferm = join($accesible_to, ' ')
+ $accessible_range = "(@resolve((${accessible_to_ferm})))"
+ }
 ferm::service { 'apiserver-https':
 proto => 'tcp',
 port => '6443',
- srange => "(@resolve((${kubenodes_ferm})))",
+ srange => $accessible_to_range,
 }
 diamond::collector { 'Kubernetes':
diff --git a/modules/role/manifests/toollabs/k8s/master.pp b/modules/role/manifests/toollabs/k8s/master.pp
index 109cec7..5c39038 100644
--- a/modules/role/manifests/toollabs/k8s/master.pp
+++ b/modules/role/manifests/toollabs/k8s/master.pp
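Review bot: The new `$accessible_to` comment names the 'all' sentinel but not its consequence: with 'all' the ferm rule carries no `srange`, so port 6443 is reachable from any source and the apiserver's own TLS and authorization are the only access control, while any other value is a list of hostnames that ferm's `@resolve` turns into addresses when the rule is generated. Suggest spelling that out, e.g. `# List of hostnames (resolved by ferm) allowed to reach the apiserver on 6443.` followed by `# SPECIAL VALUE: 'all' drops the source restriction entirely; only the apiserver's TLS + authz then protect the port.` Unrelated to this change but visible in the context here, `$ssl_key_path` is looked up under the `profile::kubernetes::master::ssl_cert_path` hiera key rather than a key-path key, which looks like a copy-paste slip worth fixing while the lookups are being renamed. The class parameter list continues past the end of the hunk.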
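Review bot: The non-'all' branch does not work as written: `join($accesible_to, ' ')` misspells the parameter, and the `ferm::service` passes `srange => $accessible_to_range` while the branch assigns `$accessible_range`. Depending on the master's strict-variables setting this either fails catalog compilation for every host that sets a host list (the production masters in the hieradata hunk do), or, on a non-strict master, silently passes undef and opens 6443 to every source regardless of what hiera says, which is the opposite of what the restriction is for. Two lines change: `$accessible_to_ferm = join($accessible_to, ' ')` in the else branch and `srange => $accessible_range,` in the `ferm::service`. The 'all' path used by toollabs masks both typos, so this needs a compile check against a host with a real list. The class body continues beyond the hunk.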
@@ -6,18 +6,9 @@
 include ::toollabs::infrastructure
 $master_host = hiera('k8s::master_host', $::fqdn)
- $etcd_url = join(prefix(suffix(hiera('k8s::etcd_hosts'), ':2379'), 'https://'), ',')
+ $etcd_url = prefix(suffix(hiera('k8s::etcd_hosts'), ':2379'), 'https://')
 if $use_puppet_certs {
- # Do not explicitly set a before here, since it
- # seems to make puppet think there's a circular
- # dependency cycle?!
- base::expose_puppet_certs { '/etc/kubernetes':
- provide_private => true,
- user => 'kubernetes',
- group => 'kubernetes',
- }
-
 $ssl_cert_path = '/etc/kubernetes/ssl/cert.pem'
 $ssl_key_path = '/etc/kubernetes/ssl/server.key'
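Review bot: After dropping the outer `join(..., ',')`, `$etcd_url` now holds an array of URLs but keeps a singular name that reads as a string at the call site; renaming it `$etcd_urls = prefix(suffix(hiera('k8s::etcd_hosts'), ':2379'), 'https://')` would match the profile parameter it feeds and make the type change visible. With `base::expose_puppet_certs` removed from the role, the hard-coded `/etc/kubernetes/ssl/cert.pem` and `/etc/kubernetes/ssl/server.key` paths must now match wherever the profile writes the certificates when `expose_puppet_certs` is true; that cannot be confirmed from this hunk, so a comment such as `# Paths must match where profile::kubernetes::master exposes the puppet certs` would protect the next reader. `$use_puppet_certs` is defined above the hunk.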
@@ -31,38 +22,36 @@
 $ssl_key_path = "/etc/ssl/private/${ssl_certificate_name}.key"
 }
- class { '::k8s::apiserver':
- etcd_servers => $etcd_url,
- use_package => true,
- docker_registry => hiera('docker::registry'),
- host_automounts => ['/var/run/nslcd/socket'],
+ class { '::profile::kubernetes::master':
+ etcd_urls => $etcd_url,
+ service_cluster_ip_range => '192.168.0.0/17',
+ apiserver_count => 1,
+ accessible_to => 'all',
+ expose_puppet_certs => $use_puppet_certs,
 ssl_cert_path => $ssl_cert_path,
 ssl_key_path => $ssl_key_path,
 host_path_prefixes_allowed => [
 '/data/project/',
- '/data/scratch/',
 '/public/dumps/',
+ '/data/scratch/',
+ ],
+ docker_registry => hiera('docker::registry'),
+ host_automounts => [
+ '/var/run/nslcd/socket',
+ ],
+ authz_mode => 'abac',
+ admission_controllers => [
+ 'NamespaceLifecycle',
+ 'ResourceQuota',
+ 'LimitRanger',
+ 'UidEnforcer',
+ 'RegistryEnforcer',
+ 'HostAutomounter',
+ 'HostPathEnforcer',
 ],
 }
 class { '::toollabs::maintain_kubeusers':
 k8s_master => $master_host,
- }
-
- class { '::k8s::scheduler':
- use_package => true,
- }
-
- class { '::k8s::controller':
- use_package => true,
- }
-
- ferm::service { 'apiserver-https':
- proto => 'tcp',
- port => '6443',
- }
-
- diamond::collector { 'Kubernetes':
- source => 'puppet:///modules/diamond/collector/kubernetes.py',
 }
 }
--
To view, visit https://gerrit.wikimedia.org/r/343790 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I152c9135bbc37882d586cc80781bea4916df2bf0 Gerrit-PatchSet: 4 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
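Review bot: `accessible_to => 'all'` is a security decision hard-coded into the role with no explanation: it removes any source restriction on the apiserver port, so tool users and anyone else who can route to the host rely solely on the TLS and `abac` authorization configured a few lines below. The removed role-level `ferm::service` had no `srange` either, so the exposure is unchanged, but the reason belongs next to the value, e.g. `# 'all': no ferm source filter on 6443 (as before); TLS client certs + abac are the access control`. The other literals here (`service_cluster_ip_range`, `apiserver_count => 1`) are fixed in the role while the profile otherwise takes its values from `profile::kubernetes::master::*` hiera keys; moving them to toollabs hieradata would keep both callers configured the same way. The enclosing role class ends within the hunk.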