Puppet Class: k8s::node::kube_proxy

Defined in:
manifests/node/kube_proxy.pp

Summary

Sets up an on-node kube-proxy instance

Overview

For most use-cases, running kube-proxy inside the cluster itself is recommended

Parameters:

  • ensure (K8s::Ensure) (defaults to: $k8s::node::ensure)
  • control_plane_url (Stdlib::HTTPUrl) (defaults to: $k8s::node::control_plane_url)
  • config (Hash[String, Data]) (defaults to: {})
  • arguments (Hash[String, Data]) (defaults to: {})
  • puppetdb_discovery_tag (String) (defaults to: $k8s::node::puppetdb_discovery_tag)
  • cluster_cidr (K8s::CIDR) (defaults to: $k8s::cluster_cidr)
  • auth (K8s::Proxy_auth) (defaults to: $k8s::node::proxy_auth)
  • ca_cert (Optional[Stdlib::Unixpath]) (defaults to: $k8s::node::ca_cert)
  • cert (Optional[Stdlib::Unixpath]) (defaults to: $k8s::node::proxy_cert)
  • key (Optional[Stdlib::Unixpath]) (defaults to: $k8s::node::proxy_key)
  • token (Optional[Sensitive[String]]) (defaults to: $k8s::node::proxy_token)


# File 'manifests/node/kube_proxy.pp', line 4

# Manages kube-proxy as a host-level service on a node: the binary, an optional
# kubeconfig for API access, the KubeProxyConfiguration file and, for
# non-container packaging, the sysconfig file, systemd unit and service.
class k8s::node::kube_proxy (
  K8s::Ensure $ensure = $k8s::node::ensure,

  Stdlib::HTTPUrl $control_plane_url = $k8s::node::control_plane_url,

  # $config and $arguments are merged over the built-in values further down,
  # so a caller can replace any of them (including the config/kubeconfig paths).
  Hash[String, Data] $config     = {},
  Hash[String, Data] $arguments  = {},
  # Not referenced anywhere in this class body.
  String $puppetdb_discovery_tag = $k8s::node::puppetdb_discovery_tag,

  K8s::CIDR $cluster_cidr = $k8s::cluster_cidr,

  # Selects which credentials (if any) are written to the kubeconfig.
  K8s::Proxy_auth $auth = $k8s::node::proxy_auth,

  # For cert auth
  Optional[Stdlib::Unixpath] $ca_cert = $k8s::node::ca_cert,
  Optional[Stdlib::Unixpath] $cert    = $k8s::node::proxy_cert,
  Optional[Stdlib::Unixpath] $key     = $k8s::node::proxy_key,

  # For token and bootstrap auth
  Optional[Sensitive[String]] $token = $k8s::node::proxy_token,
) {
  assert_private()

  # With 'incluster' auth the proxy is expected to run as a cluster service, so
  # every resource below is set to absent unless packaging is 'container'.
  $_ensure = ($auth == 'incluster' and $k8s::packaging != 'container') ? {
    true    => absent,
    default => $ensure,
  }

  k8s::binary { 'kube-proxy':
    ensure => $_ensure,
  }

  $kubeconfig = '/srv/kubernetes/kube-proxy.kubeconf'

  # A kubeconfig is only written for 'token' and 'cert' auth; any other value
  # of $auth declares none.
  if $auth in ['token', 'cert'] {
    # The Sensitive wrapper is removed from the token here, so whether the
    # value is redacted in catalogs, logs and reports depends on the
    # kubeconfig type itself.
    # NOTE(review): confirm the type treats `token` as sensitive, and what it
    # writes when $token (or $cert/$key) is undef.
    $_credentials = $auth ? {
      'token' => { 'token' => $token.unwrap },
      default => { 'client_cert' => $cert, 'client_key' => $key },
    }

    # Only owner and group are passed; no file mode is set from this class.
    # NOTE(review): this file carries a bearer token or points at the client
    # key - confirm the kubeconfig type restricts its permissions.
    kubeconfig { $kubeconfig:
      ensure          => $_ensure,
      server          => $control_plane_url,
      ca_cert         => $ca_cert,
      current_context => 'default',
      owner           => $k8s::user,
      group           => $k8s::group,
      notify          => Service['kube-proxy'],
      *               => $_credentials,
    }
  }

  # Keys from $config win on collision (right-hand operand of the hash merge),
  # which includes apiVersion, kind and clusterCIDR.
  $config_hash = {
    'apiVersion'  => 'kubeproxy.config.k8s.io/v1alpha1',
    'kind'        => 'KubeProxyConfiguration',
    'clusterCIDR' => $cluster_cidr,
  } + $config

  # No mode is given, so permissions follow whatever file defaults apply.
  file { '/etc/kubernetes/kube-proxy.conf':
    ensure  => $_ensure,
    owner   => $k8s::user,
    group   => $k8s::group,
    content => to_yaml($config_hash),
    notify  => Service['kube-proxy'],
  }

  # Caller-supplied $arguments override the two built-in flags on collision.
  $_args = k8s::format_arguments({
      config     => '/etc/kubernetes/kube-proxy.conf',
      kubeconfig => $kubeconfig,
  } + $arguments)

  # Service['kube-proxy'] is declared only in this non-container branch.
  # NOTE(review): the notify targets above reference it unconditionally -
  # confirm something else declares it when packaging is 'container'.
  if $k8s::packaging != 'container' {
    $_sysconfig_path = pick($k8s::sysconfig_path, '/etc/sysconfig')
    $_sysconfig_file = "${_sysconfig_path}/kube-proxy"

    # The formatted arguments are joined with single spaces into one variable;
    # any quoting of values would have to come from k8s::format_arguments,
    # which is not visible here.
    file { $_sysconfig_file:
      ensure  => $_ensure,
      content => epp('k8s/sysconfig.epp', {
          comment               => 'Kubernetes kube-proxy configuration',
          environment_variables => {
            'KUBE_PROXY_ARGS' => $_args.join(' '),
          },
      }),
      notify  => Service['kube-proxy'],
    }

    systemd::unit_file { 'kube-proxy.service':
      ensure  => $_ensure,
      content => epp('k8s/service.epp', {
          name => 'kube-proxy',

          desc => 'Kubernetes Network Proxy',
          doc  => 'https://github.com/GoogleCloudPlatform/kubernetes',
          bin  => 'kube-proxy',
      }),
      require => [
        File[$_sysconfig_file],
        User[$k8s::user],
      ],
      notify  => Service['kube-proxy'],
    }

    # Restarted on binary changes via subscribe; enabled only when present.
    service { 'kube-proxy':
      ensure    => stdlib::ensure($_ensure, 'service'),
      enable    => $_ensure == 'present',
      subscribe => K8s::Binary['kube-proxy'],
    }
  }
}