diff --git a/facts.d/has_microk8s.sh b/facts.d/has_microk8s.sh
index f299a1de0..cc23332d9 100755
--- a/facts.d/has_microk8s.sh
+++ b/facts.d/has_microk8s.sh
@@ -1,6 +1,10 @@
 #!/bin/sh
-
-if [ -f /snap/bin/microk8s ]; then
+if [ -e /var/snap/microk8s/current/var/lock/clustered.lock ]; then
+ echo 'microk8s_role=worker'
+ echo 'microk8s=yes'
+ echo 'microk8s_peers=unknown'
+elif [ -f /snap/bin/microk8s ]; then
+ echo 'microk8s_role=controller'
 echo 'microk8s=yes'
 modules=$(/snap/bin/microk8s status --format short)
 for module in dns ha-cluster openebs traefik; do
@@ -32,4 +36,5 @@ else
 echo 'microk8s_peers=unknown'
 echo 'microk8s_rbac=no'
 echo 'microk8s_traefik=no'
+ echo 'microk8s_role=none'
 fi
diff --git a/manifests/microk8s/node.pp b/manifests/microk8s/node.pp
index ecb03ce44..51a7fb8a7 100644
--- a/manifests/microk8s/node.pp
+++ b/manifests/microk8s/node.pp
@@ -10,7 +10,7 @@
 include sunet::packages::snapd
 $hiera_peers = lookup('microk8s_peers', undef, undef, [])
 
- if $facts['hostname'] =~ /(^kubew|k8sw-)[0-9]/ {
+ if $facts['microk8s_role'] == 'worker' {
 $type = 'worker'
 } else {
 $type = 'controller'
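Review bot: The new worker branch decides the role from the presence of `clustered.lock` alone and never checks that `/snap/bin/microk8s` exists, so a lock file left behind after the snap is removed would still report `microk8s=yes` and `microk8s_role=worker`; tightening it to `if [ -f /snap/bin/microk8s ] && [ -e /var/snap/microk8s/current/var/lock/clustered.lock ]; then` keeps it consistent with the `elif` below. The worker branch also emits only three facts, while the `else` branch in the next hunk emits `microk8s_rbac=no` and `microk8s_traefik=no` as well, so those facts will be undefined on workers and any manifest that reads them gets undef there. A short comment above the branch saying what the lock file signals (presumably that the node has joined a cluster as a worker — confirm against microk8s) would help, since the path is otherwise opaque. The controller branch continues past the end of the hunk.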
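Review bot: Every value of `microk8s_role` other than `'worker'` — including `'none'` from the fact script before microk8s is installed or joined, and the fact being absent altogether — makes the node a `'controller'`, and a later hunk in this file opens `$public_controller_ports` from `'any'` on controllers. A worker that has not yet joined (no `clustered.lock` yet) is therefore firewalled as a controller on its first runs, and a broken or undeployed fact script silently produces the same result. Consider matching the fact explicitly, e.g. `if $facts['microk8s_role'] == 'worker' { $type = 'worker' } elsif $facts['microk8s_role'] == 'controller' { $type = 'controller' } else { warning('microk8s_role fact missing or none, assuming controller'); $type = 'controller' }`, so the fail-open default is at least visible in the log; a `fail()` would block fresh installs, since `'none'` is what a new host reports. The surrounding class body extends beyond the hunk.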
@@ -20,35 +20,33 @@
 $final_peers = $peers
 } elsif $hiera_peers != [] {
 $final_peers = $hiera_peers
+ }
+ elsif $facts['configured_hosts_in_cosmos']['sunet::microk8s::node'] != [] {
+ $final_peers = $facts['configured_hosts_in_cosmos']['sunet::microk8s::node']
 } else {
- $final_peers = map(split($facts['microk8s_peers'], ',')) | String $peer| {
- $peer_ip = $facts[join(['microk8s_peer_', $peer])]
- "${peer_ip} ${peer}"
- }
+ warning('Unable to figure out our peers, leaving BROKEN firewalls')
 }
- # Loop through peers and do things that require their ip:s
- $final_peers.each | String $peer_tuple| {
- $peer_ip = split($peer_tuple, ' ')[0]
- $peer = split($peer_tuple, ' ')[1]
- unless $peer == 'unknown' or $peer_ip == $facts['ipaddress'] {
- file_line { "hosts_${peer}":
- path => '/etc/hosts',
- line => "${peer_ip} ${peer}",
+ notice('microk8s peers: ',$final_peers)
+ $public_controller_ports = [8080, 8443, 16443]
+ $private_controller_ports = [10250, 10255, 25000, 12379, 10257, 10259, 19001]
+ $private_worker_ports = [10250, 10255, 16443, 25000, 12379, 10257, 10259, 19001]
+ # Loop through peers and do things that require their ip:s
+ $final_peers.each | String $peer| {
+ $peer_ip = dns_lookup($peer)
+ unless $peer == 'unknown' or $facts['ipaddress'] in $peer_ip {
+ $peer_ip.each | String $ip | {
+ file_line { "hosts_${peer}_${ip}":
+ path => '/etc/hosts',
+ line => "${ip} ${peer}",
+ }
 }
 }
- $public_controller_ports = [8080, 8443, 16443]
- $private_controller_ports = [10250, 10255, 25000, 12379, 10257, 10259, 19001]
- $private_worker_ports = [10250, 10255, 16443, 25000, 12379, 10257, 10259, 19001]
 if $::facts['sunet_nftables_enabled'] == 'yes' {
 if $type == 'controller' {
 sunet::nftables::allow { "nft_${peer}_private":
 port => $private_controller_ports,
 from => $peer_ip,
 }
- sunet::nftables::allow { "nft_${peer}_public":
- port => $public_controller_ports,
- from => 'any',
- }
 } else {
 sunet::nftables::allow { "nft_${peer}_private":
 port => $private_worker_ports,
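Review bot: The final `else` branch only emits a warning and leaves `$final_peers` unassigned, so the `$final_peers.each` a few lines below is called on undef and the catalog most likely fails to compile instead of applying with the "BROKEN firewalls" the message promises; adding `$final_peers = []` to that branch makes the warning the actual outcome. The addresses that feed `from => $peer_ip` now come from `dns_lookup($peer)` (a project function not visible here, presumably resolved on the Puppet server at compile time) instead of the old `microk8s_peer_*` facts, which means the private ports such as 10250 and 19001 are opened to whatever DNS answers — a stale or spoofed record widens the allow list — so a comment stating that trust, and ideally a check that each address is in an expected range, is worth adding. The self-exclusion `$facts['ipaddress'] in $peer_ip` compares only the legacy IPv4 fact, so if `dns_lookup` also returns this host's IPv6 address the node will add its own address to `/etc/hosts` and its own allow rule — probably harmless, but worth confirming. `notice('microk8s peers: ',$final_peers)` lacks the space after the comma used in the `lookup(...)` calls elsewhere in this file.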
@@ -62,14 +60,10 @@
 }
 } else {
 if $type == 'controller' {
- sunet::misc::ufw_allow {"nft_${peer}_private":
+ sunet::misc::ufw_allow { "nft_${peer}_private":
 port => $private_controller_ports,
 from => $peer_ip,
 }
- sunet::misc::ufw_allow { "nft_${peer}_public":
- port => $public_controller_ports,
- from => 'any',
- }
 } else {
 sunet::misc::ufw_allow { "nft_${peer}_private":
 port => $private_worker_ports,
@@ -83,6 +77,22 @@
 }
 }
 }
+ if $::facts['sunet_nftables_enabled'] == 'yes' {
+ if $type == 'controller' {
+ sunet::nftables::allow { 'nft_public':
+ port => $public_controller_ports,
+ from => 'any',
+ }
+ }
+ }
+ else {
+ if $type == 'controller' {
+ sunet::misc::ufw_allow { 'nft_public':
+ port => $public_controller_ports,
+ from => 'any',
+ }
+ }
+ }
 if $::facts['sunet_nftables_enabled'] == 'yes' {
 file { '/etc/nftables/conf.d/500-microk8s-rules.nft':
 ensure => file,
@@ -161,8 +171,8 @@
 }
 $namespaces = lookup('microk8s_secrets', undef, undef, {})
 $namespaces.each |String $namespace, Hash $secrets| {
- $secrets.each |String $name, Array $secret| {
- set_microk8s_secret($namespace, $name, $secret)
+ $secrets.each |String $name, Array $secret| {
+ set_microk8s_secret($namespace, $name, $secret)
 }
 }
 }
diff --git a/templates/microk8s/500-microk8s-rules.nft.erb b/templates/microk8s/500-microk8s-rules.nft.erb
index 01fdb5fc8..af31f52c5 100644
--- a/templates/microk8s/500-microk8s-rules.nft.erb
+++ b/templates/microk8s/500-microk8s-rules.nft.erb
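Review bot: The new `'nft_public'` resources open 8080, 8443 and 16443 from `'any'` on every controller without a note on why each port has to be world-reachable, and 16443 also appears in `$private_worker_ports` as a peer-only port, so a comment above this block would help the next reader, e.g. `# World-reachable on controllers: 16443 (API server), 8080/8443 (ingress) — confirm against the cluster config`. The `}` followed by `else {` on its own line differs from the `} else {` form used in the rest of this file; `} else {` keeps it consistent. The block sits inside the class body, which continues beyond the hunk.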
@@ -1,22 +1,6 @@
-table ip filter {
- chain OUTPUT {
- oifname "vxlan.calico" counter packets 0 bytes 0 accept
- }
- chain INPUT {
- iifname "vxlan.calico" counter packets 0 bytes 0 accept
- }
- chain FORWARD {
- type filter hook forward priority filter; policy accept;
- }
-}
-table ip6 filter {
- chain OUTPUT {
- oifname "vxlan.calico" counter packets 0 bytes 0 accept
- }
- chain INPUT {
- iifname "vxlan.calico" counter packets 0 bytes 0 accept
- }
- chain FORWARD {
- type filter hook forward priority filter; policy accept;
- }
-}
+add rule inet filter input iifname "vxlan.calico" counter accept
+add rule inet filter forward iifname "vxlan.calico" counter accept
+add rule inet filter forward iifname "cali*" counter accept
+add rule inet filter forward oifname "cali*" counter accept
+add rule inet filter forward ip saddr 10.1.0.0/16 counter accept
+add rule inet filter forward ip daddr 10.1.0.0/16 counter accept
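Review bot: The last two rules accept forwarded traffic by address alone — `ip saddr 10.1.0.0/16` and `ip daddr 10.1.0.0/16` with no interface or `ct state` match — so a packet arriving on an external interface with a spoofed source in that range, or any outside host that can route to that range, is forwarded into the pod network; the `cali*` rules above already cover pod-originated traffic and its return path on the local node, so the address rules seem to exist for the vxlan egress side and could be bound to it instead, e.g. `add rule inet filter forward oifname "vxlan.calico" counter accept` in place of the `ip daddr` rule, or gated with `ct state established,related`. The 10.1.0.0/16 pod CIDR is hard-coded in an ERB template where it could be a variable, and nothing here covers IPv6 pod traffic if that is in use — confirm against the cluster's CIDR settings. The new file also assumes an `inet filter` table with `input` and `forward` chains already exists, which the old template declared itself; presumably the base nftables config provides it, but a comment at the top stating that dependency would help.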