Unmanaged tls

REFERENCE.md

@@ -1004,6 +1004,8 @@ Sets up a Kubernetes server instance
 
 The following parameters are available in the `k8s::server` class:
 
+* [`admin_cert`](#-k8s--server--admin_cert)
+* [`admin_key`](#-k8s--server--admin_key)
 * [`aggregator_ca_cert`](#-k8s--server--aggregator_ca_cert)
 * [`aggregator_ca_key`](#-k8s--server--aggregator_ca_key)
 * [`api_port`](#-k8s--server--api_port)
@@ -1031,6 +1033,22 @@ The following parameters are available in the `k8s::server` class:
 * [`node_on_server`](#-k8s--server--node_on_server)
 * [`puppetdb_discovery_tag`](#-k8s--server--puppetdb_discovery_tag)
 
+##### <a name="-k8s--server--admin_cert"></a>`admin_cert`
+
+Data type: `Stdlib::Unixpath`
+
+path to the admin cert
+
+Default value: `"${cert_path}/admin.pem"`
+
+##### <a name="-k8s--server--admin_key"></a>`admin_key`
+
+Data type: `Stdlib::Unixpath`
+
+path to the admin key
+
+Default value: `"${cert_path}/admin.key"`
+
 ##### <a name="-k8s--server--aggregator_ca_cert"></a>`aggregator_ca_cert`
 
 Data type: `Stdlib::Unixpath`

manifests/server.pp

@@ -1,5 +1,7 @@
 # @summary Sets up a Kubernetes server instance
 #
+# @param admin_cert path to the admin cert
+# @param admin_key path to the admin key
 # @param aggregator_ca_cert path to the aggregator ca cert
 # @param aggregator_ca_key path to the aggregator ca key
 # @param api_port Cluster API port
@@ -42,6 +44,8 @@
   Stdlib::Unixpath $ca_cert            = "${cert_path}/ca.pem",
   Stdlib::Unixpath $aggregator_ca_key  = "${cert_path}/aggregator-ca.key",
   Stdlib::Unixpath $aggregator_ca_cert = "${cert_path}/aggregator-ca.pem",
+  Stdlib::Unixpath $admin_cert         = "${cert_path}/admin.pem",
+  Stdlib::Unixpath $admin_key          = "${cert_path}/admin.key",
 
   Boolean $generate_ca              = false,
   Boolean $manage_etcd              = $k8s::manage_etcd,
@@ -126,23 +130,29 @@
     current_context => 'default',
 
     ca_cert         => $ca_cert,
-    client_cert     => "${cert_path}/admin.pem",
-    client_key      => "${cert_path}/admin.key",
+    client_cert     => $admin_cert,
+    client_key      => $admin_key,
   }
 
   if $node_on_server {
-    $_dir = $k8s::server::tls::cert_path
-
-    class { 'k8s::node':
-      ensure            => $ensure,
-      control_plane_url => "https://localhost:${api_port}",
-      node_auth         => 'cert',
-      proxy_auth        => 'cert',
-      ca_cert           => $ca_cert,
-      node_cert         => "${_dir}/node.pem",
-      node_key          => "${_dir}/node.key",
-      proxy_cert        => "${_dir}/kube-proxy.pem",
-      proxy_key         => "${_dir}/kube-proxy.key",
+    if $manage_certs {
+      $_dir = $k8s::server::tls::cert_path
+
+      class { 'k8s::node':
+        ensure            => $ensure,
+        control_plane_url => "https://localhost:${api_port}",
+        node_auth         => 'cert',
+        proxy_auth        => 'cert',
+        ca_cert           => $ca_cert,
+        node_cert         => "${_dir}/node.pem",
+        node_key          => "${_dir}/node.key",
+        proxy_cert        => "${_dir}/kube-proxy.pem",
+        proxy_key         => "${_dir}/kube-proxy.key",
+      }
+    } else {
+      class { 'k8s::node':
+        ensure => $ensure,
+      }
     }
   }
 }

manifests/server/apiserver.pp

@@ -40,7 +40,7 @@
   Boolean $discover_etcd_servers                 = $k8s::puppetdb_discovery,
   Boolean $manage_firewall                       = $k8s::server::manage_firewall,
   String[1] $puppetdb_discovery_tag              = $k8s::server::puppetdb_discovery_tag,
-  Stdlib::Unixpath $cert_path              = $k8s::server::tls::cert_path,
+  Optional[Stdlib::Unixpath] $cert_path          = $k8s::server::tls::cert_path,
   Stdlib::Unixpath $ca_cert                = $k8s::server::tls::ca_cert,
   Stdlib::Unixpath $aggregator_ca_cert     = $k8s::server::tls::aggregator_ca_cert,
   Stdlib::Unixpath $serviceaccount_public  = "${cert_path}/service-account.pub",

manifests/server/controller_manager.pp

@@ -4,6 +4,8 @@
 # @param arguments Additional arguments to pass to the controller manager.
 # @param ca_cert The path to the CA certificate.
 # @param ca_key The path to the CA key.
+# @param ca_sign_cert The path to the CA signing certificate.
+# @param ca_sign_key The path to the CA signing key.
 # @param cert The path to the controller manager certificate.
 # @param cert_path The path to the TLS certificates.
 # @param cluster_cidr The CIDR of the cluster.
@@ -13,6 +15,7 @@
 # @param control_plane_url The URL of the Kubernetes API server.
 # @param ensure Whether the controller manager should be configured.
 # @param key The path to the controller manager key.
+# @param sa_key The path to the service account key.
 # @param service_cluster_cidr The CIDR of the service cluster.
 #
 class k8s::server::controller_manager (
@@ -25,11 +28,14 @@
   K8s::CIDR $service_cluster_cidr = $k8s::service_cluster_cidr,
   K8s::CIDR $cluster_cidr         = $k8s::cluster_cidr,
 
-  Stdlib::Unixpath $cert_path = $k8s::server::tls::cert_path,
-  Stdlib::Unixpath $ca_cert   = $k8s::server::tls::ca_cert,
-  Stdlib::Unixpath $ca_key    = $k8s::server::tls::ca_key,
-  Stdlib::Unixpath $cert      = "${cert_path}/kube-controller-manager.pem",
-  Stdlib::Unixpath $key       = "${cert_path}/kube-controller-manager.key",
+  Optional[Stdlib::Unixpath] $cert_path = $k8s::server::tls::cert_path,
+  Stdlib::Unixpath $ca_sign_cert        = $k8s::server::tls::ca_cert,
+  Stdlib::Unixpath $ca_sign_key         = $k8s::server::tls::ca_key,
+  Stdlib::Unixpath $ca_cert             = $k8s::server::tls::ca_cert,
+  Stdlib::Unixpath $ca_key              = $k8s::server::tls::ca_key,
+  Stdlib::Unixpath $cert                = "${cert_path}/kube-controller-manager.pem",
+  Stdlib::Unixpath $key                 = "${cert_path}/kube-controller-manager.key",
+  Stdlib::Unixpath $sa_key              = "${cert_path}/service-account.key",
 
   String[1] $container_registry            = $k8s::container_registry,
   String[1] $container_image               = 'kube-controller-manager',
@@ -61,11 +67,11 @@
       ],
       cluster_cidr                     => $cluster_cidr,
       service_cluster_ip_range         => $service_cluster_cidr,
-      cluster_signing_cert_file        => $ca_cert,
-      cluster_signing_key_file         => $ca_key,
+      cluster_signing_cert_file        => $ca_sign_cert,
+      cluster_signing_key_file         => $ca_sign_key,
       leader_elect                     => true,
       root_ca_file                     => $ca_cert,
-      service_account_private_key_file => "${cert_path}/service-account.key",
+      service_account_private_key_file => $sa_key,
   } + $_addn_args + $arguments)
 
   if $k8s::packaging == 'container' {

manifests/server/resources.pp

@@ -35,7 +35,7 @@
 
   K8s::CIDR $cluster_cidr                = $k8s::server::cluster_cidr,
   K8s::IP_addresses $dns_service_address = $k8s::server::dns_service_address,
-  Stdlib::Unixpath $ca_cert              = $k8s::server::tls::ca_cert,
+  Optional[Stdlib::Unixpath] $ca_cert    = $k8s::server::tls::ca_cert,
   String[1] $cluster_domain              = $k8s::server::cluster_domain,
   String[1] $control_plane_url           = $k8s::server::control_plane_url,
 

manifests/server/scheduler.pp

@@ -19,10 +19,10 @@
 
   Hash[String, Data] $arguments = {},
 
-  Stdlib::Unixpath $cert_path = $k8s::server::tls::cert_path,
-  Stdlib::Unixpath $ca_cert   = $k8s::server::tls::ca_cert,
-  Stdlib::Unixpath $cert      = "${cert_path}/kube-scheduler.pem",
-  Stdlib::Unixpath $key       = "${cert_path}/kube-scheduler.key",
+  Optional[Stdlib::Unixpath] $cert_path = $k8s::server::tls::cert_path,
+  Stdlib::Unixpath $ca_cert             = $k8s::server::tls::ca_cert,
+  Stdlib::Unixpath $cert                = "${cert_path}/kube-scheduler.pem",
+  Stdlib::Unixpath $key                 = "${cert_path}/kube-scheduler.key",
 
   String[1] $container_registry            = $k8s::container_registry,
   String[1] $container_image               = 'kube-scheduler',