KubeZero/charts/kubeadm/templates/ClusterConfiguration.yaml

apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.global.clusterName }}
#featureGates:
#  NonGracefulFailover: true
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
  podSubnet: 10.244.0.0/16
etcd:
  local:
    # imageTag: 3.5.12-0
    extraArgs:
      - name: advertise-client-urls
        value: https://{{ .Values.etcd.nodeName }}:2379
      - name: initial-advertise-peer-urls
        value: https://{{ .Values.etcd.nodeName }}:2380
      - name: initial-cluster
        value: {{ include "kubeadm.etcd.initialCluster" .Values.etcd | quote }}
      - name: initial-cluster-state
        value: {{ .Values.etcd.state }}
      - name: initial-cluster-token
        value: etcd-{{ .Values.global.clusterName }}
      - name: name
        value: {{ .Values.etcd.nodeName }}
      - name: listen-peer-urls
        value: https://{{ .Values.listenAddress }}:2380
      - name: listen-client-urls
        value: https://{{ .Values.listenAddress }}:2379
      - name: listen-metrics-urls
        value: http://0.0.0.0:2381
      - name: logger
        value: zap
      - name: log-level
        value: warn
      ### DNS discovery
      #- name: discovery-srv
      #  value: {{ .Values.domain }}
      #- name: discovery-srv-name
      #  value: {{ .Values.global.clusterName }}
      {{- with .Values.etcd.extraArgs }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    serverCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
    peerCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
controllerManager:
  extraArgs:
    - name: profiling
      value: "false"
    - name: terminated-pod-gc-threshold
      value: "300"
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
scheduler:
  extraArgs:
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    - name: profiling
      value: "false"
apiServer:
  certSANs:
  -  {{ regexSplit ":" .Values.api.endpoint -1 | first }}
  extraArgs:
    - name: profiling
      value: "false"
    - name: etcd-servers
      value: {{ .Values.api.etcdServers }}
    - name: audit-log-path
      value: /var/log/kubernetes/audit.log
    - name: audit-policy-file
      value: /etc/kubernetes/apiserver/audit-policy.yaml
    - name: audit-log-maxage
      value: "7"
    - name: audit-log-maxsize
      value: "100"
    - name: audit-log-maxbackup
      value: "1"
    - name: audit-log-compress
      value: "true"
    {{- if .Values.api.falco.enabled }}
    - name: audit-webhook-config-file
      value: /etc/kubernetes/apiserver/audit-webhook.yaml
    {{- end }}
    - name: tls-cipher-suites
      value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - name: admission-control-config-file
      value: /etc/kubernetes/apiserver/admission-configuration.yaml
    - name: api-audiences
      value: {{ .Values.api.apiAudiences }}
    {{- if .Values.api.serviceAccountIssuer }}
    - name: service-account-issuer
      value: "{{ .Values.api.serviceAccountIssuer }}"
    - name: service-account-jwks-uri
      value: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
    {{- end }}
    {{- if .Values.api.awsIamAuth }}
    - name: authentication-token-webhook-config-file
      value: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
    - name: authentication-token-webhook-cache-ttl
      value: 3600s
    - name: authentication-token-webhook-version
      value: v1
    {{- end }}
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    - name: authorization-config
      value: /etc/kubernetes/apiserver/authz-config.yaml
    - name: enable-admission-plugins
      value: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration
    {{- if .Values.global.highAvailable }}
    - name: goaway-chance
      value: ".001"
    {{- end }}
    - name: logging-format
      value: json
    {{- with .Values.api.extraArgs }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  extraVolumes:
  - name: kubezero-apiserver
    hostPath: /etc/kubernetes/apiserver
    mountPath: /etc/kubernetes/apiserver
    readOnly: true
    pathType: DirectoryOrCreate
  - name: audit-log
    hostPath: /var/log/kubernetes
    mountPath: /var/log/kubernetes
    pathType: DirectoryOrCreate
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`apiVersion: kubeadm.k8s.io/v1beta4`
Remove stable repo 2021-01-03 15:33:13 +00:00			`kind: ClusterConfiguration`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`kubernetesVersion: {{ .Chart.Version }}`
feat: bootstrap / upgrade reorg as part of 1.23 2022-09-11 11:54:56 +00:00			`clusterName: {{ .Values.global.clusterName }}`
feat: first working v1.30 base 2024-10-16 11:20:20 +00:00			`#featureGates:`
feat: v1.24 alpha 2022-10-27 12:27:42 +00:00			`# NonGracefulFailover: true`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`controlPlaneEndpoint: {{ .Values.api.endpoint }}`
Remove stable repo 2021-01-03 15:33:13 +00:00			`networking:`
			`podSubnet: 10.244.0.0/16`
			`etcd:`
			`local:`
Feat: first WIP of v1.28 2024-03-21 13:00:50 +00:00			`# imageTag: 3.5.12-0`
Remove stable repo 2021-01-03 15:33:13 +00:00			`extraArgs:`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: advertise-client-urls`
			`value: https://{{ .Values.etcd.nodeName }}:2379`
			`- name: initial-advertise-peer-urls`
			`value: https://{{ .Values.etcd.nodeName }}:2380`
			`- name: initial-cluster`
			`value: {{ include "kubeadm.etcd.initialCluster" .Values.etcd \| quote }}`
			`- name: initial-cluster-state`
			`value: {{ .Values.etcd.state }}`
			`- name: initial-cluster-token`
			`value: etcd-{{ .Values.global.clusterName }}`
			`- name: name`
			`value: {{ .Values.etcd.nodeName }}`
			`- name: listen-peer-urls`
			`value: https://{{ .Values.listenAddress }}:2380`
			`- name: listen-client-urls`
			`value: https://{{ .Values.listenAddress }}:2379`
			`- name: listen-metrics-urls`
			`value: http://0.0.0.0:2381`
			`- name: logger`
			`value: zap`
			`- name: log-level`
			`value: warn`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`### DNS discovery`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`#- name: discovery-srv`
			`# value: {{ .Values.domain }}`
			`#- name: discovery-srv-name`
			`# value: {{ .Values.global.clusterName }}`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`{{- with .Values.etcd.extraArgs }}`
Remove stable repo 2021-01-03 15:33:13 +00:00			`{{- toYaml . \| nindent 6 }}`
			`{{- end }}`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`serverCertSANs:`
			`- "{{ .Values.etcd.nodeName }}"`
			`- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"`
			`- "{{ .Values.domain }}"`
			`peerCertSANs:`
			`- "{{ .Values.etcd.nodeName }}"`
			`- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"`
			`- "{{ .Values.domain }}"`
Remove stable repo 2021-01-03 15:33:13 +00:00			`controllerManager:`
			`extraArgs:`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: profiling`
			`value: "false"`
			`- name: terminated-pod-gc-threshold`
			`value: "300"`
			`- name: leader-elect`
			`value: {{ .Values.global.highAvailable \| quote }}`
			`- name: logging-format`
			`value: json`
			`- name: feature-gates`
			`value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) \| trimSuffix "," \| quote }}`
Remove stable repo 2021-01-03 15:33:13 +00:00			`scheduler:`
			`extraArgs:`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: feature-gates`
			`value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) \| trimSuffix "," \| quote }}`
			`- name: leader-elect`
			`value: {{ .Values.global.highAvailable \| quote }}`
			`- name: logging-format`
			`value: json`
			`- name: profiling`
			`value: "false"`
Remove stable repo 2021-01-03 15:33:13 +00:00			`apiServer:`
			`certSANs:`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`- {{ regexSplit ":" .Values.api.endpoint -1 \| first }}`
Remove stable repo 2021-01-03 15:33:13 +00:00			`extraArgs:`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: profiling`
			`value: "false"`
			`- name: etcd-servers`
			`value: {{ .Values.api.etcdServers }}`
			`- name: audit-log-path`
			`value: /var/log/kubernetes/audit.log`
			`- name: audit-policy-file`
			`value: /etc/kubernetes/apiserver/audit-policy.yaml`
			`- name: audit-log-maxage`
			`value: "7"`
			`- name: audit-log-maxsize`
			`value: "100"`
			`- name: audit-log-maxbackup`
			`value: "1"`
			`- name: audit-log-compress`
			`value: "true"`
WIP: 1.26.7 2023-08-16 10:17:39 +00:00			`{{- if .Values.api.falco.enabled }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: audit-webhook-config-file`
			`value: /etc/kubernetes/apiserver/audit-webhook.yaml`
WIP: 1.26.7 2023-08-16 10:17:39 +00:00			`{{- end }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: tls-cipher-suites`
			`value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`
			`- name: admission-control-config-file`
			`value: /etc/kubernetes/apiserver/admission-configuration.yaml`
			`- name: api-audiences`
			`value: {{ .Values.api.apiAudiences }}`
feat: support Kubernetes 1.20.11 2021-10-21 15:08:40 +00:00			`{{- if .Values.api.serviceAccountIssuer }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: service-account-issuer`
			`value: "{{ .Values.api.serviceAccountIssuer }}"`
			`- name: service-account-jwks-uri`
			`value: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"`
feat: support Kubernetes 1.20.11 2021-10-21 15:08:40 +00:00			`{{- end }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`{{- if .Values.api.awsIamAuth }}`
			`- name: authentication-token-webhook-config-file`
			`value: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml`
			`- name: authentication-token-webhook-cache-ttl`
			`value: 3600s`
			`- name: authentication-token-webhook-version`
			`value: v1`
Make kubeadm config work on bare-metal, minor tuning 2021-02-22 13:41:32 +00:00			`{{- end }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: feature-gates`
			`value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) \| trimSuffix "," \| quote }}`
			`- name: authorization-config`
			`value: /etc/kubernetes/apiserver/authz-config.yaml`
			`- name: enable-admission-plugins`
			`value: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration`
Minor fixed for 1.26 2023-08-29 16:30:43 +00:00			`{{- if .Values.global.highAvailable }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: goaway-chance`
			`value: ".001"`
Minor fixed for 1.26 2023-08-29 16:30:43 +00:00			`{{- end }}`
feat: reorg cluster upgrade logic, migrate aws-iam-authenticator to system service, basic network and addons for 1.31 2025-02-12 12:37:47 +00:00			`- name: logging-format`
			`value: json`
feat: kubeadm for v1.20.1 2021-05-28 15:16:36 +00:00			`{{- with .Values.api.extraArgs }}`
Remove stable repo 2021-01-03 15:33:13 +00:00			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`extraVolumes:`
			`- name: kubezero-apiserver`
			`hostPath: /etc/kubernetes/apiserver`
			`mountPath: /etc/kubernetes/apiserver`
			`readOnly: true`
			`pathType: DirectoryOrCreate`
			`- name: audit-log`
			`hostPath: /var/log/kubernetes`
			`mountPath: /var/log/kubernetes`
			`pathType: DirectoryOrCreate`