feat: support Kubernetes 1.20.11

2021-10-21 17:08:40 +02:00 · 2021-10-21 17:08:40 +02:00 · 4fe6221ead
commit 4fe6221ead
parent 794ca70ed9
7 changed files with 67 additions and 17 deletions
--- a/charts/kubeadm/README.md
+++ b/charts/kubeadm/README.md
@ -0,0 +1,54 @@
 # kubeadm
 ![Version: 1.20.11](https://img.shields.io/badge/Version-1.20.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Kubeadm golden config
 **Homepage:** <https://kubezero.com>
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | Quarky9 |  |  |
 ## Requirements
 Kubernetes: `>= 1.18.0`
 ## Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | api.allEtcdEndpoints | string | `""` |  |
 | api.apiAudiences | string | `"istio-ca"` |  |
 | api.endpoint | string | `"kube-api.changeme.org:6443"` |  |
 | api.extraArgs | object | `{}` |  |
 | api.listenPort | int | `6443` |  |
 | api.serviceAccountIssuer | string | `""` |  |
 | clusterName | string | `"pleasechangeme"` |  |
 | domain | string | `"changeme.org"` |  |
 | etcd.extraArgs | object | `{}` |  |
 | etcd.nodeName | string | `"set_via_cmdline"` |  |
 | highAvailable | bool | `false` |  |
 | kubeAdminRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` |  |
 | listenAddress | string | `"0.0.0.0"` |  |
 | platform | string | `"aws"` |  |
 | protectKernelDefaults | bool | `true` |  |
 | systemd | bool | `true` |  |
 | workerNodeRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` |  |
 ## Resources
 - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
 - https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
 - https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3
 - https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
 - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
 - https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
 - https://github.com/awslabs/amazon-eks-ami
 ### Etcd
 - https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d
--- a/charts/kubeadm/README.md.gotmpl
+++ b/charts/kubeadm/README.md.gotmpl
@ -15,14 +15,6 @@
 {{ template "chart.valuesSection" . }}
 ## Changes for 1.19
 ### Logging to json of control plane components
 - https://github.com/kubernetes/website/blob/dev-1.19/content/en/docs/concepts/cluster-administration/system-logs.md
 ### PodTopologySpread
 - https://kubernetes.io/blog/2020/05/introducing-podtopologyspread/#podtopologyspread-defaults
 ## Resources
 - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
@ -62,13 +62,13 @@ apiServer:
    bind-address: {{ .Values.listenAddress }}
    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
    api-audiences: {{ .Values.api.apiAudiences }}
    {{- if .Values.api.serviceAccountIssuer }}
    service-account-issuer: "{{ .Values.api.serviceAccountIssuer }}"
    service-account-jwks-uri: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
    {{- end }}
    {{- if eq .Values.platform "aws" }}
    service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
    service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
    api-audiences: "istio-ca,sts.amazonaws.com"
    authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
    {{- else }}
    api-audiences: "istio-ca"
    {{- end }}
    feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
    # for 1.21
--- a/charts/kubeadm/templates/JoinConfiguration.yaml
+++ b/charts/kubeadm/templates/JoinConfiguration.yaml
@ -1,3 +1,4 @@
 # This is for controllers only, workers dont use kubeadm
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
 discovery:
@ -5,7 +6,7 @@ discovery:
    kubeConfigPath: /root/.kube/config
 controlPlane:
  localAPIEndpoint:
-    advertiseAddress: {{ .Values.serviceIp }}
+    advertiseAddress: {{ .Values.listenAddress }}
    bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
  ignorePreflightErrors:
--- a/charts/kubeadm/templates/KubeProxyConfiguration.yaml
+++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml
@ -2,5 +2,6 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 metadata:
  name: kubezero-kubeproxyconfiguration
 # kube-proxy doesnt really support setting dynamic bind-address via config, replaced by cilium long-term anyways
 metricsBindAddress: "0.0.0.0:10249"
 mode: ""
--- a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
+++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.platform "aws" }}
+{{- if .Values.api.serviceAccountIssuer }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
@ -1,20 +1,22 @@
 clusterName: pleasechangeme
 domain: changeme.org
-serviceIp: set_via_cmdline
+# Needs to be set to primary node IP
 listenAddress: 0.0.0.0
 api:
  endpoint: kube-api.changeme.org:6443
  listenPort: 6443
  allEtcdEndpoints: ""
  extraArgs: {}
  serviceAccountIssuer: ""
  apiAudiences: "istio-ca"
 etcd:
  nodeName: set_via_cmdline
  extraArgs: {}
 highAvailable: false
 listenAddress: 0.0.0.0
 # supported values aws,bare-metal
 platform: "aws"