feat: support Kubernetes 1.20.11

2021-10-21 17:08:40 +02:00 · 2021-10-21 17:08:40 +02:00 · 4fe6221ead
commit 4fe6221ead
parent 794ca70ed9
7 changed files with 67 additions and 17 deletions
--- a/charts/kubeadm/README.md
+++ b/charts/kubeadm/README.md
@ -0,0 +1,54 @@
+# kubeadm
+
+![Version: 1.20.11](https://img.shields.io/badge/Version-1.20.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+KubeZero Kubeadm golden config
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Quarky9 |  |  |
+
+## Requirements
+
+Kubernetes: `>= 1.18.0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| api.allEtcdEndpoints | string | `""` |  |
+| api.apiAudiences | string | `"istio-ca"` |  |
+| api.endpoint | string | `"kube-api.changeme.org:6443"` |  |
+| api.extraArgs | object | `{}` |  |
+| api.listenPort | int | `6443` |  |
+| api.serviceAccountIssuer | string | `""` |  |
+| clusterName | string | `"pleasechangeme"` |  |
+| domain | string | `"changeme.org"` |  |
+| etcd.extraArgs | object | `{}` |  |
+| etcd.nodeName | string | `"set_via_cmdline"` |  |
+| highAvailable | bool | `false` |  |
+| kubeAdminRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` |  |
+| listenAddress | string | `"0.0.0.0"` |  |
+| platform | string | `"aws"` |  |
+| protectKernelDefaults | bool | `true` |  |
+| systemd | bool | `true` |  |
+| workerNodeRole | string | `"arn:aws:iam::000000000000:role/KubernetesNode"` |  |
+
+## Resources
+
+- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
+- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
+- https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3
+- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
+- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
+
+- https://github.com/awslabs/amazon-eks-ami
+
+### Etcd
+- https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d
+
--- a/charts/kubeadm/README.md.gotmpl
+++ b/charts/kubeadm/README.md.gotmpl
@ -15,14 +15,6 @@

 {{ template "chart.valuesSection" . }}

-## Changes for 1.19
-
-### Logging to json of control plane components
- https://github.com/kubernetes/website/blob/dev-1.19/content/en/docs/concepts/cluster-administration/system-logs.md
-
-### PodTopologySpread
- https://kubernetes.io/blog/2020/05/introducing-podtopologyspread/#podtopologyspread-defaults
-
 ## Resources

 - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
@ -62,13 +62,13 @@ apiServer:
    bind-address: {{ .Values.listenAddress }}
    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
+    api-audiences: {{ .Values.api.apiAudiences }}
+    {{- if .Values.api.serviceAccountIssuer }}
+    service-account-issuer: "{{ .Values.api.serviceAccountIssuer }}"
+    service-account-jwks-uri: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
+    {{- end }}
    {{- if eq .Values.platform "aws" }}
-    service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
-    service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
-    api-audiences: "istio-ca,sts.amazonaws.com"
    authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
-    {{- else }}
-    api-audiences: "istio-ca"
    {{- end }}
    feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
    # for 1.21
--- a/charts/kubeadm/templates/JoinConfiguration.yaml
+++ b/charts/kubeadm/templates/JoinConfiguration.yaml
@ -1,3 +1,4 @@
+# This is for controllers only, workers dont use kubeadm
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
 discovery:
@ -5,7 +6,7 @@ discovery:
    kubeConfigPath: /root/.kube/config
 controlPlane:
  localAPIEndpoint:
-    advertiseAddress: {{ .Values.serviceIp }}
+    advertiseAddress: {{ .Values.listenAddress }}
    bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
  ignorePreflightErrors:
--- a/charts/kubeadm/templates/KubeProxyConfiguration.yaml
+++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml
@ -2,5 +2,6 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 metadata:
  name: kubezero-kubeproxyconfiguration
+# kube-proxy doesnt really support setting dynamic bind-address via config, replaced by cilium long-term anyways
 metricsBindAddress: "0.0.0.0:10249"
 mode: ""
--- a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
+++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.platform "aws" }}
+{{- if .Values.api.serviceAccountIssuer }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
@ -1,20 +1,22 @@
 clusterName: pleasechangeme
 domain: changeme.org

-serviceIp: set_via_cmdline
+# Needs to be set to primary node IP
+listenAddress: 0.0.0.0

 api:
  endpoint: kube-api.changeme.org:6443
  listenPort: 6443
  allEtcdEndpoints: ""
  extraArgs: {}
+  serviceAccountIssuer: ""
+  apiAudiences: "istio-ca"

 etcd:
  nodeName: set_via_cmdline
  extraArgs: {}

 highAvailable: false
-listenAddress: 0.0.0.0

 # supported values aws,bare-metal
 platform: "aws"