feat: kubeadm for v1.20.1

This commit is contained in:
Stefan Reimer 2021-05-28 17:16:36 +02:00
parent 94165efff3
commit 7e61463b21
13 changed files with 70 additions and 26 deletions

View File

@ -1,2 +1,2 @@
*.sh
*.md
*.md.gotmpl

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm
description: KubeZero Kubeadm golden config
type: application
version: 1.20.0
version: 1.20.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:

View File

@ -35,3 +35,7 @@ Installs the Istio control plane
- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
- https://github.com/awslabs/amazon-eks-ami
### Etcd
- https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d

View File

@ -0,0 +1,3 @@
#!/bin/bash
echo "Minor uppgrade from 1.19!"

View File

@ -0,0 +1,3 @@
#!/bin/bash
echo "Patch upgrade within 1.20"

View File

@ -2,40 +2,61 @@ apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
metadata:
name: kubezero-clusterconfiguration
kubernetesVersion: {{ .Values.clusterVersion }}
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.clusterName }}
controlPlaneEndpoint: {{ .Values.apiEndpoint }}
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
podSubnet: 10.244.0.0/16
etcd:
local:
extraArgs:
#name: {{ .Values.etcd.nodeName }}
### DNS discovery
#discovery-srv: {{ .Values.domain }}
#discovery-srv-name: {{ .Values.clusterName }}
#initial-cluster:
### Regular
#{{- if .Values.etcd.initialCluster }}
#initial-cluster: {{ .Values.etcd.initialCluster }}
#{{- end }}
#initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
#advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
initial-cluster-token: etcd-{{ .Values.clusterName }}
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
logger: "zap"
# log-level: "warn"
{{- with .Values.etcdExtraArgs }}
{{- with .Values.etcd.extraArgs }}
{{- toYaml . | nindent 6 }}
{{- end }}
# These will only be used to create the etcd certs but removed for Init/Join kudeadm calls allowing us to sneak in aliases for etcd nodes
serverCertSANs:
- "{{ .Values.etcd.nodeName }}"
- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
- "{{ .Values.domain }}"
peerCertSANs:
- "{{ .Values.etcd.nodeName }}"
- "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
- "{{ .Values.domain }}"
controllerManager:
extraArgs:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }}
leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
scheduler:
extraArgs:
profiling: "false"
bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.clusterHighAvailable | quote }}
leader-elect: {{ .Values.highAvailable | quote }}
logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
apiServer:
certSANs:
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
- {{ regexSplit ":" .Values.api.endpoint -1 | first }}
extraArgs:
etcd-servers: {{ .Values.allEtcdEndpoints }}
etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
profiling: "false"
audit-log-path: "/var/log/kubernetes/audit.log"
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
@ -50,11 +71,11 @@ apiServer:
{{- end }}
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }}
{{- if .Values.highAvailable }}
goaway-chance: ".001"
{{- end }}
logging-format: json
{{- with .Values.apiExtraArgs }}
{{- with .Values.api.extraArgs }}
{{- toYaml . | nindent 4 }}
{{- end }}
extraVolumes:

View File

@ -3,10 +3,11 @@ kind: InitConfiguration
metadata:
name: kubezero-initconfiguration
localAPIEndpoint:
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
bindPort: {{ .Values.api.listenPort }}
nodeRegistration:
ignorePreflightErrors:
- Swap
- DirAvailable--var-lib-etcd
- KubeletVersion
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}

View File

@ -5,12 +5,13 @@ discovery:
kubeConfigPath: /root/.kube/config
controlPlane:
localAPIEndpoint:
advertiseAddress: IP_ADDRESS
bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
advertiseAddress: {{ .Values.serviceIp }}
bindPort: {{ .Values.api.listenPort }}
nodeRegistration:
ignorePreflightErrors:
- DirAvailable--var-lib-etcd
- FileAvailable--etc-kubernetes-pki-ca.crt
- Swap
- KubeletVersion
kubeletExtraArgs:
node-labels: {{ .Values.nodeLabels | quote }}

View File

@ -3,7 +3,7 @@ apiVersion: v1
kind: Config
clusters:
- cluster:
server: https://{{ .Values.apiEndpoint }}
server: https://{{ .Values.api.endpoint }}
name: {{ .Values.clusterName }}
contexts:
- context:

View File

@ -1,5 +1,5 @@
spec:
replicas: {{ ternary 3 1 .Values.clusterHighAvailable }}
replicas: {{ ternary 3 1 .Values.highAvailable }}
template:
spec:
containers:

View File

@ -5,3 +5,4 @@ spec:
requests:
cpu: 200m
memory: 192Mi
ephemeral-storage: 1Gi

View File

@ -5,7 +5,7 @@ kind: IAMIdentityMapping
metadata:
name: kubezero-worker-nodes
spec:
arn: {{ .Values.WorkerNodeRole }}
arn: {{ .Values.workerNodeRole }}
username: system:node:{{ "{{" }}EC2PrivateDNSName{{ "}}" }}
groups:
# For now use masters, define properly with 1.20

View File

@ -1,16 +1,26 @@
clusterVersion: 1.19.0
listenAddress: 0.0.0.0
clusterName: pleasechangeme
apiEndpoint: kube-api.changeme.org:6443
etcdExtraArgs: {}
apiExtraArgs: {}
clusterHighAvailable: false
allEtcdEndpoints: ""
domain: changeme.org
serviceIp: set_via_cmdline
api:
endpoint: kube-api.changeme.org:6443
listenPort: 6443
allEtcdEndpoints: ""
extraArgs: {}
etcd:
nodeName: set_via_cmdline
extraArgs: {}
highAvailable: false
listenAddress: 0.0.0.0
# supported values aws,bare-metal
platform: "aws"
# Set to false for openrc, eg. on Gentoo or Alpine
systemd: true
protectKernelDefaults: true
WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
workerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
kubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"