feat: kubeadm for v1.20.1

charts/kubeadm/.helmignore

@@ -1,2 +1,2 @@
-*.sh
 *.md
+*.md.gotmpl

charts/kubeadm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.20.0
+version: 1.20.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubeadm/README.md.gotmpl

@@ -35,3 +35,7 @@ Installs the Istio control plane
 - https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
 
 - https://github.com/awslabs/amazon-eks-ami
+
+### Etcd
+- https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d
+

charts/kubeadm/scripts/minor.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Minor uppgrade from 1.19!"

charts/kubeadm/scripts/patch.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Patch upgrade within 1.20"

charts/kubeadm/templates/ClusterConfiguration.yaml

@@ -2,40 +2,61 @@ apiVersion: kubeadm.k8s.io/v1beta2
 kind: ClusterConfiguration
 metadata:
   name: kubezero-clusterconfiguration
-kubernetesVersion: {{ .Values.clusterVersion }}
+kubernetesVersion: {{ .Chart.Version }}
 clusterName: {{ .Values.clusterName }}
-controlPlaneEndpoint: {{ .Values.apiEndpoint }}
+controlPlaneEndpoint: {{ .Values.api.endpoint }}
 networking:
   podSubnet: 10.244.0.0/16
 etcd:
   local:
     extraArgs:
+      #name: {{ .Values.etcd.nodeName }}
+      ### DNS discovery
+      #discovery-srv: {{ .Values.domain }}
+      #discovery-srv-name: {{ .Values.clusterName }}
+      #initial-cluster:
+      ### Regular
+      #{{- if .Values.etcd.initialCluster }}
+      #initial-cluster: {{ .Values.etcd.initialCluster }}
+      #{{- end }}
+      #initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
+      #advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
+      initial-cluster-token: etcd-{{ .Values.clusterName }}
       listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
       logger: "zap"
       # log-level: "warn"
-      {{- with .Values.etcdExtraArgs }}
+      {{- with .Values.etcd.extraArgs }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
+    # These will only be used to create the etcd certs but removed for Init/Join kudeadm calls allowing us to sneak in aliases for etcd nodes
+    serverCertSANs:
+    - "{{ .Values.etcd.nodeName }}"
+    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
+    - "{{ .Values.domain }}"
+    peerCertSANs:
+    - "{{ .Values.etcd.nodeName }}"
+    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
+    - "{{ .Values.domain }}"
 controllerManager:
   extraArgs:
     profiling: "false"
     bind-address: {{ .Values.listenAddress }}
     terminated-pod-gc-threshold: "300"
-    leader-elect: {{ .Values.clusterHighAvailable | quote }}
+    leader-elect: {{ .Values.highAvailable | quote }}
     logging-format: json
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 scheduler:
   extraArgs:
     profiling: "false"
     bind-address: {{ .Values.listenAddress }}
-    leader-elect: {{ .Values.clusterHighAvailable | quote }}
+    leader-elect: {{ .Values.highAvailable | quote }}
     logging-format: json
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 apiServer:
   certSANs:
-  - {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
+  -  {{ regexSplit ":" .Values.api.endpoint -1 | first }}
   extraArgs:
-    etcd-servers: {{ .Values.allEtcdEndpoints }}
+    etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
     profiling: "false"
     audit-log-path: "/var/log/kubernetes/audit.log"
     audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
@@ -50,11 +71,11 @@ apiServer:
     {{- end }}
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
     enable-admission-plugins: NodeRestriction,EventRateLimit
-    {{- if .Values.clusterHighAvailable }}
+    {{- if .Values.highAvailable }}
     goaway-chance: ".001"
     {{- end }}
     logging-format: json
-    {{- with .Values.apiExtraArgs }}
+    {{- with .Values.api.extraArgs }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
   extraVolumes:

charts/kubeadm/templates/InitConfiguration.yaml

@@ -3,10 +3,11 @@ kind: InitConfiguration
 metadata:
   name: kubezero-initconfiguration
 localAPIEndpoint:
-  bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
+  bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
   ignorePreflightErrors:
   - Swap
   - DirAvailable--var-lib-etcd
+  - KubeletVersion
   kubeletExtraArgs:
     node-labels: {{ .Values.nodeLabels | quote }}

charts/kubeadm/templates/JoinConfiguration.yaml

@@ -5,12 +5,13 @@ discovery:
     kubeConfigPath: /root/.kube/config
 controlPlane:
   localAPIEndpoint:
-    advertiseAddress: IP_ADDRESS
+    advertiseAddress: {{ .Values.serviceIp }}
-    bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
+    bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
   ignorePreflightErrors:
   - DirAvailable--var-lib-etcd
   - FileAvailable--etc-kubernetes-pki-ca.crt
   - Swap
+  - KubeletVersion
   kubeletExtraArgs:
     node-labels: {{ .Values.nodeLabels | quote }}

charts/kubeadm/templates/admin-kubectl.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
-    server: https://{{ .Values.apiEndpoint }}
+    server: https://{{ .Values.api.endpoint }}
   name: {{ .Values.clusterName }}
 contexts:
 - context:

charts/kubeadm/templates/patches/coredns0.yaml

@@ -1,5 +1,5 @@
 spec:
-  replicas: {{ ternary 3 1 .Values.clusterHighAvailable }}
+  replicas: {{ ternary 3 1 .Values.highAvailable }}
   template:
     spec:
       containers:

charts/kubeadm/templates/patches/etcd0.yaml

@@ -5,3 +5,4 @@ spec:
       requests:
         cpu: 200m
         memory: 192Mi
+        ephemeral-storage: 1Gi

charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml

@@ -5,7 +5,7 @@ kind: IAMIdentityMapping
 metadata:
   name: kubezero-worker-nodes
 spec:
-  arn: {{ .Values.WorkerNodeRole }}
+  arn: {{ .Values.workerNodeRole }}
   username: system:node:{{ "{{" }}EC2PrivateDNSName{{ "}}" }}
   groups:
   # For now use masters, define properly with 1.20

charts/kubeadm/values.yaml

@@ -1,16 +1,26 @@
-clusterVersion: 1.19.0
-listenAddress: 0.0.0.0
 clusterName: pleasechangeme
-apiEndpoint: kube-api.changeme.org:6443
+domain: changeme.org
-etcdExtraArgs: {}
+
-apiExtraArgs: {}
+serviceIp: set_via_cmdline
-clusterHighAvailable: false
+
-allEtcdEndpoints: ""
+api:
+  endpoint: kube-api.changeme.org:6443
+  listenPort: 6443
+  allEtcdEndpoints: ""
+  extraArgs: {}
+
+etcd:
+  nodeName: set_via_cmdline
+  extraArgs: {}
+
+highAvailable: false
+listenAddress: 0.0.0.0
+
 # supported values aws,bare-metal
 platform: "aws"
 # Set to false for openrc, eg. on Gentoo or Alpine
 systemd: true
 protectKernelDefaults: true
 
-WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
+workerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
-KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
+kubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"