Remove stable repo

Makefile

@@ -8,7 +8,7 @@ all: update
 
 
 clean:
-	rm -f kubezero*.tgz
+	rm -f kube*.tgz
 
 update:
 	./script/update_helm.sh

charts/kubeadm/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: kubeadm
+description: KubeZero Kubeadm golden config
+type: application
+version: 1.18.14
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+  - kubezero
+  - kubeadm
+maintainers:
+  - name: Quarky9
+kubeVersion: ">= 1.16.0"

charts/kubeadm/README.md.gotmpl

@@ -0,0 +1,28 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+Installs the Istio control plane 
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+## Resources
+
+- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/
+- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
+- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
+- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration
+
+- https://github.com/awslabs/amazon-eks-ami

charts/kubeadm/templates/ClusterConfiguration.yaml

@@ -0,0 +1,60 @@
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+metadata:
+  name: kubezero-clusterconfiguration
+kubernetesVersion: {{ .Values.clusterVersion }}
+clusterName: {{ .Values.clusterName }}
+controlPlaneEndpoint: {{ .Values.apiEndpoint }}
+networking:
+  podSubnet: 10.244.0.0/16
+etcd:
+  local:
+    extraArgs:
+      listen-metrics-urls: "http://0.0.0.0:2381"
+      {{- with .Values.etcdExtraArgs }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+controllerManager:
+  extraArgs:
+    profiling: "false"
+    bind-address: 0.0.0.0
+    terminated-pod-gc-threshold: "300"
+    leader-elect: {{ .Values.clusterHighAvailable | quote }}
+    # Default anyways but make kube-bench happy
+    feature-gates: "RotateKubeletServerCertificate=true"
+scheduler:
+  extraArgs:
+    profiling: "false"
+    bind-address: 0.0.0.0
+    leader-elect: {{ .Values.clusterHighAvailable | quote }}
+apiServer:
+  certSANs:
+  - {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
+  extraArgs:
+    etcd-servers: {{ .Values.allEtcdEndpoints }}
+    profiling: "false"
+    feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true"
+    audit-log-path: "/var/log/kubernetes/audit.log"
+    audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
+    audit-log-maxage: "7"
+    audit-log-maxsize: "100"
+    audit-log-maxbackup: "3"
+    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+    admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
+    enable-admission-plugins: NodeRestriction,EventRateLimit
+    {{- if .Values.clusterHighAvailable }}
+    goaway-chance: ".001"
+    {{- end }}
+    {{- with .Values.apiExtraArgs }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  extraVolumes:
+  - name: kubezero-apiserver
+    hostPath: /etc/kubernetes/apiserver
+    mountPath: /etc/kubernetes/apiserver
+    readOnly: true
+    pathType: DirectoryOrCreate
+  - name: audit-log
+    hostPath: /var/log/kubernetes
+    mountPath: /var/log/kubernetes
+    pathType: DirectoryOrCreate

charts/kubeadm/templates/InitConfiguration.yaml

@@ -0,0 +1,12 @@
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: InitConfiguration
+metadata:
+  name: kubezero-initconfiguration
+localAPIEndpoint:
+  bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
+nodeRegistration:
+  ignorePreflightErrors:
+  - Swap
+  - DirAvailable--var-lib-etcd
+  kubeletExtraArgs:
+    node-labels: {{ .Values.nodeLabels | quote }}

charts/kubeadm/templates/JoinConfiguration.yaml

@@ -0,0 +1,18 @@
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: JoinConfiguration
+metadata:
+  name: kubezero-joinconfiguration
+discovery:
+  bootstrapToken:
+    apiServerEndpoint: {{ .Values.apiEndpoint }}
+    token: {{ .Values.joinToken }}
+    caCertHashes:
+    - "{{ .Values.caCertHash }}"
+nodeRegistration:
+  ignorePreflightErrors:
+  - DirAvailable--var-lib-etcd
+  - Swap
+controlPlane:
+  localAPIEndpoint:
+    advertiseAddress: {{ .Values.ipAddress }}
+    bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}

charts/kubeadm/templates/KubeProxyConfiguration.yaml

@@ -0,0 +1,6 @@
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+metadata:
+  name: kubezero-kubeproxyconfiguration
+metricsBindAddress: "0.0.0.0:10249"
+mode: ""

charts/kubeadm/templates/KubeletConfiguration.yaml

@@ -0,0 +1,19 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+metadata:
+  name: kubezero-kubeletconfiguration
+failSwapOn: false
+hairpinMode: hairpin-veth
+resolvConf: /run/systemd/resolve/resolv.conf
+protectKernelDefaults: true
+eventRecordQPS: 0
+# Breaks kubelet at boot time
+# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
+# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
+tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
+featureGates:
+  # Default anyways but make kube-bench happy
+  RotateKubeletServerCertificate: true
+  CSIMigration: true
+  CSIMigrationAWS: true
+  CSIMigrationAWSComplete: true

charts/kubeadm/templates/apiserver/admission-configuration.yaml

@@ -0,0 +1,7 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+metadata:
+  name: kubezero-admissionconfiguration
+plugins:
+- name: EventRateLimit
+  path: /etc/kubernetes/apiserver/event-config.yaml

charts/kubeadm/templates/apiserver/audit-policy.yaml

@@ -0,0 +1,7 @@
+# Don't Log anything, but audit policy enabled
+apiVersion: audit.k8s.io/v1
+kind: Policy
+metadata:
+  name: kubezero-auditpolicy
+rules:
+- level: None

charts/kubeadm/templates/apiserver/event-config.yaml

@@ -0,0 +1,13 @@
+apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+kind: Configuration
+metadata:
+  name: kubezero-eventratelimits
+limits:
+- type: Namespace
+  qps: 50
+  burst: 100
+  cacheSize: 20
+- type: User
+  qps: 10
+  burst: 50
+  cacheSize: 20

charts/kubeadm/values.yaml

@@ -0,0 +1,11 @@
+clusterVersion: 1.18.0
+clusterName: pleasechangeme
+apiEndpoint: kube-api.changeme.org:6443
+etcdExtraArgs: {}
+  # Enable for > 1.18
+  # unsafe-no-fsync: "true"
+apiExtraArgs: {}
+clusterHighAvailable: false
+allEtcdEndpoints: ""
+joinToken: ""
+caCertHash: ""

scripts/publish.sh

@@ -11,7 +11,6 @@ rm -rf $SRCROOT/output && git clone -b gh-pages ssh://git@git.zero-downtime.net:
 # Reset all
 # rm -rf $SRCROOT/output/*tgz $SRCROOT/output/index.yaml
 
-helm repo add stable https://kubernetes-charts.storage.googleapis.com
 helm repo add argoproj https://argoproj.github.io/argo-helm
 helm repo add jetstack https://charts.jetstack.io
 helm repo add uswitch https://uswitch.github.io/kiam-helm-charts/charts/