diff --git a/Makefile b/Makefile index 1d98b707..aebd4c59 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ all: update clean: - rm -f kubezero*.tgz + rm -f kube*.tgz update: ./script/update_helm.sh diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml new file mode 100644 index 00000000..99424f1e --- /dev/null +++ b/charts/kubeadm/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: kubeadm +description: KubeZero Kubeadm golden config +type: application +version: 1.18.14 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - kubeadm +maintainers: + - name: Quarky9 +kubeVersion: ">= 1.16.0" diff --git a/charts/kubeadm/README.md b/charts/kubeadm/README.md new file mode 100644 index 00000000..e69de29b diff --git a/charts/kubeadm/README.md.gotmpl b/charts/kubeadm/README.md.gotmpl new file mode 100644 index 00000000..d29076a4 --- /dev/null +++ b/charts/kubeadm/README.md.gotmpl @@ -0,0 +1,28 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +Installs the Istio control plane + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +## Resources + +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ +- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 +- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/ +- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration + +- https://github.com/awslabs/amazon-eks-ami 
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml new file mode 100644 index 00000000..522186a6 --- /dev/null +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml 
@@ -0,0 +1,60 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubezero-clusterconfiguration +kubernetesVersion: {{ .Values.clusterVersion }} +clusterName: {{ .Values.clusterName }} +controlPlaneEndpoint: {{ .Values.apiEndpoint }} +networking: + podSubnet: 10.244.0.0/16 +etcd: + local: + extraArgs: + listen-metrics-urls: "http://0.0.0.0:2381" + {{- with .Values.etcdExtraArgs }} + {{- toYaml . | nindent 6 }} + {{- end }} +controllerManager: + extraArgs: + profiling: "false" + bind-address: 0.0.0.0 + terminated-pod-gc-threshold: "300" + leader-elect: {{ .Values.clusterHighAvailable | quote }} + # Default anyways but make kube-bench happy + feature-gates: "RotateKubeletServerCertificate=true" +scheduler: + extraArgs: + profiling: "false" + bind-address: 0.0.0.0 + leader-elect: {{ .Values.clusterHighAvailable | quote }} +apiServer: + certSANs: + - {{ regexSplit ":" .Values.apiEndpoint -1 | first }} + extraArgs: + etcd-servers: {{ .Values.allEtcdEndpoints }} + profiling: "false" + feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true" + audit-log-path: "/var/log/kubernetes/audit.log" + audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml + audit-log-maxage: "7" + audit-log-maxsize: "100" + audit-log-maxbackup: "3" + tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml + enable-admission-plugins: NodeRestriction,EventRateLimit + {{- if .Values.clusterHighAvailable }} + goaway-chance: ".001" + {{- end }} + {{- with .Values.apiExtraArgs }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + extraVolumes: + - name: kubezero-apiserver + hostPath: /etc/kubernetes/apiserver + mountPath: /etc/kubernetes/apiserver + readOnly: true + pathType: DirectoryOrCreate + - name: audit-log + hostPath: /var/log/kubernetes + mountPath: /var/log/kubernetes + pathType: DirectoryOrCreate diff --git a/charts/kubeadm/templates/InitConfiguration.yaml b/charts/kubeadm/templates/InitConfiguration.yaml new file mode 100644 index 00000000..1b9deb3e --- /dev/null +++ b/charts/kubeadm/templates/InitConfiguration.yaml @@ -0,0 +1,12 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: InitConfiguration +metadata: + name: kubezero-initconfiguration +localAPIEndpoint: + bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }} +nodeRegistration: + ignorePreflightErrors: + - Swap + - DirAvailable--var-lib-etcd + kubeletExtraArgs: + node-labels: {{ .Values.nodeLabels | quote }} diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml new file mode 100644 index 00000000..6ad03ccd --- /dev/null +++ b/charts/kubeadm/templates/JoinConfiguration.yaml @@ -0,0 +1,18 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: JoinConfiguration +metadata: + name: kubezero-joinconfiguration +discovery: + bootstrapToken: + apiServerEndpoint: {{ .Values.apiEndpoint }} + token: {{ .Values.joinToken }} + caCertHashes: + - "{{ .Values.caCertHash }}" +nodeRegistration: + ignorePreflightErrors: + - DirAvailable--var-lib-etcd + - Swap +controlPlane: + localAPIEndpoint: + advertiseAddress: {{ .Values.ipAddress }} + bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }} diff --git a/charts/kubeadm/templates/KubeProxyConfiguration.yaml b/charts/kubeadm/templates/KubeProxyConfiguration.yaml new file mode 100644 index 00000000..6ca59450 --- /dev/null +++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml 
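Review bot: `bind-address: 0.0.0.0` on both `controllerManager.extraArgs` and `scheduler.extraArgs` exposes those components' serving ports on every node interface, and the CIS benchmark checks that kube-bench runs for these two components expect 127.0.0.1, so these lines will be flagged rather than pass. `listen-metrics-urls: "http://0.0.0.0:2381"` on etcd likewise publishes the etcd metrics/health endpoint over plaintext HTTP, without authentication, on all interfaces. If this is deliberate so an off-node Prometheus can scrape them, say so next to each line (e.g. `# bound to all interfaces for metrics scraping; restrict with the node firewall / security group`) so the exception is documented; otherwise bind them to `127.0.0.1` and scrape via a node-local exporter. The rest of the apiserver hardening here (profiling off, cipher list, NodeRestriction, read-only config mount) looks consistent.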
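Review bot: `token: {{ .Values.joinToken }}` is rendered unquoted; a bootstrap token has the form `<6 chars>.<16 chars>` and can be all digits on both sides, in which case YAML reads it as a float and kubeadm rejects or mis-reads it, so emit it as `token: {{ .Values.joinToken | quote }}`. `caCertHashes` takes the empty-string default from values.yaml, so rendering without `caCertHash` yields `- ""` and only kubeadm's own argument validation stands between that and an unverified join; failing at render time with `- {{ required "caCertHash is required for a verified join" .Values.caCertHash | quote }}` makes the intent explicit. `.Values.ipAddress`, used for `advertiseAddress`, has no entry in values.yaml in this commit, which is presumably intentional (set per node) but deserves a comment there.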
@@ -0,0 +1,6 @@ +apiVersion: kubeproxy.config.k8s.io/v1alpha1 +kind: KubeProxyConfiguration +metadata: + name: kubezero-kubeproxyconfiguration +metricsBindAddress: "0.0.0.0:10249" +mode: "" diff --git a/charts/kubeadm/templates/KubeletConfiguration.yaml b/charts/kubeadm/templates/KubeletConfiguration.yaml new file mode 100644 index 00000000..35682116 --- /dev/null +++ b/charts/kubeadm/templates/KubeletConfiguration.yaml @@ -0,0 +1,19 @@ +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +metadata: + name: kubezero-kubeletconfiguration +failSwapOn: false +hairpinMode: hairpin-veth +resolvConf: /run/systemd/resolve/resolv.conf +protectKernelDefaults: true +eventRecordQPS: 0 +# Breaks kubelet at boot time +# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt +# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key +tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256] +featureGates: + # Default anyways but make kube-bench happy + RotateKubeletServerCertificate: true + CSIMigration: true + CSIMigrationAWS: true + CSIMigrationAWSComplete: true diff --git a/charts/kubeadm/templates/apiserver/admission-configuration.yaml b/charts/kubeadm/templates/apiserver/admission-configuration.yaml new file mode 100644 index 00000000..76d79d07 --- /dev/null +++ b/charts/kubeadm/templates/apiserver/admission-configuration.yaml @@ -0,0 +1,7 @@ +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +metadata: + name: kubezero-admissionconfiguration +plugins: +- name: EventRateLimit + path: /etc/kubernetes/apiserver/event-config.yaml diff --git a/charts/kubeadm/templates/apiserver/audit-policy.yaml b/charts/kubeadm/templates/apiserver/audit-policy.yaml new file mode 100644 index 00000000..40da4ea4 
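Review bot: `metricsBindAddress: "0.0.0.0:10249"` binds kube-proxy's unauthenticated metrics and `/proxyMode` endpoint on every node interface rather than the default loopback address. If off-node scraping is the reason, record it in place (`# all interfaces so Prometheus can scrape node metrics; restrict with the node firewall`); otherwise drop the line and keep the default. `mode: ""` is valid but opaque to the next reader — a comment such as `# empty = let kube-proxy auto-select the proxy mode` would help.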
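Review bot: The `tlsCipherSuites` list ends with `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, which use static RSA key exchange and provide no forward secrecy; the apiserver `tls-cipher-suites` list added in ClusterConfiguration.yaml in this same commit omits exactly those two, so the kubelet and apiserver policies disagree. Unless a known kubelet client still needs them, drop the two `TLS_RSA_*` entries so both lists match. The commented-out `tlsCertFile`/`tlsPrivateKeyFile` lines would be clearer with the cause stated, e.g. `# static serving cert paths break kubelet at first boot before the cert exists; serving certs come from RotateKubeletServerCertificate instead` — if that is indeed the reason, which the hunk does not say.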
--- /dev/null +++ b/charts/kubeadm/templates/apiserver/audit-policy.yaml @@ -0,0 +1,7 @@ +# Don't Log anything, but audit policy enabled +apiVersion: audit.k8s.io/v1 +kind: Policy +metadata: + name: kubezero-auditpolicy +rules: +- level: None diff --git a/charts/kubeadm/templates/apiserver/event-config.yaml b/charts/kubeadm/templates/apiserver/event-config.yaml new file mode 100644 index 00000000..4e1166aa --- /dev/null +++ b/charts/kubeadm/templates/apiserver/event-config.yaml @@ -0,0 +1,13 @@ +apiVersion: eventratelimit.admission.k8s.io/v1alpha1 +kind: Configuration +metadata: + name: kubezero-eventratelimits +limits: +- type: Namespace + qps: 50 + burst: 100 + cacheSize: 20 +- type: User + qps: 10 + burst: 50 + cacheSize: 20 diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml new file mode 100644 index 00000000..b4d61489 --- /dev/null +++ b/charts/kubeadm/values.yaml @@ -0,0 +1,11 @@ +clusterVersion: 1.18.0 +clusterName: pleasechangeme +apiEndpoint: kube-api.changeme.org:6443 +etcdExtraArgs: {} + # Enable for > 1.18 + # unsafe-no-fsync: "true" +apiExtraArgs: {} +clusterHighAvailable: false +allEtcdEndpoints: "" +joinToken: "" +caCertHash: "" diff --git a/scripts/publish.sh b/scripts/publish.sh index 347e2484..aed91671 100755 --- a/scripts/publish.sh +++ b/scripts/publish.sh @@ -11,7 +11,6 @@ rm -rf $SRCROOT/output && git clone -b gh-pages ssh://git@git.zero-downtime.net: # Reset all # rm -rf $SRCROOT/output/*tgz $SRCROOT/output/index.yaml -helm repo add stable https://kubernetes-charts.storage.googleapis.com helm repo add argoproj https://argoproj.github.io/argo-helm helm repo add jetstack https://charts.jetstack.io helm repo add uswitch https://uswitch.github.io/kiam-helm-charts/charts/
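Review bot: The single `- level: None` rule means no request is ever written to the audit log, so the `audit-log-path`/`audit-log-maxage`/`audit-log-maxsize` flags set in ClusterConfiguration.yaml satisfy a flag-presence check but leave no record to reconstruct who created or modified what after an incident. The header comment shows this is intentional, but a control plane with an empty audit trail is a gap worth closing by default: drop read-only verbs and log everything else at metadata level, as below, and revisit the log size budget accordingly. If the silent default must stay for small nodes, state the reason in the comment and expose the policy through values so operators can turn it on without patching the chart.

```yaml
rules:
# read-only traffic is high volume and rarely needed for forensics
- level: None
  verbs: ["get", "list", "watch"]
# everything else: who did what to which object, without request/response bodies
- level: Metadata
  omitStages: ["RequestReceived"]
```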
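Review bot: The commented example `# unsafe-no-fsync: "true"` under `etcdExtraArgs`, paired with `# Enable for > 1.18`, reads as a recommendation, yet the flag disables fsync on etcd's write path so a node crash or power loss can drop committed writes and leave cluster state inconsistent. If the example stays, make the trade-off explicit, e.g. `# unsafe-no-fsync turns off etcd fsync: faster, but a crash can lose committed data -- only for disposable clusters`. `joinToken` and `caCertHash` default to empty strings here while JoinConfiguration.yaml consumes them directly; a comment marking them as required for node joins would prevent accidental renders with blank values.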