diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml
index dd5eeb11..1918978e 100644
--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.20.1
+version: 1.20.8
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml
index 43820e97..9d424bc2 100644
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
@@ -10,17 +10,10 @@ networking:
 etcd:
 local:
 extraArgs:
- #name: {{ .Values.etcd.nodeName }}
 ### DNS discovery
 #discovery-srv: {{ .Values.domain }}
 #discovery-srv-name: {{ .Values.clusterName }}
 #initial-cluster:
- ### Regular
- #{{- if .Values.etcd.initialCluster }}
- #initial-cluster: {{ .Values.etcd.initialCluster }}
- #{{- end }}
- #initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
- #advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
 initial-cluster-token: etcd-{{ .Values.clusterName }}
 listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
 logger: "zap"
@@ -42,21 +35,21 @@ controllerManager:
 profiling: "false"
 bind-address: {{ .Values.listenAddress }}
 terminated-pod-gc-threshold: "300"
- leader-elect: {{ .Values.highAvailable | quote }}
+ # leader-elect: {{ .Values.highAvailable | quote }}
 logging-format: json
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 scheduler:
 extraArgs:
 profiling: "false"
 bind-address: {{ .Values.listenAddress }}
- leader-elect: {{ .Values.highAvailable | quote }}
+ # leader-elect: {{ .Values.highAvailable | quote }}
 logging-format: json
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 apiServer:
 certSANs:
 - {{ regexSplit ":" .Values.api.endpoint -1 | first }}
 extraArgs:
- etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
+ etcd-servers: {{ .Values.api.allEtcdEndpoints }}
 profiling: "false"
 audit-log-path: "/var/log/kubernetes/audit.log"
 audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
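Review bot: Commenting out `leader-elect: {{ .Values.highAvailable | quote }}` under controllerManager and scheduler does not stop Helm from evaluating it — `#` is a YAML comment, but the template engine still renders the action inside it, so the output carries a live-looking `# leader-elect: "…"` line and the `.Values.highAvailable` dependency silently survives. If the intent is to fall back to the component default, delete the two lines or wrap them in `{{/* … */}}`, and add a why-comment such as `# leader election left at the component default; highAvailable no longer toggles it`; the same applies to the commented `goaway-chance` block in the next hunk. Separately, with the `ternary` gone, `etcd-servers: {{ .Values.api.allEtcdEndpoints }}` renders a null value when that value is unset on a single-node cluster; `etcd-servers: {{ required "api.allEtcdEndpoints must be set" .Values.api.allEtcdEndpoints }}` fails the render instead of producing a broken config.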
@@ -67,13 +60,18 @@ apiServer:
 tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
 admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
 {{- if eq .Values.platform "aws" }}
+ service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
+ service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
+ api-audiences: "istio-ca,sts.amazonaws.com"
 authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
+ {{- else }}
+ api-audiences: "istio-ca"
 {{- end }}
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 enable-admission-plugins: NodeRestriction,EventRateLimit
- {{- if .Values.highAvailable }}
- goaway-chance: ".001"
- {{- end }}
+ # {{- if .Values.highAvailable }}
+ # goaway-chance: ".001"
+ # {{- end }}
 logging-format: json
 {{- with .Values.api.extraArgs }}
 {{- toYaml . | nindent 4 }}
diff --git a/charts/kubeadm/templates/InitConfiguration.yaml b/charts/kubeadm/templates/InitConfiguration.yaml
index 466ba001..969e9bfb 100644
--- a/charts/kubeadm/templates/InitConfiguration.yaml
+++ b/charts/kubeadm/templates/InitConfiguration.yaml
@@ -11,3 +11,6 @@ nodeRegistration:
 - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml
index 017f4978..72953b88 100644
--- a/charts/kubeadm/templates/JoinConfiguration.yaml
+++ b/charts/kubeadm/templates/JoinConfiguration.yaml
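Review bot: `api-audiences: "istio-ca,sts.amazonaws.com"` tells the API server to accept service-account tokens whose `aud` is `sts.amazonaws.com`, so a token projected for the AWS STS exchange also authenticates against the Kubernetes API — an audience-confusion exposure the previous default (audiences = issuer) did not have, and, as far as I can tell, TokenRequests that name no audience are stamped with this whole list, so ordinary projected tokens would carry the STS audience as well (confirm for the kubeadm release in use). Minting STS-audience tokens is controlled by the pod's projected-volume `audience`, not by this flag, so unless the IAM integration documents a need for it I'd drop `sts.amazonaws.com` here, or add a comment stating why the API server must accept STS-audience tokens. Separately, `service-account-issuer: "{{ .Values.serviceAccountIssuer }}"` renders an empty string when the value is unset, which the API server will only reject at startup; `{{ required "serviceAccountIssuer must be set on aws" .Values.serviceAccountIssuer }}` fails the render instead.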
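Review bot: `provider-id: {{ . }}` is rendered as a plain scalar while the neighbouring `node-labels` line passes its value through `quote`; kubeletExtraArgs is a string map, so `provider-id: {{ . | quote }}` keeps the argument a string whatever the provider ID looks like and matches the style of the line above. The identical block added to JoinConfiguration.yaml in the next hunk has the same issue.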
@@ -15,3 +15,6 @@ nodeRegistration:
 - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/resources/10-runtimeClass.yaml b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
index ed979d2c..54610a43 100644
--- a/charts/kubeadm/templates/resources/10-runtimeClass.yaml
+++ b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.disabledfor120 }}
 apiVersion: node.k8s.io/v1
 kind: RuntimeClass
 metadata:
@@ -6,3 +7,4 @@ handler: runc
 overhead:
 podFixed:
 memory: 16Mi
+{{- end }}
diff --git a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
new file mode 100644
index 00000000..927881bd
--- /dev/null
+++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
@@ -0,0 +1,13 @@
+{{- if eq .Values.platform "aws" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-public
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:service-account-issuer-discovery
+subjects:
+ - kind: Group
+ name: system:unauthenticated
+{{- end }}
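Review bot: The new guard emits the RuntimeClass only when `.Values.disabledfor120` is truthy, which is the opposite of what the value's name suggests, and nothing in the template says why, so a reader of a rendered chart cannot tell whether a missing RuntimeClass is intended. The value's default is not in this diff; a leading `{{- /* RuntimeClass is emitted only while disabledfor120 is set; see values.yaml for the 1.20 rationale */ -}}` (or a name that states the direction of the toggle) would document the intent.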
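Review bot: The new ClusterRoleBinding grants `system:service-account-issuer-discovery` to `system:unauthenticated`, so anonymous callers can read the API server's OIDC discovery document and JWKS; that is the expected arrangement for a self-hosted issuer (the keys are public), but it is a deliberate widening of unauthenticated access and only works while `--anonymous-auth` stays enabled, and the file should say so: `# Lets unauthenticated callers fetch the OIDC discovery document and /openid/v1/jwks so AWS STS can validate projected tokens; requires anonymous-auth on the API server`. The file name also says `oicd` while the binding is named `oidc-public`; renaming to `20-oidc-public-rbac.yaml` keeps the two consistent.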