fix: JWT aud for istio, cleanup
This commit is contained in:
parent
127db98358
commit
f43a780464
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubeadm
|
name: kubeadm
|
||||||
description: KubeZero Kubeadm golden config
|
description: KubeZero Kubeadm golden config
|
||||||
type: application
|
type: application
|
||||||
version: 1.20.1
|
version: 1.20.8
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -10,17 +10,10 @@ networking:
|
|||||||
etcd:
|
etcd:
|
||||||
local:
|
local:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
#name: {{ .Values.etcd.nodeName }}
|
|
||||||
### DNS discovery
|
### DNS discovery
|
||||||
#discovery-srv: {{ .Values.domain }}
|
#discovery-srv: {{ .Values.domain }}
|
||||||
#discovery-srv-name: {{ .Values.clusterName }}
|
#discovery-srv-name: {{ .Values.clusterName }}
|
||||||
#initial-cluster:
|
#initial-cluster:
|
||||||
### Regular
|
|
||||||
#{{- if .Values.etcd.initialCluster }}
|
|
||||||
#initial-cluster: {{ .Values.etcd.initialCluster }}
|
|
||||||
#{{- end }}
|
|
||||||
#initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
|
|
||||||
#advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
|
|
||||||
initial-cluster-token: etcd-{{ .Values.clusterName }}
|
initial-cluster-token: etcd-{{ .Values.clusterName }}
|
||||||
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
|
listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
|
||||||
logger: "zap"
|
logger: "zap"
|
||||||
@ -42,21 +35,21 @@ controllerManager:
|
|||||||
profiling: "false"
|
profiling: "false"
|
||||||
bind-address: {{ .Values.listenAddress }}
|
bind-address: {{ .Values.listenAddress }}
|
||||||
terminated-pod-gc-threshold: "300"
|
terminated-pod-gc-threshold: "300"
|
||||||
leader-elect: {{ .Values.highAvailable | quote }}
|
# leader-elect: {{ .Values.highAvailable | quote }}
|
||||||
logging-format: json
|
logging-format: json
|
||||||
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
||||||
scheduler:
|
scheduler:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
profiling: "false"
|
profiling: "false"
|
||||||
bind-address: {{ .Values.listenAddress }}
|
bind-address: {{ .Values.listenAddress }}
|
||||||
leader-elect: {{ .Values.highAvailable | quote }}
|
# leader-elect: {{ .Values.highAvailable | quote }}
|
||||||
logging-format: json
|
logging-format: json
|
||||||
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
||||||
apiServer:
|
apiServer:
|
||||||
certSANs:
|
certSANs:
|
||||||
- {{ regexSplit ":" .Values.api.endpoint -1 | first }}
|
- {{ regexSplit ":" .Values.api.endpoint -1 | first }}
|
||||||
extraArgs:
|
extraArgs:
|
||||||
etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
|
etcd-servers: {{ .Values.api.allEtcdEndpoints }}
|
||||||
profiling: "false"
|
profiling: "false"
|
||||||
audit-log-path: "/var/log/kubernetes/audit.log"
|
audit-log-path: "/var/log/kubernetes/audit.log"
|
||||||
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
||||||
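Review bot: Commenting out `leader-elect` under both `controllerManager` and `scheduler` does not disable leader election; kubeadm's own default for both components is `leader-elect=true`, so clusters rendered with `highAvailable: false` (previously `"false"`) now silently switch to `true`. Either delete the dead lines or replace each with a comment that records the decision, e.g. `# leader-elect: left at kubeadm's default (true) for all topologies`. The `etcd-servers` line has also lost its loopback fallback, so an unset `api.allEtcdEndpoints` renders an empty flag that only fails when the control plane starts; `etcd-servers: {{ required "api.allEtcdEndpoints must be set" .Values.api.allEtcdEndpoints }}` fails at render time instead. Whether values.yaml now always provides that value is not visible on this page.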
@ -67,13 +60,18 @@ apiServer:
|
|||||||
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||||
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
||||||
{{- if eq .Values.platform "aws" }}
|
{{- if eq .Values.platform "aws" }}
|
||||||
|
service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
|
||||||
|
service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
|
||||||
|
api-audiences: "istio-ca,sts.amazonaws.com"
|
||||||
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
|
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
|
||||||
|
{{- else }}
|
||||||
|
api-audiences: "istio-ca"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
|
||||||
enable-admission-plugins: NodeRestriction,EventRateLimit
|
enable-admission-plugins: NodeRestriction,EventRateLimit
|
||||||
{{- if .Values.highAvailable }}
|
# {{- if .Values.highAvailable }}
|
||||||
goaway-chance: ".001"
|
# goaway-chance: ".001"
|
||||||
{{- end }}
|
# {{- end }}
|
||||||
logging-format: json
|
logging-format: json
|
||||||
{{- with .Values.api.extraArgs }}
|
{{- with .Values.api.extraArgs }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
|
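Review bot: Setting `api-audiences` explicitly replaces the implicit default audience (the issuer URL), so kube-apiserver now accepts service-account tokens whose audience is `istio-ca` and, on aws, `sts.amazonaws.com`; a projected token a workload hands to AWS STS is thereby also a valid credential against this API server, which enlarges what a leaked IRSA token can do. If that trade-off is intended it deserves a comment on the line, e.g. `# tokens minted for these audiences are also accepted by kube-apiserver; keep the list minimal`; if not, check whether istio's TokenReview (which supplies its own audience) and IRSA (which only needs issuer/JWKS discovery) actually require the API server to trust those audiences. Bound tokens issued before this change carry the old default audience and will be rejected until kubelet rotates them — inferred, confirm on a test cluster. `service-account-issuer: "{{ .Values.serviceAccountIssuer }}"` renders as `""` when the value is unset; `service-account-issuer: {{ required "serviceAccountIssuer must be set" .Values.serviceAccountIssuer | quote }}` catches that at render time. The commented-out `goaway-chance` block is dead template code and should be deleted rather than kept as comments.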
@ -11,3 +11,6 @@ nodeRegistration:
|
|||||||
- KubeletVersion
|
- KubeletVersion
|
||||||
kubeletExtraArgs:
|
kubeletExtraArgs:
|
||||||
node-labels: {{ .Values.nodeLabels | quote }}
|
node-labels: {{ .Values.nodeLabels | quote }}
|
||||||
|
{{- with .Values.providerID }}
|
||||||
|
provider-id: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
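Review bot: `provider-id: {{ . }}` injects `.Values.providerID` unquoted into `kubeletExtraArgs`; provider IDs typically contain `:` and `/` (an `aws:///zone/instance-id` shape, constructed example), which is only safe as a plain scalar as long as no `: ` or ` #` sequence appears, so quote it the way `node-labels` above already does: `provider-id: {{ . | quote }}`. The identical block in the second `nodeRegistration` hunk below (`@ -15,3 +15,6 @@`) needs the same change. The enclosing `kubeletExtraArgs` mapping opens inside the hunk, so nothing else in this file is affected.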
@ -15,3 +15,6 @@ nodeRegistration:
|
|||||||
- KubeletVersion
|
- KubeletVersion
|
||||||
kubeletExtraArgs:
|
kubeletExtraArgs:
|
||||||
node-labels: {{ .Values.nodeLabels | quote }}
|
node-labels: {{ .Values.nodeLabels | quote }}
|
||||||
|
{{- with .Values.providerID }}
|
||||||
|
provider-id: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
|
{{- if .Values.disabledfor120 }}
|
||||||
apiVersion: node.k8s.io/v1
|
apiVersion: node.k8s.io/v1
|
||||||
kind: RuntimeClass
|
kind: RuntimeClass
|
||||||
metadata:
|
metadata:
|
||||||
@ -6,3 +7,4 @@ handler: runc
|
|||||||
overhead:
|
overhead:
|
||||||
podFixed:
|
podFixed:
|
||||||
memory: 16Mi
|
memory: 16Mi
|
||||||
|
{{- end }}
|
||||||
|
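Review bot: The guard `{{- if .Values.disabledfor120 }}` reads inverted: the RuntimeClass is rendered only when a value whose name says "disabled" is truthy. If the intent is to omit this resource on 1.20, negate the condition or rename the value; at minimum put a comment above it, e.g. `# RuntimeClass is rendered only when .Values.disabledfor120 is set — see values.yaml`. Where `disabledfor120` is defined and what it defaults to is not visible on this page. The `{{- end }}` added in the second hunk closes the guard opened in the first, so both hunks stand or fall together.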
13
charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
Normal file
13
charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
{{- if eq .Values.platform "aws" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: oidc-public
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:service-account-issuer-discovery
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: system:unauthenticated
|
||||||
|
{{- end }}
|
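Review bot: Binding `system:service-account-issuer-discovery` to `system:unauthenticated` lets anyone who can reach the API server read `/.well-known/openid-configuration` and `/openid/v1/jwks`; only public signing keys and the discovery document are exposed, and this is the usual way to let an external verifier (here AWS STS, given the `platform == aws` guard) validate projected tokens, but it only works while the apiserver's anonymous auth stays enabled (the default), and none of that is stated in the file. Add a comment above the binding, e.g. `# exposes only the OIDC discovery doc and JWKS (public keys) so STS can verify projected tokens; relies on anonymous-auth being enabled`. The file is named `20-oicd-public-rbac.yaml` while the binding is `oidc-public`; rename it to `20-oidc-public-rbac.yaml` before the typo spreads. If `serviceAccountIssuer` points somewhere other than the API server (for instance a public bucket serving the discovery documents), this binding is unnecessary — inferred, confirm against the issuer value.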