fix: JWT aud for istio, cleanup

charts/kubeadm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.20.1
+version: 1.20.8
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/kubeadm/templates/ClusterConfiguration.yaml

@@ -10,17 +10,10 @@ networking:
 etcd:
   local:
     extraArgs:
-      #name: {{ .Values.etcd.nodeName }}
       ### DNS discovery
       #discovery-srv: {{ .Values.domain }}
       #discovery-srv-name: {{ .Values.clusterName }}
       #initial-cluster:
-      ### Regular
-      #{{- if .Values.etcd.initialCluster }}
-      #initial-cluster: {{ .Values.etcd.initialCluster }}
-      #{{- end }}
-      #initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
-      #advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
       initial-cluster-token: etcd-{{ .Values.clusterName }}
       listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
       logger: "zap"
@@ -42,21 +35,21 @@ controllerManager:
     profiling: "false"
     bind-address: {{ .Values.listenAddress }}
     terminated-pod-gc-threshold: "300"
-    leader-elect: {{ .Values.highAvailable | quote }}
+    # leader-elect: {{ .Values.highAvailable | quote }}
     logging-format: json
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 scheduler:
   extraArgs:
     profiling: "false"
     bind-address: {{ .Values.listenAddress }}
-    leader-elect: {{ .Values.highAvailable | quote }}
+    # leader-elect: {{ .Values.highAvailable | quote }}
     logging-format: json
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 apiServer:
   certSANs:
   -  {{ regexSplit ":" .Values.api.endpoint -1 | first }}
   extraArgs:
-    etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
+    etcd-servers: {{ .Values.api.allEtcdEndpoints }}
     profiling: "false"
     audit-log-path: "/var/log/kubernetes/audit.log"
     audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
@@ -67,13 +60,18 @@ apiServer:
     tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
     admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
     {{- if eq .Values.platform "aws" }}
+    service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
+    service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
+    api-audiences: "istio-ca,sts.amazonaws.com"
     authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
+    {{- else }}
+    api-audiences: "istio-ca"
     {{- end }}
     feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
     enable-admission-plugins: NodeRestriction,EventRateLimit
-    {{- if .Values.highAvailable }}
-    goaway-chance: ".001"
-    {{- end }}
+    # {{- if .Values.highAvailable }}
+    # goaway-chance: ".001"
+    # {{- end }}
     logging-format: json
     {{- with .Values.api.extraArgs }}
     {{- toYaml . | nindent 4 }}

charts/kubeadm/templates/InitConfiguration.yaml

@@ -11,3 +11,6 @@ nodeRegistration:
   - KubeletVersion
   kubeletExtraArgs:
     node-labels: {{ .Values.nodeLabels | quote }}
+    {{- with .Values.providerID }}
+    provider-id: {{ . }}
+    {{- end }}

charts/kubeadm/templates/JoinConfiguration.yaml

@@ -15,3 +15,6 @@ nodeRegistration:
   - KubeletVersion
   kubeletExtraArgs:
     node-labels: {{ .Values.nodeLabels | quote }}
+    {{- with .Values.providerID }}
+    provider-id: {{ . }}
+    {{- end }}

charts/kubeadm/templates/resources/10-runtimeClass.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.disabledfor120 }}
 apiVersion: node.k8s.io/v1
 kind: RuntimeClass
 metadata:
@@ -6,3 +7,4 @@ handler: runc
 overhead:
   podFixed:
     memory: 16Mi
+{{- end }}

charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml

@@ -0,0 +1,13 @@
+{{- if eq .Values.platform "aws" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-public
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:service-account-issuer-discovery
+subjects:
+  - kind: Group
+    name: system:unauthenticated
+{{- end }}