apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.global.clusterName }}
#featureGates:
#  NonGracefulFailover: true
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
  podSubnet: 10.244.0.0/16
etcd:
  local:
    # imageTag: 3.5.12-0
    extraArgs:
      - name: advertise-client-urls
        value: https://{{ .Values.etcd.nodeName }}:2379
      - name: initial-advertise-peer-urls
        value: https://{{ .Values.etcd.nodeName }}:2380
      - name: initial-cluster
        value: {{ include "kubeadm.etcd.initialCluster" .Values.etcd | quote }}
      - name: initial-cluster-state
        value: {{ .Values.etcd.state }}
      - name: initial-cluster-token
        value: etcd-{{ .Values.global.clusterName }}
      - name: name
        value: {{ .Values.etcd.nodeName }}
      - name: listen-peer-urls
        value: https://{{ .Values.listenAddress }}:2380
      - name: listen-client-urls
        value: https://{{ .Values.listenAddress }}:2379
      - name: listen-metrics-urls
        value: http://0.0.0.0:2381
      - name: logger
        value: zap
      - name: log-level
        value: warn
      ### DNS discovery
      #- name: discovery-srv
      #  value: {{ .Values.domain }}
      #- name: discovery-srv-name
      #  value: {{ .Values.global.clusterName }}
      {{- with .Values.etcd.extraArgs }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    serverCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
    peerCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
controllerManager:
  extraArgs:
    - name: profiling
      value: "false"
    - name: terminated-pod-gc-threshold
      value: "300"
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
scheduler:
  extraArgs:
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    - name: leader-elect
      value: {{ .Values.global.highAvailable | quote }}
    - name: logging-format
      value: json
    - name: profiling
      value: "false"
apiServer:
  certSANs:
  -  {{ regexSplit ":" .Values.api.endpoint -1 | first }}
  extraArgs:
    - name: profiling
      value: "false"
    - name: etcd-servers
      value: {{ .Values.api.etcdServers }}
    - name: audit-log-path
      value: /var/log/kubernetes/audit.log
    - name: audit-policy-file
      value: /etc/kubernetes/apiserver/audit-policy.yaml
    - name: audit-log-maxage
      value: "7"
    - name: audit-log-maxsize
      value: "100"
    - name: audit-log-maxbackup
      value: "1"
    - name: audit-log-compress
      value: "true"
    {{- if .Values.api.falco.enabled }}
    - name: audit-webhook-config-file
      value: /etc/kubernetes/apiserver/audit-webhook.yaml
    {{- end }}
    - name: tls-cipher-suites
      value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    - name: admission-control-config-file
      value: /etc/kubernetes/apiserver/admission-configuration.yaml
    - name: api-audiences
      value: {{ .Values.api.apiAudiences }}
    {{- if .Values.api.serviceAccountIssuer }}
    - name: service-account-issuer
      value: "{{ .Values.api.serviceAccountIssuer }}"
    - name: service-account-jwks-uri
      value: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
    {{- end }}
    {{- if .Values.api.awsIamAuth }}
    - name: authentication-token-webhook-config-file
      value: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
    - name: authentication-token-webhook-cache-ttl
      value: 3600s
    - name: authentication-token-webhook-version
      value: v1
    {{- end }}
    - name: feature-gates
      value: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    - name: authorization-config
      value: /etc/kubernetes/apiserver/authz-config.yaml
    - name: enable-admission-plugins
      value: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration
    {{- if .Values.global.highAvailable }}
    - name: goaway-chance
      value: ".001"
    {{- end }}
    - name: logging-format
      value: json
    {{- with .Values.api.extraArgs }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  extraVolumes:
  - name: kubezero-apiserver
    hostPath: /etc/kubernetes/apiserver
    mountPath: /etc/kubernetes/apiserver
    readOnly: true
    pathType: DirectoryOrCreate
  - name: audit-log
    hostPath: /var/log/kubernetes
    mountPath: /var/log/kubernetes
    pathType: DirectoryOrCreate