apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: {{ .Chart.Version }}
clusterName: {{ .Values.global.clusterName }}
#featureGates:
#  NonGracefulFailover: true
controlPlaneEndpoint: {{ .Values.api.endpoint }}
networking:
  podSubnet: 10.244.0.0/16
etcd:
  local:
    imageTag: 3.5.4-0
    extraArgs:
      ### DNS discovery
      #discovery-srv: {{ .Values.domain }}
      #discovery-srv-name: {{ .Values.global.clusterName }}
      advertise-client-urls: https://{{ .Values.etcd.nodeName }}:2379
      initial-advertise-peer-urls: https://{{ .Values.etcd.nodeName }}:2380
      initial-cluster: {{ include "kubeadm.etcd.initialCluster" .Values.etcd | quote }}
      initial-cluster-state: {{ .Values.etcd.state }}
      initial-cluster-token: etcd-{{ .Values.global.clusterName }}
      name: {{ .Values.etcd.nodeName }}
      listen-peer-urls: https://{{ .Values.listenAddress }}:2380
      listen-client-urls: https://{{ .Values.listenAddress }}:2379
      listen-metrics-urls: http://0.0.0.0:2381
      logger: zap
      # log-level: "warn"
      {{- with .Values.etcd.extraArgs }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    serverCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
    peerCertSANs:
    - "{{ .Values.etcd.nodeName }}"
    - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}"
    - "{{ .Values.domain }}"
controllerManager:
  extraArgs:
    profiling: "false"
    terminated-pod-gc-threshold: "300"
    leader-elect: {{ .Values.global.highAvailable | quote }}
    logging-format: json
    feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
scheduler:
  extraArgs:
    profiling: "false"
    leader-elect: {{ .Values.global.highAvailable | quote }}
    logging-format: json
    feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
apiServer:
  certSANs:
  -  {{ regexSplit ":" .Values.api.endpoint -1 | first }}
  extraArgs:
    etcd-servers: {{ .Values.api.etcdServers }}
    profiling: "false"
    audit-log-path: "/var/log/kubernetes/audit.log"
    audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
    audit-log-maxage: "7"
    audit-log-maxsize: "100"
    audit-log-maxbackup: "3"
    audit-log-compress: "true"
    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
    api-audiences: {{ .Values.api.apiAudiences }}
    {{- if .Values.api.serviceAccountIssuer }}
    service-account-issuer: "{{ .Values.api.serviceAccountIssuer }}"
    service-account-jwks-uri: "{{ .Values.api.serviceAccountIssuer }}/openid/v1/jwks"
    {{- end }}
    {{- if .Values.api.awsIamAuth.enabled }}
    authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
    {{- end }}
    feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" ) | trimSuffix "," | quote }}
    enable-admission-plugins: DenyServiceExternalIPs,NodeRestriction,EventRateLimit,ExtendedResourceToleration
    # {{- if .Values.global.highAvailable }}
    # goaway-chance: ".001"
    # {{- end }}
    logging-format: json
    {{- with .Values.api.extraArgs }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  extraVolumes:
  - name: kubezero-apiserver
    hostPath: /etc/kubernetes/apiserver
    mountPath: /etc/kubernetes/apiserver
    readOnly: true
    pathType: DirectoryOrCreate
  - name: audit-log
    hostPath: /var/log/kubernetes
    mountPath: /var/log/kubernetes
    pathType: DirectoryOrCreate