From 61add69904e61e5cb24dac44ed5a504a645f90c9 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Tue, 29 Jun 2021 17:39:44 +0200
Subject: [PATCH] fix: JWT aud for istio, cleanup

---
 charts/kubeadm/Chart.yaml | 2 +-
 .../templates/ClusterConfiguration.yaml | 24 +++++++++----------
 .../kubeadm/templates/InitConfiguration.yaml | 3 +++
 .../kubeadm/templates/JoinConfiguration.yaml | 3 +++
 .../templates/resources/10-runtimeClass.yaml | 2 ++
 .../resources/20-oicd-public-rbac.yaml | 13 ++++++++++
 6 files changed, 33 insertions(+), 14 deletions(-)
 create mode 100644 charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml
index dd5eeb1..1918978 100644
--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.20.1
+version: 1.20.8
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml
index 43820e9..9d424bc 100644
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
@@ -10,17 +10,10 @@ networking:
 etcd:
 local:
 extraArgs:
- #name: {{ .Values.etcd.nodeName }}
 ### DNS discovery
 #discovery-srv: {{ .Values.domain }}
 #discovery-srv-name: {{ .Values.clusterName }}
 #initial-cluster:
- ### Regular
- #{{- if .Values.etcd.initialCluster }}
- #initial-cluster: {{ .Values.etcd.initialCluster }}
- #{{- end }}
- #initial-advertise-peer-urls: "https://{{ .Values.etcd.nodeName }}:2380"
- #advertise-client-urls: "https://{{ .Values.etcd.nodeName }}:2379"
 initial-cluster-token: etcd-{{ .Values.clusterName }}
 listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
 logger: "zap"
@@ -42,21 +35,21 @@ controllerManager:
 profiling: "false"
 bind-address: {{ .Values.listenAddress }}
 terminated-pod-gc-threshold: "300"
- leader-elect: {{ .Values.highAvailable | quote }}
+ # leader-elect: {{ .Values.highAvailable | quote }}
 logging-format: json
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 scheduler:
 extraArgs:
 profiling: "false"
 bind-address: {{ .Values.listenAddress }}
- leader-elect: {{ .Values.highAvailable | quote }}
+ # leader-elect: {{ .Values.highAvailable | quote }}
 logging-format: json
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 apiServer:
 certSANs:
 - {{ regexSplit ":" .Values.api.endpoint -1 | first }}
 extraArgs:
- etcd-servers: {{ ternary .Values.api.allEtcdEndpoints "https://127.0.0.1:2379" .Values.highAvailable }}
+ etcd-servers: {{ .Values.api.allEtcdEndpoints }}
 profiling: "false"
 audit-log-path: "/var/log/kubernetes/audit.log"
 audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
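Review bot: `etcd-servers: {{ .Values.api.allEtcdEndpoints }}` renders an empty value when `api.allEtcdEndpoints` is unset, whereas the removed ternary fell back to `https://127.0.0.1:2379` for non-HA clusters; the unset case should fail at template time instead of handing kube-apiserver an empty `--etcd-servers`, e.g. `etcd-servers: {{ required "api.allEtcdEndpoints must be set" .Values.api.allEtcdEndpoints | quote }}`. The two `# leader-elect: {{ .Values.highAvailable | quote }}` lines are YAML comments, not template comments, so the expression is still evaluated on every render and only produces a dead comment line; since the first hunk of this file already deletes similar stale lines, delete these as well (the same applies to the `# {{- if .Values.highAvailable }}` goaway-chance block in the next hunk). Dropping `leader-elect` presumably means relying on the component's built-in default, which would be worth a one-line comment so the intent survives the cleanup.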
@@ -67,13 +60,18 @@ apiServer:
 tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
 admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
 {{- if eq .Values.platform "aws" }}
+ service-account-issuer: "{{ .Values.serviceAccountIssuer }}"
+ service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks"
+ api-audiences: "istio-ca,sts.amazonaws.com"
 authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
+ {{- else }}
+ api-audiences: "istio-ca"
 {{- end }}
 feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
 enable-admission-plugins: NodeRestriction,EventRateLimit
- {{- if .Values.highAvailable }}
- goaway-chance: ".001"
- {{- end }}
+ # {{- if .Values.highAvailable }}
+ # goaway-chance: ".001"
+ # {{- end }}
 logging-format: json
 {{- with .Values.api.extraArgs }}
 {{- toYaml . | nindent 4 }}
diff --git a/charts/kubeadm/templates/InitConfiguration.yaml b/charts/kubeadm/templates/InitConfiguration.yaml
index 466ba00..969e9bf 100644
--- a/charts/kubeadm/templates/InitConfiguration.yaml
+++ b/charts/kubeadm/templates/InitConfiguration.yaml
@@ -11,3 +11,6 @@ nodeRegistration:
 - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml
index 017f497..72953b8 100644
--- a/charts/kubeadm/templates/JoinConfiguration.yaml
+++ b/charts/kubeadm/templates/JoinConfiguration.yaml
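Review bot: Setting `api-audiences` explicitly replaces kube-apiserver's default audience list, which is the issuer URL alone, so a token requested with the issuer as its audience is no longer accepted; if any client relies on that, the issuer belongs in the list, `api-audiences: "{{ .Values.serviceAccountIssuer }},istio-ca,sts.amazonaws.com"`. The larger concern is that a projected token requested without an explicit audience inherits the full `api-audiences` list, so on the aws branch the default pod token would, as far as I can tell, be valid for the API server, Istio CA and STS at once, and a token leaked from one of those consumers stays usable against the others; audience scoping only isolates consumers when each volume requests its own audience, so confirm the IRSA and Istio volumes do and consider restricting `api-audiences` to what the API server itself must accept. The non-aws branch sets `api-audiences: "istio-ca"` without a `service-account-issuer`, so it depends on whatever issuer kubeadm configures by default; a comment stating that dependency would help. The `extraArgs` mapping these lines belong to starts before the hunk.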
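Review bot: `provider-id: {{ . }}` emits the value as a plain scalar, unlike `node-labels: {{ .Values.nodeLabels | quote }}` directly above it, so a provider ID containing a YAML-significant sequence would change the rendered document instead of the argument; quote it for consistency, `provider-id: {{ . | quote }}`. The same three lines are added to JoinConfiguration.yaml in the next hunk and need the same change.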
@@ -15,3 +15,6 @@ nodeRegistration:
 - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/resources/10-runtimeClass.yaml b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
index ed979d2..54610a4 100644
--- a/charts/kubeadm/templates/resources/10-runtimeClass.yaml
+++ b/charts/kubeadm/templates/resources/10-runtimeClass.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.disabledfor120 }}
 apiVersion: node.k8s.io/v1
 kind: RuntimeClass
 metadata:
@@ -6,3 +7,4 @@ handler: runc
 overhead:
 podFixed:
 memory: 16Mi
+{{- end }}
diff --git a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
new file mode 100644
index 0000000..927881b
--- /dev/null
+++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
@@ -0,0 +1,13 @@
+{{- if eq .Values.platform "aws" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-public
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:service-account-issuer-discovery
+subjects:
+ - kind: Group
+ name: system:unauthenticated
+{{- end }}
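Review bot: `{{- if .Values.disabledfor120 }}` gates the RuntimeClass on a value whose name reads as a disable switch but which enables the resource when truthy, and nothing in this patch sets it, so the apparent effect is that the RuntimeClass is never rendered. If the resource is meant to be parked, either delete the file or gate it on a positively named value with a comment, e.g. `{{- /* RuntimeClass parked; re-enable via runtimeClass.enabled once it works on 1.20 */ -}}` followed by `{{- if .Values.runtimeClass.enabled }}`, so the next reader does not have to guess.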
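Review bot: Binding `system:service-account-issuer-discovery` to `system:unauthenticated` deliberately exposes the issuer's `/.well-known/openid-configuration` and `/openid/v1/jwks` endpoints to anonymous callers, which the STS federation configured on the aws branch needs, but the file says nothing about why; add `# Lets external verifiers (AWS STS) fetch the service-account OIDC discovery document and JWKS anonymously; public keys only` above `apiVersion`. The binding only has effect while anonymous authentication stays enabled on the API server, which this patch does not touch, so that assumption belongs in the same comment. The filename spells `oicd` while the resource is named `oidc-public`; renaming the file to `20-oidc-public-rbac.yaml` keeps the two greppable by the same term.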