From 9b823dc082269d0510c2768c77718521c0d072bb Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Mon, 22 Feb 2021 14:41:32 +0100
Subject: [PATCH] Make kubeadm config work on bare-metal, minor tuning
---
 charts/kubeadm/Chart.yaml | 2 +-
 charts/kubeadm/templates/ClusterConfiguration.yaml | 12 ++++++++----
 charts/kubeadm/templates/KubeProxyConfiguration.yaml | 2 +-
 charts/kubeadm/templates/KubeletConfiguration.yaml | 9 ++++++++-
 charts/kubeadm/templates/admin-kubectl.yaml | 2 ++
 .../templates/aws-iam-authenticator/crds.yaml | 2 ++
 .../templates/aws-iam-authenticator/deployment.yaml | 2 ++
 .../templates/aws-iam-authenticator/mappings.yaml | 2 ++
 charts/kubeadm/values.yaml | 6 ++++++
 9 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml
index 524cfba..c73bea0 100644
--- a/charts/kubeadm/Chart.yaml
+++ b/charts/kubeadm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubeadm
 description: KubeZero Kubeadm golden config
 type: application
-version: 1.19.7
+version: 1.19.8
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml
index a5d736a..e605021 100644
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
@@ -10,7 +10,7 @@ networking:
 etcd:
 local:
 extraArgs:
- listen-metrics-urls: "http://0.0.0.0:2381"
+ listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381"
 unsafe-no-fsync: "true"
 logger: "zap"
 {{- with .Values.etcdExtraArgs }}
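Review bot: The new `listen-metrics-urls` template keeps etcd's metrics listener on plain, unauthenticated HTTP, and since values.yaml defaults `listenAddress` to `0.0.0.0` the endpoint is still reachable from every interface on a default install — the commit only makes the address configurable, it does not narrow it. If nothing scrapes etcd off-host, `127.0.0.1` is the safer default; otherwise document why it stays open. The value is also spliced into a URL without brackets, so an IPv6 `listenAddress` such as `::` would render `http://:::2381`, which etcd will not accept; either note `# IPv4 literal or hostname only` next to the line or render `{{ .Values.listenAddress }}` through a helper that brackets IPv6 addresses.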
@@ -19,14 +19,14 @@ etcd:
 controllerManager:
 extraArgs:
 profiling: "false"
- bind-address: 0.0.0.0
+ bind-address: {{ .Values.listenAddress }}
 terminated-pod-gc-threshold: "300"
 leader-elect: {{ .Values.clusterHighAvailable | quote }}
 logging-format: json
 scheduler:
 extraArgs:
 profiling: "false"
- bind-address: 0.0.0.0
+ bind-address: {{ .Values.listenAddress }}
 leader-elect: {{ .Values.clusterHighAvailable | quote }}
 logging-format: json
 apiServer:
@@ -35,7 +35,6 @@ apiServer:
 extraArgs:
 etcd-servers: {{ .Values.allEtcdEndpoints }}
 profiling: "false"
- feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
 audit-log-path: "/var/log/kubernetes/audit.log"
 audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
 audit-log-maxage: "7"
@@ -43,7 +42,12 @@ apiServer:
 audit-log-maxbackup: "3"
 tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
 admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
+ {{- if eq .Values.platform "aws" }}
 authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
+ feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
+ {{- else }}
+ feature-gates: "DefaultPodTopologySpread=true"
+ {{- end }}
 enable-admission-plugins: NodeRestriction,EventRateLimit
 {{- if .Values.clusterHighAvailable }}
 goaway-chance: ".001"
diff --git a/charts/kubeadm/templates/KubeProxyConfiguration.yaml b/charts/kubeadm/templates/KubeProxyConfiguration.yaml
index 6ca5945..8d30d72 100644
--- a/charts/kubeadm/templates/KubeProxyConfiguration.yaml
+++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml
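Review bot: The two new `bind-address: {{ .Values.listenAddress }}` lines are unquoted templated scalars inside `extraArgs`, which kubeadm decodes as `map[string]string`; an unset or empty `listenAddress` renders as `bind-address:` (YAML null) and fails decoding instead of giving a clear error, so write them as `bind-address: "{{ .Values.listenAddress }}"` like the other templated values in this file. Separately, the controller-manager and scheduler still bind their secure serving ports on all interfaces with the values.yaml default of `0.0.0.0`; the usual hardening guidance (CIS Kubernetes benchmark) is `127.0.0.1` unless an external scraper needs these ports, which is worth stating in a comment on the value or choosing as the default for the bare-metal case this commit introduces.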
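Review bot: The new platform branch tests only `eq .Values.platform "aws"`, so any other value — including a misspelling such as `bare_metal` or `aws ` with trailing whitespace — silently takes the else path, drops `authentication-token-webhook-config-file`, and leaves the API server authenticating solely by client certificates with no indication that this was unintended. Since values.yaml names exactly two supported values, make the template enforce them: change `{{- else }}` to `{{- else if eq .Values.platform "bare-metal" }}` and add `{{- else }}{{ fail (printf "unsupported platform %q" .Values.platform) }}` before the `{{- end }}`. The same `eq "aws"` guard is repeated in four other templates in this commit, so a single loud failure here protects all of them.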
@@ -2,5 +2,5 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 metadata:
 name: kubezero-kubeproxyconfiguration
-metricsBindAddress: "0.0.0.0:10249"
+metricsBindAddress: "{{ .Values.listenAddress }}:10249"
 mode: ""
diff --git a/charts/kubeadm/templates/KubeletConfiguration.yaml b/charts/kubeadm/templates/KubeletConfiguration.yaml
index 9577961..c582d01 100644
--- a/charts/kubeadm/templates/KubeletConfiguration.yaml
+++ b/charts/kubeadm/templates/KubeletConfiguration.yaml
@@ -7,13 +7,20 @@ cgroupDriver: cgroupfs
 logging:
 format: json
 hairpinMode: hairpin-veth
+{{- if .Values.systemd }}
 resolvConf: /run/systemd/resolve/resolv.conf
-protectKernelDefaults: true
+{{- end }}
+protectKernelDefaults: {{ .Values.protectKernelDefaults }}
 eventRecordQPS: 0
 # Breaks kubelet at boot time
 # tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
 # tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
 tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
+{{- if eq .Values.platform "aws" }}
 featureGates:
 CSIMigrationAWS: true
 CSIMigrationAWSComplete: true
+{{- end }}
+kubeReserved:
+ cpu=50m
+ memory=128m
diff --git a/charts/kubeadm/templates/admin-kubectl.yaml b/charts/kubeadm/templates/admin-kubectl.yaml
index 4460518..bdbf724 100644
--- a/charts/kubeadm/templates/admin-kubectl.yaml
+++ b/charts/kubeadm/templates/admin-kubectl.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.platform "aws" }}
 apiVersion: v1
 kind: Config
 clusters:
@@ -23,3 +24,4 @@ users:
 - "{{ .Values.clusterName }}"
 - "-r"
 - "{{ .Values.kubeAdminRole }}"
+{{- end }}
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml b/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
index 7ff85f7..c1977a8 100644
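Review bot: The added `kubeReserved:` block is not a mapping: the two indented lines `cpu=50m` and `memory=128m` contain no `: `, so YAML folds them into the single plain scalar `"cpu=50m memory=128m"`, and a string cannot be decoded into the `map[string]string` that KubeletConfiguration declares for this field — kubeadm will reject the rendered config, or at best reserve nothing. Independently, `128m` in Kubernetes quantity notation is 128 milli-bytes, not 128 MiB. The intended lines are presumably `kubeReserved:` / `  cpu: 50m` / `  memory: 128Mi`; a `helm template | kubeadm config validate` style check in CI would have caught both. The `protectKernelDefaults` change itself is fine, but since it is now operator-tunable, a one-line `# set to false only if the node's sysctls are managed elsewhere; weakens CIS 4.2.6` above it would keep the hardening intent visible in the rendered file.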
--- a/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
+++ b/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.platform "aws" }}
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -30,3 +31,4 @@ spec:
 type: array
 items:
 type: string
+{{- end }}
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml b/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
index 102e215..fe40f3c 100644
--- a/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
+++ b/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.platform "aws" }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -151,3 +152,4 @@ spec:
 - name: state
 hostPath:
 path: /var/aws-iam-authenticator/
+{{- end }}
diff --git a/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml b/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml
index 0785bc1..41df122 100644
--- a/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml
+++ b/charts/kubeadm/templates/aws-iam-authenticator/mappings.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.platform "aws" }}
 # Controller role which is more or less cluster-admin once enrolled
 apiVersion: iamauthenticator.k8s.aws/v1alpha1
 kind: IAMIdentityMapping
@@ -32,3 +33,4 @@ spec:
 username: kubernetes-admin
 groups:
 - system:masters
+{{- end }}
diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml
index b3bd790..fb27499 100644
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
@@ -1,7 +1,13 @@
 clusterVersion: 1.19.0
+listenAddress: 0.0.0.0
 clusterName: pleasechangeme
 apiEndpoint: kube-api.changeme.org:6443
 etcdExtraArgs: {}
 apiExtraArgs: {}
 clusterHighAvailable: false
 allEtcdEndpoints: ""
+# supported values aws,bare-metal
+platform: "aws"
+# Set to false for openrc, eg. on Gentoo or Alpine
+systemd: true
+protectKernelDefaults: true
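Review bot: `listenAddress: 0.0.0.0` is added without any comment, yet it now decides where etcd's plain-HTTP metrics, the controller-manager and scheduler secure ports, and kube-proxy's metrics bind, and the default keeps all of them on every interface. Give operators the context in place: `# Bind address for etcd metrics (plain HTTP, no auth), controller-manager, scheduler and kube-proxy metrics. 0.0.0.0 exposes them on all interfaces; use 127.0.0.1 unless they are scraped from another host`. The `platform` comment advertises `bare-metal` as a supported value, but no template in this commit tests for that string — only for `aws` — so either say so (`# anything other than "aws" is treated as bare-metal`) or validate the value in the templates. `protectKernelDefaults` likewise deserves a short note that `false` lets the kubelet rewrite kernel sysctls and drops a standard hardening control, so nobody flips it to silence a boot error without knowing the cost.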