authorChristian Pointner <equinox@spreadspace.org>2020-02-01 02:48:06 +0100
committerChristian Pointner <equinox@spreadspace.org>2020-02-01 02:48:06 +0100
commit844bc9826f652d6bebe55c66e44eb69bd89575bf (patch)
tree5c60fe1648e5a1db4b54c4ce02e72c4cf0bd8939 /roles/kubernetes/kubeadm/master/templates
parentupdated all nexcloud instances on sk-cloudia (diff)
parentkubernetes standalone with docker (diff)
Merge branch 'topic/kubernetes-ng'
Diffstat (limited to 'roles/kubernetes/kubeadm/master/templates')
-rw-r--r--roles/kubernetes/kubeadm/master/templates/encryption-config.j213
-rw-r--r--roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j234
-rw-r--r--roles/kubernetes/kubeadm/master/templates/kubeadm.config.j245
3 files changed, 58 insertions, 34 deletions
diff --git a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2 b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
new file mode 100644
index 00000000..345c9bf9
--- /dev/null
+++ b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
@@ -0,0 +1,13 @@
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
+resources:
+ - resources:
+ - secrets
+ providers:
+ - secretbox:
+ keys:
+{% for key in kubernetes_secrets.encryption_config_keys %}
+ - name: key{{ loop.index }}
+ secret: {{ key }}
+{% endfor %}
+ - identity: {}
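Review bot: The templated key material on the `secret:` line is emitted as a plain scalar, so any value that happens to start with a YAML indicator or look like a number would be re-typed or break the parse; `secret: "{{ key }}"` keeps every key a string regardless of its encoding. Listing `identity: {}` after `secretbox` is the documented read-migration order (the first provider encrypts new writes, later ones are only tried on read), so Secrets written before this config took effect stay plaintext in etcd until they are re-written; a comment such as `{# identity last: reads legacy plaintext Secrets; rewrite existing Secrets after rollout #}` would record that. The rendered file contains the encryption keys themselves, so the task that writes it should set a restrictive mode, which is outside this hunk and cannot be verified here. The indentation of the sequence entries looks flattened in this rendering, so nesting could not be checked.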
diff --git a/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2 b/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
deleted file mode 100644
index 07c4dddd..00000000
--- a/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-{# https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1 #}
-apiVersion: kubeadm.k8s.io/v1beta1
-kind: ClusterConfiguration
-kubernetesVersion: v{{ kubernetes.version }}
-clusterName: {{ kubernetes.cluster_name }}
-certificatesDir: /etc/kubernetes/pki
-{% if kubernetes.api_advertise_ip %}
-controlPlaneEndpoint: "{{ kubernetes.api_advertise_ip }}:6443"
-{% endif %}
-imageRepository: k8s.gcr.io
-networking:
- dnsDomain: cluster.local
- podSubnet: {{ kubernetes.pod_ip_range }}
- serviceSubnet: {{ kubernetes.service_ip_range }}
-etcd:
- local:
- dataDir: /var/lib/etcd
-apiServer:
-{% if kubernetes.api_extra_sans | length > 0 %}
- certSANs:
-{% for san in kubernetes.api_extra_sans %}
- - {{ san }}
-{% endfor %}
-{% endif %}
- extraArgs:
-{% if kubernetes.api_advertise_ip %}
- advertise-address: {{ kubernetes.api_advertise_ip }}
-{% endif %}
- authorization-mode: Node,RBAC
- timeoutForControlPlane: 4m0s
-controllerManager: {}
-scheduler: {}
-dns:
- type: CoreDNS
diff --git a/roles/kubernetes/kubeadm/master/templates/kubeadm.config.j2 b/roles/kubernetes/kubeadm/master/templates/kubeadm.config.j2
new file mode 100644
index 00000000..f48a34f3
--- /dev/null
+++ b/roles/kubernetes/kubeadm/master/templates/kubeadm.config.j2
@@ -0,0 +1,45 @@
+{# https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 #}
+{# #}
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: InitConfiguration
+{# TODO: this is ugly but we want to create our own token so we can #}
+{# better control it's lifetime #}
+bootstrapTokens:
+- ttl: "1s"
+localAPIEndpoint:
+ bindPort: 6442
+{% if kubernetes_overlay_node_ip is defined %}
+ advertiseAddress: {{ kubernetes_overlay_node_ip }}
+{% endif %}
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: {{ kubernetes_version }}
+clusterName: {{ kubernetes.cluster_name }}
+imageRepository: k8s.gcr.io
+controlPlaneEndpoint: 127.0.0.1:6443
+networking:
+ dnsDomain: {{ kubernetes.dns_domain | default('cluster.local') }}
+ podSubnet: {{ kubernetes.pod_ip_range }}
+ serviceSubnet: {{ kubernetes.service_ip_range }}
+apiServer:
+ # extraArgs:
+ # encryption-provider-config: /etc/kubernetes/encryption/config
+ # extraVolumes:
+ # - name: encryption-config
+ # hostPath: /etc/kubernetes/encryption
+ # mountPath: /etc/kubernetes/encryption
+ # readOnly: true
+ # pathType: Directory
+{% if (kubernetes.api_extra_sans | default([]) | length) == 0 %}
+ certSANs: []
+{% else %}
+ certSANs:
+ {{ kubernetes.api_extra_sans | to_nice_yaml | indent(width=2) }}
+{% endif %}
+controllerManager:
+ extraArgs:
+ node-cidr-mask-size: "{{ kubernetes.pod_ip_range_size }}"
+scheduler: {}
+dns:
+ type: CoreDNS
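Review bot: The `extraArgs` / `extraVolumes` entries under `apiServer` that would pass `encryption-provider-config` are commented out, so the EncryptionConfiguration rendered by the new encryption-config.j2 in this same commit is never loaded and Secrets continue to be stored in etcd unencrypted. If this is deliberate staging, a Jinja comment stating why and what enables it would prevent the encryption config from being mistaken for active; otherwise the eight commented lines should be uncommented, with the `pathType: Directory` and `readOnly: true` values kept. Separately, `kubernetesVersion: {{ kubernetes_version }}` is an unquoted templated scalar; a two-component value such as 1.17 would parse as a float, so `kubernetesVersion: "{{ kubernetes_version }}"` is safer, and the same applies to `dnsDomain`, `podSubnet` and `serviceSubnet`. The `bootstrapTokens` entry with `ttl: "1s"` appears intended to let the role manage its own token, as the comment above it says; if so the documentation could state where that replacement token is created.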