From ddc8db7956cbf68afb1bb49401827e9b55ab139f Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 11 Jan 2020 03:35:03 +0100
Subject: kubernetes: new/updated kubeadm master role (WIP)
---
 .../kubeadm/master/templates/encryption-config.j2 | 13 ++++++++
 .../master/templates/kubeadm-cluster.config.j2 | 39 ++++++++++++++--------
 2 files changed, 39 insertions(+), 13 deletions(-)
 create mode 100644 roles/kubernetes/kubeadm/master/templates/encryption-config.j2
(limited to 'roles/kubernetes/kubeadm/master/templates')
diff --git a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2 b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
new file mode 100644
index 00000000..a69ae84b
--- /dev/null
+++ b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
@@ -0,0 +1,13 @@
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
+resources:
+ - resources:
+ - secrets
+ providers:
+ - secretbox:
+ keys:
+{% for key in kubernetes.encryption_config_keys %}
+ - name: key{{ loop.index }}
+ secret: {{ key }}
+{% endfor %}
+ - identity: {}
diff --git a/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2 b/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
index 5ec18614..78e9d7a7 100644
--- a/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
+++ b/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
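Review bot: `secret: {{ key }}` on the secretbox key entries is rendered as a plain scalar, so a key value that happens to start with a YAML indicator or to look like a number would be retyped by the apiserver's YAML parser instead of being read as the intended string; quote it as `secret: "{{ key }}"`, the way the cluster config in this same commit quotes `node-cidr-mask-size`. If `kubernetes.encryption_config_keys` is empty the loop emits nothing and `keys:` renders as a null value rather than a list, which the apiserver will refuse at startup; an assertion on the list length in the role's tasks (outside this diff) or an `{% if %}` guard around the secretbox provider would fail earlier with a clearer message. The key order is also a contract worth recording above the loop, since — to be confirmed against the EncryptionConfiguration docs for the deployed apiserver version — the first listed key is the one used to encrypt new writes while later keys are decrypt-only, and the trailing `identity: {}` is what keeps still-unencrypted secrets readable until they are rewritten: `{# first key encrypts new secrets, later keys are decrypt-only for rotation; identity last reads legacy plaintext #}`.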
@@ -1,34 +1,47 @@
 {# https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1 #}
+{# #}
+apiVersion: kubeadm.k8s.io/v1beta1
+kind: InitConfiguration
+{# TODO: this is ugly but we want to create our own token so we can #}
+{# better control it's lifetime #}
+bootstrapTokens:
+- ttl: "1s"
+---
 apiVersion: kubeadm.k8s.io/v1beta1
 kind: ClusterConfiguration
-kubernetesVersion: v{{ kubernetes_version }}
+kubernetesVersion: {{ kubernetes_version }}
 clusterName: {{ kubernetes.cluster_name }}
-certificatesDir: /etc/kubernetes/pki
+imageRepository: k8s.gcr.io
 {% if kubernetes.api_advertise_ip %}
 controlPlaneEndpoint: "{{ kubernetes.api_advertise_ip }}:6443"
 {% endif %}
-imageRepository: k8s.gcr.io
 networking:
 dnsDomain: cluster.local
 podSubnet: {{ kubernetes.pod_ip_range }}
 serviceSubnet: {{ kubernetes.service_ip_range }}
-etcd:
- local:
- dataDir: /var/lib/etcd
 apiServer:
-{% if kubernetes.api_extra_sans | length > 0 %}
+ extraArgs:
+{% if kubernetes.api_advertise_ip %}
+ advertise-address: {{ kubernetes.api_advertise_ip }}
+{% endif %}
+ encryption-provider-config: /etc/kubernetes/encryption/config
+ extraVolumes:
+ - name: encryption-config
+ hostPath: /etc/kubernetes/encryption
+ mountPath: /etc/kubernetes/encryption
+ readOnly: true
+ pathType: Directory
+{% if (kubernetes.api_extra_sans | length) == 0 %}
+ certSANs: []
+{% else %}
 certSANs:
 {% for san in kubernetes.api_extra_sans %}
 - {{ san }}
 {% endfor %}
 {% endif %}
+controllerManager:
 extraArgs:
-{% if kubernetes.api_advertise_ip %}
- advertise-address: {{ kubernetes.api_advertise_ip }}
-{% endif %}
- authorization-mode: Node,RBAC
- timeoutForControlPlane: 4m0s
-controllerManager: {}
+ node-cidr-mask-size: "{{ kubernetes_network_node_cidr_size }}"
 scheduler: {}
 dns:
 type: CoreDNS
--
cgit v1.2.3
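Review bot: The new `advertise-address: {{ kubernetes.api_advertise_ip }}` under `apiServer.extraArgs` and `kubernetesVersion: {{ kubernetes_version }}` (which just lost its `v` prefix) are both rendered unquoted, while `controlPlaneEndpoint` and the new `node-cidr-mask-size` in the same template are quoted; an IPv6 advertise address or a two-component version (e.g. a value rendering as `1.17`) would be parsed as something other than a string. Quote both for consistency: `advertise-address: "{{ kubernetes.api_advertise_ip }}"` and `kubernetesVersion: "{{ kubernetes_version }}"`. Adding `encryption-provider-config: /etc/kubernetes/encryption/config` makes that file a hard prerequisite for the apiserver to come up (the `readOnly: true` hostPath mount is the right shape for it), so the task rendering `encryption-config.j2` into that path must run before `kubeadm init` and the directory must already exist for `pathType: Directory`; that ordering lives in the role's tasks outside this diff and deserves a `{# rendered by the encryption-config task before kubeadm init #}` comment next to the volume. Dropping `authorization-mode: Node,RBAC` relies on kubeadm's default being the same value, which I believe it is for v1beta1, but a one-line comment would stop a later reader from taking the omission for a downgrade.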