feat(t8s-cluster/management-cluster): automatically roll cluster if c…

…erts are going to expire (#722)
teutonet · Feb 22, 2024 · 6fd3ab1 · 6fd3ab1
1 parent faaa9bb
commit 6fd3ab1
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 76 deletions.
diff --git a/...kubeadmnControlPlaneTemplate/_helpers.tpl → .../kubeadmControlPlaneTemplate/_helpers.tpl b/...kubeadmnControlPlaneTemplate/_helpers.tpl → .../kubeadmControlPlaneTemplate/_helpers.tpl
diff --git a/...nt-cluster/clusterClass/kubeadmControlPlaneTemplate/_kubeadmControlPlaneTemplateSpec.yaml b/...nt-cluster/clusterClass/kubeadmControlPlaneTemplate/_kubeadmControlPlaneTemplateSpec.yaml
@@ -0,0 +1,77 @@
+{{/*
+KubeadmControlPlaneTemplate is immutable. We need to create new versions during upgrades.
+Here we are generating a hash suffix.
+This function needs the whole `$` context to be able to use `.Files.Get`
+*/}}
+{{- define "t8s-cluster.clusterClass.kubeadmControlPlaneTemplate.spec" -}}
+rolloutBefore:
+  certificatesExpiryDays: 60
+kubeadmConfigSpec:
+  clusterConfiguration:
+    apiServer:
+      extraArgs:
+        admission-control-config-file: &admissionControlConfigFilePath /etc/kubernetes/admission-control-config.yaml
+        cloud-provider: external
+        enable-admission-plugins: AlwaysPullImages,EventRateLimit,NodeRestriction
+        profiling: 'false'
+        tls-cipher-suites: {{ include "t8s-cluster.clusterClass.tlsCipherSuites" (dict) }}
+        event-ttl: 4h
+      extraVolumes:
+        - hostPath: *admissionControlConfigFilePath
+          mountPath: *admissionControlConfigFilePath
+          name: admission-control-config
+          readOnly: true
+        - hostPath: &eventRateLimitConfigFilePath /etc/kubernetes/event-rate-limit-config.yaml
+          mountPath: *eventRateLimitConfigFilePath
+          name: event-rate-limit-config
+          readOnly: true
+    controllerManager:
+      extraArgs:
+        authorization-always-allow-paths: /healthz,/readyz,/livez,/metrics
+        bind-address: 0.0.0.0
+        cloud-provider: external
+        profiling: 'false'
+        terminated-pod-gc-threshold: '100'
+    etcd:
+      local:
+        extraArgs:
+          listen-metrics-urls: http://0.0.0.0:2381
+    scheduler:
+      extraArgs:
+        authorization-always-allow-paths: /healthz,/readyz,/livez,/metrics
+        bind-address: 0.0.0.0
+        profiling: 'false'
+  files: {{- include "t8s-cluster.patches.kubelet.patches" (dict "context" $) | nindent 4 }}
+    - content: |- {{- .Files.Get "files/admission-control-config.yaml" | nindent 8 }}
+      path: *admissionControlConfigFilePath
+    - content: |- {{- .Files.Get "files/event-rate-limit-config.yaml" | nindent 8 }}
+      path: *eventRateLimitConfigFilePath
+    - content: |- {{- .Files.Get "files/kube-proxy.patch.sh" | nindent 8 }}
+      path: /etc/kube-proxy-patch.sh
+      permissions: "0700"
+    - content: |- {{- .Files.Get "files/kube-proxy.config.yaml" | nindent 8 }}
+      path: /etc/kube-proxy-config.yaml
+    {{- if .Values.containerRegistryMirror.mirrorEndpoint }}
+      {{- include "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs" (dict "context" $) | nindent 4 }}
+    {{- end }}
+    - content: |- {{- include "t8s-cluster.clusterClass.containerdConfig.plugins" (dict "context" $ "gpu" false) | nindent 8 }}
+      path: /etc/containerd/conf.d/plugins.toml
+    {{- if .Values.global.injectedCertificateAuthorities }}
+    - content: |- {{- .Values.global.injectedCertificateAuthorities | nindent 8 }}
+      path: /usr/local/share/ca-certificates/injected-ca-certs.crt
+    {{- end }}
+  initConfiguration:
+    nodeRegistration:
+      kubeletExtraArgs: {{- include "t8s-cluster.clusterClass.kubeletExtraArgs" (dict) | nindent 8 }}
+      name: '{{ `{{ local_hostname }}` }}'
+    patches:
+      directory: {{ include "t8s-cluster.patches.directory" (dict) }}
+  joinConfiguration:
+    nodeRegistration:
+      kubeletExtraArgs: {{- include "t8s-cluster.clusterClass.kubeletExtraArgs" (dict) | nindent 8 }}
+      name: '{{ `{{ local_hostname }}` }}'
+    patches:
+      directory: {{ include "t8s-cluster.patches.directory" (dict) }}
+  preKubeadmCommands: {{- include "t8s-cluster.clusterClass.preKubeadmCommands" (dict "context" $) | nindent 4 }}
+  postKubeadmCommands: {{- include "t8s-cluster.clusterClass.postKubeadmCommands" (dict) | nindent 4 }}
+{{- end -}}
diff --git a/...Template/kubeadmControlPlaneTemplate.yaml → ...Template/kubeadmControlPlaneTemplate.yaml b/...Template/kubeadmControlPlaneTemplate.yaml → ...Template/kubeadmControlPlaneTemplate.yaml
@@ -6,5 +6,4 @@ metadata:
   labels: {{- include "common.labels.standard" $ | nindent 4 }}
 spec:
   template:
-    spec:
-      kubeadmConfigSpec: {{/* the full context is needed for .Files.Get */}}{{- include "t8s-cluster.clusterClass.kubeadmControlPlaneTemplate.spec" . | nindent 8 }}
+    spec: {{/* the full context is needed for .Files.Get */}}{{- include "t8s-cluster.clusterClass.kubeadmControlPlaneTemplate.spec" . | nindent 6 }}
diff --git a/...t-cluster/clusterClass/kubeadmnControlPlaneTemplate/_kubeadmControlPlaneTemplateSpec.yaml b/...t-cluster/clusterClass/kubeadmnControlPlaneTemplate/_kubeadmControlPlaneTemplateSpec.yaml