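---
# Helm template for the KubeadmConfigTemplate consumed by worker Machines.
# The output is rendered by Helm first (.Values.*) and then handed to each
# node by the kubeadm bootstrap provider, so every command below runs as root
# on the worker during first boot.
apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4
kind: KubeadmConfigTemplate
metadata:
  name: {{ .Values.clusterName }}-workers
spec:
  template:
    spec:
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            # The doubled-brace quoting makes Helm emit literal double braces,
            # so the rendered manifest keeps the on-node metadata expression
            # for the later templating pass instead of evaluating it here.
            node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
            # The static CPU manager needs an explicit CPU reservation, which
            # kube-reserved provides.
            cpu-manager-policy: static
            topology-manager-policy: best-effort
            kube-reserved: cpu=100m,memory=256Mi
          # Quoted: a plain scalar beginning with double braces would be read
          # as a YAML flow mapping.
          name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
      # Executed as root before `kubeadm join`.
      preKubeadmCommands:
{{- if .Values.networks }}
      # Without touching up /etc/hosts, kubeadm may pick the wrong
      # (i.e. provisioning network) address for the node IP
      - sed -i "1i $(ip -4 addr show dev {{ .Values.networks.baremetal.interface }} | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1) $(hostname)" /etc/hosts
{{- end }}
      # Repository signing keys are fetched over HTTPS; -f makes curl fail on
      # an HTTP error rather than piping an error page into apt-key.
      # NOTE: apt-key is deprecated in current apt releases; a move to
      # signed-by keyrings will eventually be needed.
      - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
      - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
      - curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
      - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
      - apt-get update -y
      - apt-get install -y ca-certificates
      - /usr/local/bin/install-container-runtime.sh
      # kubelet, kubeadm and kubectl are pinned to the single kubeVersion value.
      - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
      - systemctl enable --now kubelet
      # Executed as root after `kubeadm join` succeeded.
      postKubeadmCommands:
      - /usr/local/bin/harden_os.sh
      # This must be done after kubeadm as the cabpk provider relies
      # on files in /var/run, which won't persist after a reboot
      - /usr/local/bin/set_kernel_cmdline.sh
      files:
{{ include "cluster.containerRuntime" .Values | indent 6 }}
      - path: /etc/systemd/system/containerd.service.d/override.conf
        content: |
{{ $.Files.Get "resources/override.conf" | indent 10 }}
      # Both scripts below are run as root from postKubeadmCommands. 0755 keeps
      # them executable without being world-writable; a 0777 mode would let any
      # local account rewrite code that root later executes.
      - path: /usr/local/bin/harden_os.sh
        permissions: '0755'
        content: |
{{ $.Files.Get "resources/harden_os.sh" | indent 10 }}
      - path: /usr/local/bin/set_kernel_cmdline.sh
        permissions: '0755'
        content: |
{{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 10 }}
{{- if .Values.userData }}
      # Optional interactive access; only rendered when userData is set.
      users:
      - name: {{ .Values.userData.name }}
        shell: /bin/bash
        lockPassword: false # Necessary to allow password login
        # Must be a password hash (as the value name says), never plaintext.
        # Quoted so the templated value cannot be re-typed by the YAML parser.
        passwd: '{{ .Values.userData.hashedPassword }}'
        sshAuthorizedKeys:
        - '{{ .Values.userData.sshAuthorizedKey }}'
        # Password login combined with passwordless sudo makes this account
        # root-equivalent; the strength of the hash is its only protection.
        sudo: "ALL=(ALL) NOPASSWD:ALL"
        groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
      # The same key is also installed for direct root SSH login.
      - name: root
        sshAuthorizedKeys:
        - '{{ .Values.userData.sshAuthorizedKey }}'
{{- end }}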