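{{- /*
Renders one KubeadmControlPlane per entry of .Values.clusters.

Security notes for reviewers of this template:
  - The helper scripts written under /usr/local/bin are executed as root
    from postKubeadmCommands.  They are installed 0755 (writable by the
    owner only).  A world-writable mode would allow any local account to
    replace code that root runs.
  - Repository signing keys are fetched with "curl -fsSL" so that an HTTP
    error aborts instead of feeding an error page to apt-key.
  - The managed login gets passwordless sudo, password login and an SSH
    key; root accepts the same SSH key.  /etc/kubernetes/admin.conf
    (cluster-admin) is copied to the ubuntu and root home directories.
  - Scalars that come from values are rendered with "quote" so that an
    empty or number/boolean-looking value cannot change its YAML type.
*/ -}}
{{- range $clusterName, $cluster := .Values.clusters }}
---
apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
kind: KubeadmControlPlane
metadata:
  name: {{ $clusterName | quote }}
spec:
  kubeadmConfigSpec:
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          # The doubled braces are escaped so the expression survives Helm
          # and is expanded later by cloud-init from the node metadata.
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    joinConfiguration:
      controlPlane: {}
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    preKubeadmCommands:
{{- if $cluster.networks }}
    # Without touching up /etc/hosts, kubeadm may pick the wrong
    # (i.e. provisioning network) address for the node IP.  The first
    # IPv4 address on the baremetal interface is taken as the node IP;
    # nothing here checks that the interface actually has one.
    - sed -i "1i $(ip -4 addr show dev {{ $cluster.networks.baremetal.interface }} | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1) $(hostname)" /etc/hosts
{{- end }}
    # -f makes curl exit non-zero on an HTTP error so a failed key download
    # is not silently piped into apt-key.
    # NOTE(review): apt-key is deprecated on current Ubuntu releases in
    # favour of a signed-by keyring; kept as-is for compatibility.
    - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
    - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
    - curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
    # apt-get has a stable CLI for scripts; "apt" warns when used this way.
    - apt-get update
    - apt-get install -y ca-certificates
{{- if $cluster.keepalived }}
    - apt-get install -y keepalived
    - systemctl enable --now keepalived
{{- end }}
    - /usr/local/bin/install-container-runtime.sh
    # NOTE(review): kubeVersion pins the apt packages while k8sVersion
    # (spec.version below) is what CAPI is told; both are expected to
    # describe the same release -- verify in values.
    - apt-get install -y kubelet={{ $cluster.kubeVersion }} kubeadm={{ $cluster.kubeVersion }} kubectl={{ $cluster.kubeVersion }}
    - systemctl enable --now kubelet
    postKubeadmCommands:
    # admin.conf is the cluster-admin credential.  The target user is
    # hard-coded to "ubuntu" even though the managed user below is
    # userData.name; if no ubuntu account exists the chown fails.
    - mkdir -p /home/ubuntu/.kube
    - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
    - chown ubuntu:ubuntu /home/ubuntu/.kube/config
    - mkdir -p /root/.kube
    - cp /etc/kubernetes/admin.conf /root/.kube/config
    - /usr/local/bin/harden_os.sh
    # Normally any bootstrap resources needed would be applied with a
    # ClusterResourceSet.  However instead of apply, replace must be
    # used to harden K8s.
    - /usr/local/bin/harden_k8s.sh
    # This must be done after kubeadm as the cabpk provider relies on
    # files in /var/run, which won't persist after a reboot
    - /usr/local/bin/set_kernel_cmdline.sh
    files:
{{ include "clusters.keepalived" $cluster | indent 4 }}
{{ include "clusters.containerRuntime" $cluster | indent 4 }}
    # override.conf keeps cloud-init's default file mode (0644).
    - path: /etc/systemd/system/containerd.service.d/override.conf
      content: |
{{ $.Files.Get "resources/override.conf" | indent 8 }}
    - path: /usr/local/bin/harden_os.sh
      permissions: '0755'  # run as root above; must not be world-writable
      content: |
{{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
    - path: /usr/local/bin/harden_k8s.sh
      permissions: '0755'  # run as root above; must not be world-writable
      content: |
{{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
    - path: /usr/local/bin/set_kernel_cmdline.sh
      permissions: '0755'  # run as root above; must not be world-writable
      content: |
{{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
    users:
    # Managed login: passwordless sudo, password login (hash from values)
    # and an SSH key.  The password hash is treated as a string so YAML
    # never reinterprets it.
    - name: {{ $cluster.userData.name | quote }}
      shell: /bin/bash
      lockPassword: false # Necessary to allow password login
      passwd: {{ $cluster.userData.hashedPassword | quote }}
      sshAuthorizedKeys:
      - {{ $cluster.userData.sshAuthorizedKey | quote }}
      sudo: "ALL=(ALL) NOPASSWD:ALL"
      groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
    # NOTE(review): direct root SSH with the same key is redundant next to
    # the NOPASSWD sudo above and widens the impact of that key leaking;
    # drop it unless something depends on logging in as root.
    - name: root
      sshAuthorizedKeys:
      - {{ $cluster.userData.sshAuthorizedKey | quote }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
      kind: Metal3MachineTemplate
      name: {{ printf "%s-controlplane" $clusterName | quote }}
    # CAPI treats 0s as "no limit": drains are waited on indefinitely.
    nodeDrainTimeout: 0s
  # Must stay an unquoted integer.
  replicas: {{ $cluster.numControlPlaneMachines }}
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 1
    type: RollingUpdate
  version: {{ $cluster.k8sVersion | quote }}
{{- end }}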