# Renders, for every entry in .Values.clusters, a KubeadmControlPlane and the
# Metal3MachineTemplate that backs its control-plane machines.
1 {{- range $clusterName, $cluster := .Values.clusters }}
3 apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
4 kind: KubeadmControlPlane
6 name: {{ $clusterName }}
# NOTE(review): the PodSecurityPolicy admission plugin was removed in
# Kubernetes 1.25; confirm this list matches the k8sVersion / kubeVersion
# values the chart is used with, otherwise kube-apiserver will refuse to start.
12 enable-admission-plugins: NodeRestriction,PodSecurityPolicy
# The doubled-brace escape makes Helm emit the ds.meta_data reference
# literally, so it is expanded later from the machine's metadata (presumably
# by cloud-init) rather than by Helm.
16 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
17 cpu-manager-policy: static
18 topology-manager-policy: best-effort
19 kube-reserved: cpu=200m,memory=512Mi
20 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
25 node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
26 name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
28 {{- if $cluster.networks }}
29 # Without touching up /etc/hosts, kubeadm may pick the wrong
30 # (i.e. provisioning network) address for the node IP
# NOTE(review): the interface name from values is spliced into this shell
# command unquoted. Values are operator-supplied, but a name containing shell
# metacharacters would change the command; quote the substitution or validate
# the value in values.yaml.
31 - sed -i "1i $(ip -4 addr show dev {{ $cluster.networks.baremetal.interface }} | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1) $(hostname)" /etc/hosts
# NOTE(review): apt-key is deprecated, and the apt.kubernetes.io /
# packages.cloud.google.com repositories were retired in favour of pkgs.k8s.io;
# these steps are likely to fail on fresh images — confirm against the base
# image in use. The signing keys are fetched over HTTPS at boot but not pinned;
# shipping the keyrings in resources/ like the helper scripts below would make
# the install reproducible.
33 - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
34 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
35 - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
36 - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
38 - apt-get install -y ca-certificates
39 {{- if $cluster.keepalived }}
40 - apt-get install -y keepalived
41 - systemctl enable --now keepalived
43 - /usr/local/bin/install-container-runtime.sh
# Pins all three packages to kubeVersion. Note that the KubeadmControlPlane
# version field further down reads a separate key, k8sVersion; confirm the two
# are kept consistent in values.yaml.
44 - apt-get install -y kubelet={{ $cluster.kubeVersion }} kubeadm={{ $cluster.kubeVersion }} kubectl={{ $cluster.kubeVersion }}
45 - systemctl enable --now kubelet
# admin.conf is kubeadm's cluster-admin credential; copying it into the ubuntu
# user's home makes that account's SSH access equivalent to full cluster admin.
47 - mkdir -p /home/ubuntu/.kube
48 - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
49 - chown ubuntu:ubuntu /home/ubuntu/.kube/config
50 - mkdir -p /root/.kube
51 - cp /etc/kubernetes/admin.conf /root/.kube/config
# OS and Kubernetes hardening scripts shipped with the chart (written from
# resources/ by the file entries below).
52 - /usr/local/bin/harden_os.sh
53 # Normally any bootstrap resources needed would be applied with a
54 # ClusterResourceSet. However instead of apply, replace must be
56 - /usr/local/bin/harden_k8s.sh
57 # This must be done after kubeadm as the cabpk provider relies on
58 # files in /var/run, which won't persist after a reboot
59 - /usr/local/bin/set_kernel_cmdline.sh
# Included templates contributing the keepalived and container-runtime pieces
# for this cluster.
61 {{ include "clusters.keepalived" $cluster | indent 4 }}
62 {{ include "clusters.containerRuntime" $cluster | indent 4 }}
# Helper scripts and the containerd drop-in, taken verbatim from the chart's
# resources/ directory.
63 - path: /etc/systemd/system/containerd.service.d/override.conf
65 {{ $.Files.Get "resources/override.conf" | indent 8 }}
66 - path: /usr/local/bin/harden_os.sh
69 {{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
70 - path: /usr/local/bin/harden_k8s.sh
73 {{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
74 - path: /usr/local/bin/set_kernel_cmdline.sh
77 {{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
# cloud-init user entry. Password login is deliberately enabled (lockPassword)
# alongside passwordless sudo and an SSH key; hashedPassword is a credential
# hash, so treat the values file that carries it as sensitive. Both templated
# values are unquoted — an empty value renders as null — so quoting them is
# the safer form.
79 - name: {{ $cluster.userData.name }}
# NOTE(review): cloud-init accepts False, but lowercase false is the
# canonical YAML boolean.
81 lockPassword: False # Necessary to allow password login
82 passwd: {{ $cluster.userData.hashedPassword }}
84 - {{ $cluster.userData.sshAuthorizedKey }}
# Passwordless sudo for this user.
85 sudo: "ALL=(ALL) NOPASSWD:ALL"
86 groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
# The same key is also added outside the users list (presumably for the
# image's default user) — confirm that this second grant is intended.
89 - {{ $cluster.userData.sshAuthorizedKey }}
# Metal3MachineTemplate backing the control-plane machines of this cluster.
92 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
93 kind: Metal3MachineTemplate
94 name: {{ $clusterName }}-controlplane
96 replicas: {{ $cluster.numControlPlaneMachines }}
# NOTE(review): k8sVersion is templated unquoted; quote it so a value such as
# 1.21 is not read as a float.
101 version: {{ $cluster.k8sVersion }}