Merge pull request #531 from treydock/kubeadm-v1beta3

Support Kubernetes 1.22 and kubeadm v1beta3 configurations

manifests/config/kubeadm.pp

@@ -63,6 +63,7 @@
   Integer $conntrack_min = $kubernetes::conntrack_min,
   String $conntrack_tcp_wait_timeout = $kubernetes::conntrack_tcp_wait_timeout,
   String $conntrack_tcp_stablished_timeout = $kubernetes::conntrack_tcp_stablished_timeout,
+  Hash[String[1], Boolean] $feature_gates = $kubernetes::feature_gates,
 ) {
   if !($proxy_mode in ['', 'userspace', 'iptables', 'ipvs', 'kernelspace']) {
     fail('Invalid kube-proxy mode! Must be one of "", userspace, iptables, ipvs, kernelspace.')
@@ -167,10 +168,11 @@
   $kubelet_extra_config_alpha1_yaml = regsubst(to_yaml($kubelet_extra_config_alpha1), '^---\n', '')
 
   $config_version = $kubernetes_version ? {
-    /1\.1(0|1)/          => 'v1alpha1',
-    /1\.12/              => 'v1alpha3',
-    /1\.1(3|4|5\.[012])/ => 'v1beta1',
-    default              => 'v1beta2',
+    /1\.1(0|1)/              => 'v1alpha1',
+    /1\.12/                  => 'v1alpha3',
+    /1\.1(3|4|5\.[012])/     => 'v1beta1',
+    /1\.(16|17|18|19|20|21)/ => 'v1beta2',
+    default                  => 'v1beta3',
   }
 
   file { $config_file:

manifests/config/worker.pp

@@ -19,14 +19,16 @@
   Optional[Array] $ignore_preflight_errors = undef,
   Boolean $skip_ca_verification            = false,
   String $cgroup_driver                    = $kubernetes::cgroup_driver,
+  Optional[Array] $skip_phases_join        = $kubernetes::skip_phases_join,
 ) {
   # to_yaml emits a complete YAML document, so we must remove the leading '---'
   $kubelet_extra_config_yaml = regsubst(to_yaml($kubelet_extra_config), '^---\n', '')
 
   $template = $kubernetes_version ? {
-    /1\.12/              => 'v1alpha3',
-    /1\.1(3|4|5\.[012])/ => 'v1beta1',
-    default              => 'v1beta2',
+    /1\.12/                  => 'v1alpha3',
+    /1\.1(3|4|5\.[012])/     => 'v1beta1',
+    /1\.(16|17|18|19|20|21)/ => 'v1beta2',
+    default                  => 'v1beta3',
   }
 
   file { '/etc/kubernetes':

manifests/init.pp

@@ -522,6 +522,17 @@
 # Allow kubeadm init skip some phases
 # Default: none phases skipped
 #
+# [*skip_phases_join*]
+# Allow kubeadm join to skip some phases
+# Only works with Kubernetes 1.22+
+# Default: no phases skipped
+#
+# [*feature_gates*]
+# Feature gate hash to be added to kubeadm configuration
+# Example:
+#   {'RootlessControlPlane' => true}
+# Default: undefined, no feature gates
+#
 # Authors
 # -------
 #
@@ -671,13 +682,15 @@
   Stdlib::IP::Address $metrics_bind_address                      = '127.0.0.1',
   Optional[String] $join_discovery_file                          = undef,
   Optional[String] $skip_phases                                  = undef,
+  Optional[Array] $skip_phases_join                              = undef,
   Integer $conntrack_max_per_core                                = 32768,
   Integer $conntrack_min                                         = 131072,
   String $conntrack_tcp_wait_timeout                             = '1h0m0s',
   String $conntrack_tcp_stablished_timeout                       = '24h0m0s',
   String $tmp_directory                                          = '/var/tmp/puppetlabs-kubernetes',
   Integer $wait_for_default_sa_tries                             = 5,
   Integer $wait_for_default_sa_try_sleep                         = 6,
+  Hash[String[1], Boolean] $feature_gates                        = {},
 ) {
   if !$facts['os']['family'] in ['Debian', 'RedHat'] {
     notify { "The OS family ${facts['os']['family']} is not supported by this module": }

spec/acceptance/kubernetes_spec.rb

@@ -13,8 +13,8 @@
         pp = <<-MANIFEST
         if $facts['os']['family'] == 'redhat'{
           class {'kubernetes':
-                  kubernetes_version => '1.20.6',
-                  kubernetes_package_version => '1.20.6',
+                  kubernetes_version => '1.22.0',
+                  kubernetes_package_version => '1.22.0',
                   controller_address => "$::ipaddress:6443",
                   container_runtime => 'docker',
                   manage_docker => false,

templates/v1beta3/config_kubeadm.yaml.erb

@@ -0,0 +1,154 @@
+apiVersion: kubeadm.k8s.io/v1beta3
+bootstrapTokens:
+- groups:
+  - system:bootstrappers:kubeadm:default-node-token
+  token: <%= @token %>
+  ttl: <%= @ttl_duration %>
+  usages:
+  - signing
+  - authentication
+kind: InitConfiguration
+localAPIEndpoint:
+  advertiseAddress: <%= @kube_api_advertise_address %>
+  bindPort: <%= @kube_api_bind_port %>
+nodeRegistration:
+  name: <%= @node_name %>
+  <%- if @container_runtime == "cri_containerd" -%>
+  criSocket: unix:///run/containerd/containerd.sock
+  <%- end -%>
+  taints:
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/master
+  kubeletExtraArgs:
+    cgroup-driver: <%= @cgroup_driver %>
+    <%- if @cloud_provider -%>
+    cloud-provider: <%= @cloud_provider %>
+    <%- end -%>
+    <%- if @cloud_config -%>
+    cloud-config: <%= @cloud_config %>
+    <%- end -%>
+    <%- @kubelet_extra_arguments.each do |arg| -%>
+    <%= arg %>
+    <%- end -%>
+<% if @skip_phases -%>
+skipPhases:
+<% @skip_phases.split(',').each do |skip_phase| -%>
+- <%= skip_phase %>
+<% end -%>
+<% end -%>
+---
+apiServer:
+  timeoutForControlPlane: 4m0s
+<%- if @apiserver_cert_extra_sans -%>
+  certSANs:
+  <%- @apiserver_cert_extra_sans.each do |san| -%>
+  - <%= san %>
+  <%- end -%>
+<%- end -%>
+<%- if @apiserver_merged_extra_arguments -%>
+  extraArgs:
+  <%- @apiserver_merged_extra_arguments.each do |arg| -%>
+    <%= arg %>
+  <%- end -%>
+<%- end -%>
+<%- if @apiserver_merged_extra_volumes -%>
+  extraVolumes:
+  <%- @apiserver_merged_extra_volumes.each do |name, config| -%>
+  - name: <%= name %>
+    hostPath: <%= config['hostPath'] %>
+    mountPath: <%= config['mountPath'] %>
+    readOnly: <%= config['readOnly'] %>
+    pathType: <%= config['pathType'] %>
+  <%- end -%>
+<%- end -%>
+apiVersion: kubeadm.k8s.io/v1beta3
+certificatesDir: /etc/kubernetes/pki
+<%- if @kubernetes_cluster_name != "kubernetes"  -%>
+clusterName: <%= @kubernetes_cluster_name %>
+<%- end -%>
+controlPlaneEndpoint: "<%= @controller_address %>"
+controllerManager:
+<%- if @controllermanager_merged_extra_arguments -%>
+  extraArgs:
+  <%- @controllermanager_merged_extra_arguments.each do |arg| -%>
+    <%= arg %>
+  <%- end -%>
+<%- end -%>
+<%- if @controllermanager_merged_extra_volumes -%>
+  extraVolumes:
+  <%- @controllermanager_merged_extra_volumes.each do |name, config| -%>
+  - name: <%= name %>
+    hostPath: <%= config['hostPath'] %>
+    mountPath: <%= config['mountPath'] %>
+    readOnly: <%= config['readOnly'] %>
+    pathType: <%= config['pathType'] %>
+  <%- end -%>
+<%- end -%>
+scheduler:
+<%- if @scheduler_merged_extra_arguments -%>
+  extraArgs:
+  <%- @scheduler_merged_extra_arguments.each do |arg| -%>
+    <%= arg %>
+  <%- end -%>
+<%- end -%>
+etcd:
+    external:
+        caFile: /etc/kubernetes/pki/etcd/ca.crt
+        certFile: /etc/kubernetes/pki/etcd/client.crt
+        endpoints:
+<% @etcd_peers.each do |peer| -%>
+          - https://<%= peer %>:2379
+<% end -%>
+        keyFile: /etc/kubernetes/pki/etcd/client.key
+imageRepository:  <%= @image_repository %>
+<% unless @feature_gates.empty? -%>
+featureGates:
+<% @feature_gates.each_pair do |key,value| -%>
+  <%= key %>: <%= value %>
+<% end -%>
+<% end -%>
+kind: ClusterConfiguration
+kubernetesVersion: v<%= @kubernetes_version %>
+networking:
+  dnsDomain: <%= @dns_domain %>
+  podSubnet: <%= @cni_pod_cidr %>
+  serviceSubnet: <%= @service_cidr %>
+<%- if @kubeadm_extra_config  -%>
+<%= @kubeadm_extra_config_yaml %>
+<%- end -%>
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+bindAddress: 0.0.0.0
+clientConnection:
+  acceptContentTypes: ""
+  burst: 10
+  contentType: application/vnd.kubernetes.protobuf
+  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
+  qps: 5
+clusterCIDR: <%= @cni_pod_cidr %>
+configSyncPeriod: 15m0s
+conntrack:
+  maxPerCore: <%= @conntrack_max_per_core %>
+  min: <%= @conntrack_min %>
+  tcpCloseWaitTimeout: <%= @conntrack_tcp_wait_timeout %>
+  tcpEstablishedTimeout: <%= @conntrack_tcp_stablished_timeout %>
+enableProfiling: false
+healthzBindAddress: 0.0.0.0:10256
+hostnameOverride: ""
+iptables:
+  masqueradeAll: false
+  masqueradeBit: 14
+  minSyncPeriod: 0s
+  syncPeriod: 30s
+ipvs:
+  excludeCIDRs: null
+  minSyncPeriod: 0s
+  scheduler: ""
+  syncPeriod: 30s
+kind: KubeProxyConfiguration
+metricsBindAddress: <%= @metrics_bind_address %>:10249
+mode: "<%= @proxy_mode %>"
+nodePortAddresses: null
+oomScoreAdj: -999
+portRange: ""
+udpIdleTimeout: 250ms

templates/v1beta3/config_worker.yaml.erb

@@ -0,0 +1,40 @@
+apiVersion: kubeadm.k8s.io/v1beta3
+caCertPath: /etc/kubernetes/pki/ca.crt
+kind: JoinConfiguration
+<%- if @kubernetes_cluster_name != "kubernetes"  -%>
+clusterName: <%= @kubernetes_cluster_name %>
+<%- end -%>
+discovery:
+  timeout: 5m0s
+  bootstrapToken:
+    token: <%= @discovery_token %>
+    apiServerEndpoint: '<%= @controller_address %>'
+    unsafeSkipCAVerification: false
+    caCertHashes:
+    - 'sha256:<%= @discovery_token_hash %>'
+nodeRegistration:
+  name: <%= @node_name %>
+  <%- if @container_runtime == "cri_containerd" -%>
+  criSocket: unix:///run/containerd/containerd.sock
+  taints: null
+  <%- end -%>
+  kubeletExtraArgs:
+    cgroup-driver: <%= @cgroup_driver %>
+    <%- if @cloud_provider -%>
+    cloud-provider: <%= @cloud_provider %>
+    <%- if @cloud_config -%>
+    cloud-config: <%= @cloud_config %>
+    <%- end -%>
+    <%- end -%>
+    <%- @kubelet_extra_arguments.each do |arg| -%>
+    <%= arg %>
+    <%- end %>
+<% if @feature_gates -%>
+featureGates: <%= @feature_gates %>
+<% end -%>
+<% if @skip_phases_join -%>
+skipPhases:
+<% @skip_phases_join.each do |skip_phase| -%>
+- <%= skip_phase %>
+<% end -%>
+<% end -%>