feat: baseline template for kubeadm

jokuniew · jokuniew · commit 6f55933c030e · 2025-04-22T13:18:36.000Z
diff --git a/default-cluster-templates/baseline-kubeadm.json b/default-cluster-templates/baseline-kubeadm.json
@@ -0,0 +1,98 @@
+{
+    "name": "baseline-kubeadm",
+    "version": "v2.0.1",
+    "kubernetesVersion": "v1.30.10",
+    "description": "Baseline Cluster Template with Kubeadm Control Plane",
+    "controlplaneprovidertype": "kubeadm",
+    "infraprovidertype": "intel",
+    "clusterconfiguration": {
+      "kind": "KubeadmControlPlaneTemplate",
+      "apiVersion": "controlplane.cluster.x-k8s.io/v1beta1",
+      "metadata": {
+        "labels": {
+          "cpumanager": "true"
+        }
+      },
+      "spec": {
+        "template": {
+          "spec": {
+            "files": [
+              {
+                "path": "/usr/local/bin/append-containerd-config.sh",
+                "content": "cat <<EOF >> /etc/containerd/config.toml\n\n[plugins.\\\"io.containerd.internal.v1.opt\\\"]\n  path = \\\"/var/lib/rancher/rke2/agent/containerd\\\"\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\"]\n  stream_server_address = \\\"127.0.0.1\\\"\n  stream_server_port = \\\"10010\\\"\n  enable_selinux = false\n  enable_unprivileged_ports = true\n  enable_unprivileged_icmp = true\n  sandbox_image = \\\"index.docker.io/rancher/mirrored-pause:3.6\\\"\n  disable_apparmor = true\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".containerd]\n  snapshotter = \\\"overlayfs\\\"\n  disable_snapshot_annotations = true\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".containerd.runtimes.runc]\n  runtime_type = \\\"io.containerd.runc.v2\\\"\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".containerd.runtimes.runc.options]\n  SystemdCgroup = true\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".registry]\n  config_path = \\\"/var/lib/rancher/rke2/agent/etc/containerd/certs.d\\\"\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".containerd.runtimes.kata-qemu]\n  runtime_type = \\\"io.containerd.kata-qemu.v2\\\"\n  runtime_path = \\\"/opt/kata/bin/containerd-shim-kata-v2\\\"\n  privileged_without_host_devices = true\n  pod_annotations = [\\\"io.katacontainers.*\\\"]\n\n[plugins.\\\"io.containerd.grpc.v1.cri\\\".containerd.runtimes.kata-qemu.options]\n  ConfigPath = \\\"/opt/kata/share/defaults/kata-containers/configuration-qemu.toml\\\"\n\nEOF"
+              }
+            ],
+            "clusterConfiguration": {
+              "apiServer": {
+                "extraArgs": {
+                  "feature-gates": "PortForwardWebsockets=true",
+                  "tls-cipher-suites":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+                }
+              },
+              "controllerManager":{
+                "extraArgs": {}
+              },
+              "etcd":{
+                "local": {
+                  "extraArgs": {
+                    "cipher-suites": "[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384]"
+                  } 
+                }
+              },
+              "scheduler":{
+                "extraArgs": {}
+              }
+            },
+            "joinConfiguration": {
+              "nodeRegistration": {
+                "kubeletExtraArgs": {
+                  "topology-manager-policy": "best-effort",
+                  "cpu-manager-policy": "static", 
+                  "reserved-cpus": "1",
+                  "max-pods": "250",
+                  "tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+                }
+              }
+            },
+            "preKubeadmCommands": [
+              "/usr/local/bin/append-containerd-config.sh",
+              "mkdir -p /etc/systemd/system/rke2-server.service.d",
+              "echo '[Service]\nEnvironmentFile=/etc/environment' > /etc/systemd/system/rke2-server.service.d/override.conf"
+            ],
+  
+            "privateRegistriesConfig": {
+              "mirrors": {
+                "rs-proxy.rs-proxy.svc.cluster.local:8443": {
+                  "endpoint": [
+                    "https://localhost.internal:9443"
+                  ]
+                }
+              }
+            },
+            "nodeDrainTimeout": "2m",
+            "rolloutStrategy": {
+              "type": "RollingUpdate",
+              "rollingUpdate": {
+                "maxSurge": 1
+              }
+            }
+          }
+        }
+      }
+    },
+    "clusterNetwork": {
+      "pods": {
+        "cidrBlocks": [
+          "10.42.0.0/16"
+        ]
+      },
+      "services": {
+        "cidrBlocks": [
+          "10.43.0.0/16"
+        ]
+      }
+    },
+    "cluster-labels": {
+      "default-extension": "baseline"
+    }
+  }
diff --git a/default-cluster-templates/kubeadm.config.toml b/default-cluster-templates/kubeadm.config.toml
@@ -0,0 +1,47 @@
+# This is the configuration file added to the default templates in the spec.files.content field.
+# To update the cluster template, make sure you have the following tools installed in your environment:
+#  - grep (https://www.gnu.org/software/grep/)
+#  - jo   (https://github.com/jpmens/jo)
+#  - jq   (https://jqlang.org/)
+#  - sed  (https://www.gnu.org/software/sed/)
+# The string in the template can be created from this file using the following command:
+#   jo content="$(grep -v '^#' kubeadm.config.toml)"|sed 's/\\"/\\\\\\\"/g'|jq .content
+# The result can then be pasted into the template files as the "content".
+# The "sed" command performs triple backslashing of quotes, which seems to be required.
+cat <<EOF >> /etc/containerd/config.toml
+
+[plugins."io.containerd.internal.v1.opt"]
+  path = "/var/lib/rancher/rke2/agent/containerd"
+
+[plugins."io.containerd.grpc.v1.cri"]
+  stream_server_address = "127.0.0.1"
+  stream_server_port = "10010"
+  enable_selinux = false
+  enable_unprivileged_ports = true
+  enable_unprivileged_icmp = true
+  sandbox_image = "index.docker.io/rancher/mirrored-pause:3.6"
+  disable_apparmor = true
+
+[plugins."io.containerd.grpc.v1.cri".containerd]
+  snapshotter = "overlayfs"
+  disable_snapshot_annotations = true
+
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+  runtime_type = "io.containerd.runc.v2"
+
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+  SystemdCgroup = true
+
+[plugins."io.containerd.grpc.v1.cri".registry]
+  config_path = "/var/lib/rancher/rke2/agent/etc/containerd/certs.d"
+
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu]
+  runtime_type = "io.containerd.kata-qemu.v2"
+  runtime_path = "/opt/kata/bin/containerd-shim-kata-v2"
+  privileged_without_host_devices = true
+  pod_annotations = ["io.katacontainers.*"]
+
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata-qemu.options]
+  ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
+
+EOF
