Merge pull request #1263 from 24sama/master

add an option to control k8s certs auto-renew script
kubesphere · May 6, 2022 · 8c7bb1d · 8c7bb1d
2 parents 80cd689 + 9c74581
commit 8c7bb1d
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 7 deletions.
diff --git a/apis/kubekey/v1alpha2/kubernetes_types.go b/apis/kubekey/v1alpha2/kubernetes_types.go
@@ -29,6 +29,7 @@ type Kubernetes struct {
 	NodeCidrMaskSize       int      `yaml:"nodeCidrMaskSize" json:"nodeCidrMaskSize,omitempty"`
 	ApiserverCertExtraSans []string `yaml:"apiserverCertExtraSans" json:"apiserverCertExtraSans,omitempty"`
 	ProxyMode              string   `yaml:"proxyMode" json:"proxyMode,omitempty"`
+	AutoRenewCerts         *bool    `yaml:"autoRenewCerts" json:"autoRenewCerts,omitempty"`
 	// +optional
 	Nodelocaldns             *bool                `yaml:"nodelocaldns" json:"nodelocaldns,omitempty"`
 	ContainerManager         string               `yaml:"containerManager" json:"containerManager,omitempty"`
@@ -78,3 +79,10 @@ func (k *Kubernetes) EnableNodeFeatureDiscovery() bool {
 	}
 	return *k.NodeFeatureDiscovery.Enabled
 }
+
+func (k *Kubernetes) EnableAutoRenewCerts() bool {
+	if k.AutoRenewCerts == nil {
+		return false
+	}
+	return *k.AutoRenewCerts
+}
diff --git a/docs/config-example.md b/docs/config-example.md
@@ -23,14 +23,16 @@ spec:
     address: ""      # The IP address of your load balancer.
     port: 6443
   system:
-    ntpServers: #  The ntp servers of chrony, set the node name in `hosts` as ntp servers if no public ntp servers access.
+    ntpServers: #  The ntp servers of chrony.
       - time1.cloud.tencent.com
       - ntp.aliyun.com
+      - node1 # Set the node name in `hosts` as ntp server if no public ntp servers access.
     timezone: "Asia/Shanghai"
   kubernetes:
     version: v1.21.5
     imageRepo: kubesphere
     clusterName: cluster.local
+    autoRenewCerts: true # Whether to install a script which can automatically renew the Kubernetes control plane certificates. [Default: false]
     masqueradeAll: false  # masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. [Default: false].
     maxPods: 110  # maxPods is the number of Pods that can run on this Kubelet. [Default: 110]
     nodeCidrMaskSize: 24  # The internal network node size allocation. This is the size allocated to each node on your network. [Default: 24]

diff --git a/pkg/certs/module.go b/pkg/certs/module.go
@@ -127,6 +127,11 @@ func (r *RenewCertsModule) Init() {
 
 type AutoRenewCertsModule struct {
 	common.KubeModule
+	Skip bool
+}
+
+func (a *AutoRenewCertsModule) IsSkip() bool {
+	return a.Skip
 }
 
 func (a *AutoRenewCertsModule) Init() {

diff --git a/pkg/config/templates/cluster.go b/pkg/config/templates/cluster.go
@@ -53,6 +53,7 @@ spec:
   kubernetes:
     version: {{ .Options.KubeVersion }}
     clusterName: cluster.local
+    autoRenewCerts: true
   etcd:
     type: kubekey
   network:

diff --git a/pkg/pipelines/add_nodes.go b/pkg/pipelines/add_nodes.go
@@ -65,7 +65,7 @@ func NewAddNodesPipeline(runtime *common.KubeRuntime) error {
 		&loadbalancer.HaproxyModule{Skip: !runtime.Cluster.ControlPlaneEndpoint.IsInternalLBEnabled()},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}
 
 	p := pipeline.Pipeline{
@@ -118,7 +118,7 @@ func NewK3sAddNodesPipeline(runtime *common.KubeRuntime) error {
 		&loadbalancer.K3sHaproxyModule{Skip: !runtime.Cluster.ControlPlaneEndpoint.IsInternalLBEnabled()},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}
 
 	p := pipeline.Pipeline{

diff --git a/pkg/pipelines/create_cluster.go b/pkg/pipelines/create_cluster.go
@@ -85,7 +85,7 @@ func NewCreateClusterPipeline(runtime *common.KubeRuntime) error {
 		&network.DeployNetworkPluginModule{},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 		&kubernetes.SaveKubeConfigModule{},
 		&plugins.DeployPluginsModule{},
 		&addons.AddonsModule{},
@@ -176,6 +176,7 @@ func NewK3sCreateClusterPipeline(runtime *common.KubeRuntime) error {
 		&network.DeployNetworkPluginModule{},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 		&k3s.SaveKubeConfigModule{},
 		&addons.AddonsModule{},
 		&storage.DeployLocalVolumeModule{Skip: skipLocalStorage},

diff --git a/pkg/pipelines/upgrade_cluster.go b/pkg/pipelines/upgrade_cluster.go
@@ -53,7 +53,7 @@ func NewUpgradeClusterPipeline(runtime *common.KubeRuntime) error {
 		&kubernetes.SetUpgradePlanModule{Step: kubernetes.ToV122},
 		&kubernetes.ProgressiveUpgradeModule{Step: kubernetes.ToV122},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}
 
 	p := pipeline.Pipeline{

diff --git a/pkg/version/kubesphere/templates/installer.go b/pkg/version/kubesphere/templates/installer.go
@@ -305,12 +305,10 @@ spec:
   selector:
     matchLabels:
       app: ks-install
-      version: {{ .Tag }}
   template:
     metadata:
       labels:
         app: ks-install
-        version: {{ .Tag }}
     spec:
       serviceAccountName: ks-installer
       containers: