Switch to kubelet config file and enable server TLS bootstrap

This is what official bootstrap script uses also. This moves most of the flags to the config files, add adds one new parameter `serverTLSBootstrap`, which is not availables as a flag.
eksctl-io · Dec 18, 2018 · 0ee6a4e · 0ee6a4e
1 parent 89459d3
commit 0ee6a4e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 10 deletions.
diff --git a/pkg/nodebootstrap/assets/10-eksclt.al2.conf b/pkg/nodebootstrap/assets/10-eksclt.al2.conf
@@ -10,23 +10,16 @@ EnvironmentFile=/etc/eksctl/kubelet.local.env
 
 ExecStart=
 ExecStart=/usr/bin/kubelet \
-  --address=0.0.0.0 \
   --node-ip=${NODE_IP} \
   --cluster-dns=${CLUSTER_DNS} \
   --max-pods=${MAX_PODS} \
-  --authentication-token-webhook \
-  --authorization-mode=Webhook \
   --allow-privileged=true \
   --pod-infra-container-image=602401143452.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/eks/pause-amd64:3.1 \
   --cloud-provider=aws \
-  --cluster-domain=cluster.local \
   --cni-bin-dir=/opt/cni/bin \
   --cni-conf-dir=/etc/cni/net.d \
   --container-runtime=docker \
   --network-plugin=cni \
-  --cgroup-driver=cgroupfs \
   --register-node=true \
   --kubeconfig=/etc/eksctl/kubeconfig.yaml \
-  --feature-gates=RotateKubeletServerCertificate=true \
-  --anonymous-auth=false \
-  --client-ca-file=/etc/eksctl/ca.crt
+  --config=/etc/eksctl/kubelet-config.json
diff --git a/pkg/nodebootstrap/assets/kubelet-config.json b/pkg/nodebootstrap/assets/kubelet-config.json
@@ -0,0 +1,30 @@
+{
+  "kind": "KubeletConfiguration",
+  "apiVersion": "kubelet.config.k8s.io/v1beta1",
+  "address": "0.0.0.0",
+  "authentication": {
+    "anonymous": {
+      "enabled": false
+    },
+    "webhook": {
+      "cacheTTL": "2m0s",
+      "enabled": true
+    },
+    "x509": {
+      "clientCAFile": "/etc/eksctl/ca.crt"
+    }
+  },
+  "authorization": {
+    "mode": "Webhook",
+    "webhook": {
+      "cacheAuthorizedTTL": "5m0s",
+      "cacheUnauthorizedTTL": "30s"
+    }
+  },
+  "clusterDomain": "cluster.local",
+  "cgroupDriver": "cgroupfs",
+  "featureGates": {
+    "RotateKubeletServerCertificate": true
+  },
+  "serverTLSBootstrap": true
+}
diff --git a/pkg/nodebootstrap/userdata_al2.go b/pkg/nodebootstrap/userdata_al2.go
@@ -23,8 +23,9 @@ func makeAmazonLinux2Config(spec *api.ClusterConfig, nodeGroupID int) (configFil
 			"metadata.env": {content: strings.Join(makeMetadata(spec), "\n")},
 			"kubelet.env":  {content: strings.Join(makeKubeletParams(spec, nodeGroupID), "\n")},
 			// TODO: https://github.com/weaveworks/eksctl/issues/161
-			"ca.crt":          {content: string(spec.CertificateAuthorityData)},
-			"kubeconfig.yaml": {content: string(clientConfigData)},
+			"kubelet-config.json": {isAsset: true},
+			"ca.crt":              {content: string(spec.CertificateAuthorityData)},
+			"kubeconfig.yaml":     {content: string(clientConfigData)},
 		},
 	}