updated eviction policy and master merge template fixes

config/crd/bases/infrastructure.cluster.x-k8s.io_nutanixmachines.yaml

@@ -32,10 +32,6 @@ spec:
       jsonPath: .spec.providerID
       name: ProviderID
       type: string
-    - description: Corresponding workload cluster node
-      jsonPath: .status.nodeRef.name
-      name: NodeRef
-      type: string
     name: v1alpha4
     schema:
       openAPIV3Schema:
@@ -309,8 +305,9 @@ spec:
                 description: Will be set in case of failure of Machine instance
                 type: string
               nodeRef:
-                description: NodeRef is a reference to the corresponding workload
-                  cluster Node if it exists.
+                description: 'NodeRef is a reference to the corresponding workload
+                  cluster Node if it exists. Deprecated: Do not use. Will be removed
+                  in a future release.'
                 properties:
                   apiVersion:
                     description: API version of the referent.
@@ -370,10 +367,6 @@ spec:
       jsonPath: .spec.providerID
       name: ProviderID
       type: string
-    - description: Corresponding workload cluster node
-      jsonPath: .status.nodeRef.name
-      name: NodeRef
-      type: string
     name: v1beta1
     schema:
       openAPIV3Schema:
@@ -669,8 +662,9 @@ spec:
                 description: Will be set in case of failure of Machine instance
                 type: string
               nodeRef:
-                description: NodeRef is a reference to the corresponding workload
-                  cluster Node if it exists.
+                description: 'NodeRef is a reference to the corresponding workload
+                  cluster Node if it exists. Deprecated: Do not use. Will be removed
+                  in a future release.'
                 properties:
                   apiVersion:
                     description: API version of the referent.

templates/base/ccm-patch.yaml

@@ -2,7 +2,6 @@ apiVersion: controlplane.cluster.x-k8s.io/v1beta1
 kind: KubeadmControlPlane
 metadata:
   name: "${CLUSTER_NAME}-kcp"
-  namespace: "${NAMESPACE}"
 spec:
   kubeadmConfigSpec:
     clusterConfiguration:
@@ -25,7 +24,6 @@ apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
 metadata:
   name: "${CLUSTER_NAME}-kcfg-0"
-  namespace: "${NAMESPACE}"
 spec:
   template:
     spec:
@@ -40,4 +38,3 @@ metadata:
   labels:
     ccm: "nutanix"
   name: "${CLUSTER_NAME}"
-  namespace: "${NAMESPACE}"

templates/cluster-template-clusterclass.yaml

@@ -212,7 +212,8 @@ spec:
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
-              eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
+              eviction-hard: nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<15%,memory.available<100Mi,imagefs.inodesFree<10%
+              tls-cipher-suites: ${TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}
         postKubeadmCommands:
         - echo export KUBECONFIG=/etc/kubernetes/admin.conf >> /root/.bashrc
         - echo "after kubeadm call" > /var/log/postkubeadm.log

templates/cluster-template-csi.yaml

@@ -223,6 +223,7 @@ data:
 kind: ConfigMap
 metadata:
   name: nutanix-ccm
+  namespace: ${NAMESPACE}
 ---
 apiVersion: v1
 data:
@@ -1557,6 +1558,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: nutanix-ccm-secret
+  namespace: ${NAMESPACE}
 stringData:
   nutanix-ccm-secret.yaml: "apiVersion: v1\nkind: Secret\nmetadata:\n  name: nutanix-creds\n
     \ namespace: kube-system\nstringData:\n  credentials: |\n    [\n      {\n        \"type\":
@@ -1569,6 +1571,7 @@ apiVersion: addons.cluster.x-k8s.io/v1beta1
 kind: ClusterResourceSet
 metadata:
   name: nutanix-ccm-crs
+  namespace: ${NAMESPACE}
 spec:
   clusterSelector:
     matchLabels:
@@ -1846,7 +1849,7 @@ spec:
   prismCentral:
     additionalTrustBundle:
       kind: ConfigMap
-      name: user-ca-bundle
+      name: ${CLUSTER_NAME}-pc-trusted-ca-bundle
     address: ${NUTANIX_ENDPOINT}
     credentialRef:
       kind: Secret

templates/cluster-template.yaml

@@ -223,6 +223,7 @@ data:
 kind: ConfigMap
 metadata:
   name: nutanix-ccm
+  namespace: ${NAMESPACE}
 ---
 apiVersion: v1
 kind: Secret
@@ -238,6 +239,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: nutanix-ccm-secret
+  namespace: ${NAMESPACE}
 stringData:
   nutanix-ccm-secret.yaml: "apiVersion: v1\nkind: Secret\nmetadata:\n  name: nutanix-creds\n
     \ namespace: kube-system\nstringData:\n  credentials: |\n    [\n      {\n        \"type\":
@@ -250,6 +252,7 @@ apiVersion: addons.cluster.x-k8s.io/v1beta1
 kind: ClusterResourceSet
 metadata:
   name: nutanix-ccm-crs
+  namespace: ${NAMESPACE}
 spec:
   clusterSelector:
     matchLabels:
@@ -513,7 +516,7 @@ spec:
   prismCentral:
     additionalTrustBundle:
       kind: ConfigMap
-      name: user-ca-bundle
+      name: ${CLUSTER_NAME}-pc-trusted-ca-bundle
     address: ${NUTANIX_ENDPOINT}
     credentialRef:
       kind: Secret

templates/clusterclass/kcpt.yaml

@@ -85,7 +85,8 @@ spec:
               # We have to pin the cgroupDriver to cgroupfs as kubeadm >=1.21 defaults to systemd
               # kind will implement systemd support in: https://github.com/kubernetes-sigs/kind/issues/1726
               #cgroup-driver: cgroupfs
-              eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
+              eviction-hard: nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<15%,memory.available<100Mi,imagefs.inodesFree<10%
+              tls-cipher-suites: "${TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}"
         users:
           - name: capiuser
             lockPassword: false