apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cluster.x-k8s.io/cluster-name: {{.clusterName}}
  name: {{.clusterName}}
  namespace: {{.eksaSystemNamespace}}
spec:
  clusterNetwork:
    pods:
      cidrBlocks: {{.podCidrs}}
    services:
      cidrBlocks: {{.serviceCidrs}}
  controlPlaneEndpoint:
    host: {{.controlPlaneEndpointHost}}
    port: {{.controlPlaneEndpointPort}}
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlane
    name: {{.clusterName}}
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta3
    kind: CloudStackCluster
    name: {{.clusterName}}
{{- if .externalEtcd }}
  managedExternalEtcdRef:
    apiVersion: etcdcluster.cluster.x-k8s.io/v1beta1
    kind: EtcdadmCluster
    name: {{.clusterName}}-etcd
{{- end }}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta3
kind: CloudStackCluster
metadata:
  name: {{.clusterName}}
  namespace: {{.eksaSystemNamespace}}
spec:
  controlPlaneEndpoint:
    host: {{.controlPlaneEndpointHost}}
    port: {{.controlPlaneEndpointPort}}
  failureDomains:{{ range $az := .cloudstackAvailabilityZones }}
  - name: {{ $az.Name }}
    zone:
      id: {{ $az.Zone.Id }}
      name: {{ $az.Zone.Name }}
      network:
        id: {{ $az.Zone.Network.Id }}
        name: {{ $az.Zone.Network.Name }}
    domain: {{ $az.Domain }}
    account: {{ $az.Account }}
    acsEndpoint:
      name: {{ $az.CredentialsRef }}
      namespace: eksa-system
{{- end }}
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: {{.clusterName}}
  namespace: {{.eksaSystemNamespace}}
spec:
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta3
      kind: CloudStackMachineTemplate
      name: {{.controlPlaneTemplateName}}
  kubeadmConfigSpec:
    clusterConfiguration:
      imageRepository: {{.kubernetesRepository}}
      etcd:
{{- if .externalEtcd }}
        external:
          endpoints: []
          caFile: "/etc/kubernetes/pki/etcd/ca.crt"
          certFile: "/etc/kubernetes/pki/apiserver-etcd-client.crt"
          keyFile: "/etc/kubernetes/pki/apiserver-etcd-client.key"
{{- else }}
        local:
          imageRepository: {{.etcdRepository}}
          imageTag: {{.etcdImageTag}}
{{- if .etcdExtraArgs }}
          extraArgs:
{{ .etcdExtraArgs.ToYaml | indent 12 }}
{{- end }}
{{- end }}
      dns:
        imageRepository: {{.corednsRepository}}
        imageTag: {{.corednsVersion}}
      apiServer:
        extraArgs:
          cloud-provider: external
          audit-policy-file: /etc/kubernetes/audit-policy.yaml
          audit-log-path: /var/log/kubernetes/api-audit.log
          audit-log-maxage: "30"
          audit-log-maxbackup: "10"
          audit-log-maxsize: "512"
          profiling: "false"
{{- if .apiserverExtraArgs }}
{{ .apiserverExtraArgs.ToYaml | indent 10 }}
{{- end }}
        extraVolumes:
        - hostPath: /etc/kubernetes/audit-policy.yaml
          mountPath: /etc/kubernetes/audit-policy.yaml
          name: audit-policy
          pathType: File
          readOnly: true
        - hostPath: /var/log/kubernetes
          mountPath: /var/log/kubernetes
          name: audit-log-dir
          pathType: DirectoryOrCreate
          readOnly: false
{{- if .awsIamAuth}}
        - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
          mountPath: /etc/kubernetes/aws-iam-authenticator/
          name: authconfig
          readOnly: false
        - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/
          mountPath: /var/aws-iam-authenticator/
          name: awsiamcert
          readOnly: false
{{- end}}
      controllerManager:
        extraArgs:
          cloud-provider: external
          profiling: "false"
{{- if .controllermanagerExtraArgs }}
{{ .controllermanagerExtraArgs.ToYaml | indent 10 }}
{{- end }}
      scheduler:
        extraArgs:
          profiling: "false"
{{- if .schedulerExtraArgs }}
{{ .schedulerExtraArgs.ToYaml | indent 10 }}
{{- end }}
    files:
{{- if .cloudstackKubeVip}}
    - content: |
        apiVersion: v1
        kind: Pod
        metadata:
          creationTimestamp: null
          name: kube-vip
          namespace: kube-system
        spec:
          containers:
          - args:
            - manager
            env:
            - name: vip_arp
              value: "true"
            - name: port
              value: "6443"
            - name: vip_cidr
              value: "32"
            - name: cp_enable
              value: "true"
            - name: cp_namespace
              value: kube-system
            - name: vip_ddns
              value: "false"
            - name: vip_leaderelection
              value: "true"
            - name: vip_leaseduration
              value: "15"
            - name: vip_renewdeadline
              value: "10"
            - name: vip_retryperiod
              value: "2"
            - name: address
              value: {{.controlPlaneEndpointHost}}
            image: {{.kubeVipImage}}
            imagePullPolicy: IfNotPresent
            name: kube-vip
            resources: {}
            securityContext:
              capabilities:
                add:
                - NET_ADMIN
                - NET_RAW
            volumeMounts:
            - mountPath: /etc/kubernetes/admin.conf
              name: kubeconfig
          hostNetwork: true
          volumes:
          - hostPath:
              path: /etc/kubernetes/admin.conf
            name: kubeconfig
        status: {}
      owner: root:root
      path: /etc/kubernetes/manifests/kube-vip.yaml
{{- end}}
    - content: |
{{ .auditPolicy | indent 8 }}
      owner: root:root
      path: /etc/kubernetes/audit-policy.yaml
{{- if .proxyConfig }}
    - content: |
        [Service]
        Environment="HTTP_PROXY={{.httpProxy}}"
        Environment="HTTPS_PROXY={{.httpsProxy}}"
        Environment="NO_PROXY={{ stringsJoin .noProxy "," }}"
      owner: root:root
      path: /etc/systemd/system/containerd.service.d/http-proxy.conf
{{- end }}
{{- if .registryCACert }}
    - content: |
{{ .registryCACert | indent 8 }}
      owner: root:root
      path: "/etc/containerd/certs.d/{{ .mirrorBase }}/ca.crt"
{{- end }}
{{- if .registryMirrorMap }}
    - content: |
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
          {{- range $orig, $mirror := .registryMirrorMap }}
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ $orig }}"]
            endpoint = ["https://{{ $mirror }}"]
          {{- end }}
          {{- if or .registryCACert .insecureSkip }}
          [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .mirrorBase }}".tls]
          {{- if .registryCACert }}
            ca_file = "/etc/containerd/certs.d/{{ .mirrorBase }}/ca.crt"
          {{- end }}
          {{- if .insecureSkip }}
            insecure_skip_verify = {{.insecureSkip}}
          {{- end }}
          {{- end }}
      owner: root:root
      path: "/etc/containerd/config_append.toml"
{{- end }}
{{- if .awsIamAuth}}
    - content: |
        # clusters refers to the remote service.
        clusters:
          - name: aws-iam-authenticator
            cluster:
              certificate-authority: /var/aws-iam-authenticator/cert.pem
              server: https://localhost:21362/authenticate
        # users refers to the API Server's webhook configuration
        # (we don't need to authenticate the API server).
        users:
          - name: apiserver
        # kubeconfig files require a context. Provide one for the API Server.
        current-context: webhook
        contexts:
        - name: webhook
          context:
            cluster: aws-iam-authenticator
            user: apiserver
      permissions: "0640"
      owner: root:root
      path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml
    - contentFrom:
        secret:
          name: {{.clusterName}}-aws-iam-authenticator-ca
          key: cert.pem
      permissions: "0640"
      owner: root:root
      path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem
    - contentFrom:
        secret:
          name: {{.clusterName}}-aws-iam-authenticator-ca
          key: key.pem
      permissions: "0640"
      owner: root:root
      path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem
{{- end}}
    initConfiguration:
      nodeRegistration:
        criSocket: /var/run/containerd/containerd.sock
        kubeletExtraArgs:
          provider-id: cloudstack:///'{{`{{ ds.meta_data.instance_id }}`}}'
          read-only-port: "0"
          anonymous-auth: "false"
{{- if .kubeletExtraArgs }}
{{ .kubeletExtraArgs.ToYaml | indent 10 }}
{{- end }}
        name: "{{`{{ ds.meta_data.hostname }}`}}"
{{- if .controlPlaneTaints }}
        taints:
{{- range .controlPlaneTaints}}
        - key: {{ .Key }}
          value: {{ .Value }}
          effect: {{ .Effect }}
{{- if .TimeAdded }}
          timeAdded: {{ .TimeAdded }}
{{- end }}
{{- end }}
{{- end }}
    joinConfiguration:
      nodeRegistration:
        criSocket: /var/run/containerd/containerd.sock
        kubeletExtraArgs:
          provider-id: cloudstack:///'{{`{{ ds.meta_data.instance_id }}`}}'
          read-only-port: "0"
          anonymous-auth: "false"
{{- if .kubeletExtraArgs }}
{{ .kubeletExtraArgs.ToYaml | indent 10 }}
{{- end }}
        name: "{{`{{ ds.meta_data.hostname }}`}}"
{{- if .controlPlaneTaints }}
        taints:
{{- range .controlPlaneTaints}}
        - key: {{ .Key }}
          value: {{ .Value }}
          effect: {{ .Effect }}
{{- if .TimeAdded }}
          timeAdded: {{ .TimeAdded }}
{{- end }}
{{- end }}
{{- end }}
    preKubeadmCommands:
    - swapoff -a
{{- if.registryMirrorMap }}
    - cat /etc/containerd/config_append.toml >> /etc/containerd/config.toml
{{- end }}
{{- if or .proxyConfig .registryMirrorMap }}
    - sudo systemctl daemon-reload
    - sudo systemctl restart containerd
{{- end }}
    - hostname "{{`{{ ds.meta_data.hostname }}`}}"
    - echo "::1         ipv6-localhost ipv6-loopback" >/etc/hosts
    - echo "127.0.0.1   localhost" >>/etc/hosts
    - echo "127.0.0.1   {{`{{ ds.meta_data.hostname }}`}}" >>/etc/hosts
    - echo "{{`{{ ds.meta_data.hostname }}`}}" >/etc/hostname
{{- range $dir, $target := .cloudstackControlPlaneSymlinks}}
    - >-
      if [ ! -L {{$dir}} ] ;
        then
          mv {{$dir}} {{$dir}}-$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 10) ;
          mkdir -p {{$target}} && ln -s {{$target}} {{$dir}} ;
        else echo "{{$dir}} already symlnk";
      fi
{{- end}}
{{- if .cloudstackControlPlaneDiskOfferingProvided }}
    diskSetup:
      filesystems:
        - device: {{ .cloudstackControlPlaneDiskOfferingDevice }}1
          overwrite: false
          extraOpts:
            - -E
            - lazy_itable_init=1,lazy_journal_init=1
          filesystem: {{ .cloudstackControlPlaneDiskOfferingFilesystem }}
          label: {{ .cloudstackControlPlaneDiskOfferingLabel }}
      partitions:
        - device: {{ .cloudstackControlPlaneDiskOfferingDevice }}
          layout: true
          overwrite: false
          tableType: gpt
    mounts:
      - - LABEL={{ .cloudstackControlPlaneDiskOfferingLabel }}
        - {{ .cloudstackControlPlaneDiskOfferingPath }}
{{- end }}
    useExperimentalRetryJoin: true
    users:
    - name: {{.controlPlaneSshUsername}}
      sshAuthorizedKeys:
      - '{{.cloudstackControlPlaneSshAuthorizedKey}}'
      sudo: ALL=(ALL) NOPASSWD:ALL
    format: {{.format}}
  replicas: {{.controlPlaneReplicas}}
  {{- if .upgradeRolloutStrategy }}
  rolloutStrategy:
    rollingUpdate:
      maxSurge: {{.maxSurge}}
  {{- end }}
  version: {{.kubernetesVersion}}
{{- if .externalEtcd }}
---
kind: EtcdadmCluster
apiVersion: etcdcluster.cluster.x-k8s.io/v1beta1
metadata:
  name: {{.clusterName}}-etcd
  namespace: {{.eksaSystemNamespace}}
spec:
  replicas: {{.externalEtcdReplicas}}
  etcdadmConfigSpec:
    etcdadmBuiltin: false
    format: {{.format}}
    cloudInitConfig:
      version: {{.externalEtcdVersion}}
      installDir: "/usr/bin"
    etcdadmInstallCommands:
      - echo this line exists so that etcdadmInstallCommands is not empty
      - echo etcdadmInstallCommands can be removed once etcdadm bootstrap and controller fix the bug
      - echo that preEtcdadmCommands not run unless etcdadmBuiltin is false
      - echo https://github.com/mrajashree/etcdadm-bootstrap-provider/issues/13
    preEtcdadmCommands:
    - swapoff -a
    - hostname "{{`{{ ds.meta_data.hostname }}`}}"
    - echo "::1         ipv6-localhost ipv6-loopback" >/etc/hosts
    - echo "127.0.0.1   localhost" >>/etc/hosts
    - echo "127.0.0.1   {{`{{ ds.meta_data.hostname }}`}}" >>/etc/hosts
    - echo "{{`{{ ds.meta_data.hostname }}`}}" >/etc/hostname
{{- if .cloudstackEtcdDiskOfferingProvided }}
    - >-
      echo "type=83" | sfdisk {{ .cloudstackEtcdDiskOfferingDevice }} &&
      mkfs -t {{ .cloudstackEtcdDiskOfferingFilesystem }} {{ .cloudstackEtcdDiskOfferingDevice }}1 &&
      mkdir -p {{ .cloudstackEtcdDiskOfferingPath }} &&
      echo {{ .cloudstackEtcdDiskOfferingDevice }}1 {{ .cloudstackEtcdDiskOfferingPath }} {{ .cloudstackEtcdDiskOfferingFilesystem }} defaults 0 2 >> /etc/fstab &&
      mount {{ .cloudstackEtcdDiskOfferingPath }}
{{- end }}
{{- range $dir, $target := .cloudstackEtcdSymlinks}}
    - >-
      if [ ! -L {{$dir}} ] ;
        then
          mv {{$dir}} {{$dir}}-$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 10) ;
          mkdir -p {{$target}} && ln -s {{$target}} {{$dir}} ;
        else
          echo "{{$dir}} already symlnk" ;
      fi
{{- end}}
{{- if .etcdCipherSuites }}
    cipherSuites: {{.etcdCipherSuites}}
{{- end }}
    users:
    - name: {{.etcdSshUsername}}
      sshAuthorizedKeys:
      - '{{.cloudstackEtcdSshAuthorizedKey}}'
      sudo: ALL=(ALL) NOPASSWD:ALL
{{- if .proxyConfig }}
    proxy:
      httpProxy: {{ .httpProxy }}
      httpsProxy: {{ .httpsProxy }}
      noProxy: {{ range .noProxy }}
        - {{ . }}
      {{- end }}
{{- end }}
{{- if .registryMirrorMap }}
    registryMirror:
      endpoint: {{ .publicMirror }}
      {{- if .registryCACert }}
      caCert: |
{{ .registryCACert | indent 8 }}
      {{- end }}
{{- end }}
  infrastructureTemplate:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta3
    kind: CloudStackMachineTemplate
    name: {{.etcdTemplateName}}
{{- end }}
---