# Worker node group MachineDeployment. This file is a template: placeholders are
# substituted as raw text first, and only the rendered result is parsed as YAML.
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  labels:
    # NOTE(review): the name placeholders here and below are substituted unquoted.
    # A value that YAML reads as a boolean, number or null, or one containing ": "
    # or " #", would change the parsed type or structure. Confirm the caller
    # validates cluster and node-group names before rendering.
    cluster.x-k8s.io/cluster-name: {{.clusterName}}
    pool: {{.workerNodeGroupName}}
  name: {{.clusterName}}-{{.workerNodeGroupName}}
  namespace: {{.eksaSystemNamespace}}
  # Autoscaler bounds are emitted only when an autoscaling configuration is
  # present; the counts are quoted so they render as strings.
{{- if .autoscalingConfig }}
  annotations:
    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ .autoscalingConfig.MinCount }}"
    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ .autoscalingConfig.MaxCount }}"
{{- end }}
spec:
  clusterName: {{.clusterName}}
  replicas: {{.workerReplicas}}
  # Rendered as an empty selector.
  # NOTE(review): presumably filled in by Cluster API defaulting; confirm.
  selector:
    matchLabels: {}
  template:
    metadata:
      labels:
        cluster.x-k8s.io/cluster-name: {{.clusterName}}
        pool: {{.workerNodeGroupName}}
    spec:
      bootstrap:
        # Uses the same name placeholder as the KubeadmConfigTemplate document
        # later in this file.
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: {{.workloadkubeadmconfigTemplateName}}
      clusterName: {{.clusterName}}
      # Uses the same name placeholder as the TinkerbellMachineTemplate document
      # later in this file.
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: TinkerbellMachineTemplate
        name: {{.workloadTemplateName}}
      version: {{.kubernetesVersion}}
  # Rolling-update limits are emitted only when upgradeRolloutStrategy is set.
{{- if .upgradeRolloutStrategy }}
  strategy:
    rollingUpdate:
      maxSurge: {{.maxSurge}}
      maxUnavailable: {{.maxUnavailable}}
{{- end }}
---
# Machine template for the worker node group; its name placeholder matches the
# infrastructureRef of the MachineDeployment above.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: TinkerbellMachineTemplate
metadata:
  name: {{.workloadTemplateName}}
  namespace: {{.eksaSystemNamespace}}
spec:
  template:
    # NOTE(review): the two conditions below are not exact complements. The first
    # needs a non-empty override AND a non-empty format; the second needs an empty
    # override. With an override set and format empty, neither branch renders and
    # "template" is left without a spec. Confirm format is always set by the caller.
    {{- if and .workertemplateOverride (ne .format "")}}
    spec:
      # Hardware selection is rendered only in this branch, together with the
      # template override.
      # NOTE(review): selector keys and values are substituted unquoted; confirm
      # they are validated so a value cannot be retyped or break the mapping.
      hardwareAffinity:
        required:
        - labelSelector:
            matchLabels: {{ range $key, $value := .hardwareSelector}}
              {{ $key }}: {{ $value}}
            {{- end }}
      # The override text is inserted as-is into a literal block, indented 8 spaces.
      # NOTE(review): presumably this defines the provisioning actions run on the
      # machine, so it should come only from a trusted cluster spec; confirm.
      templateOverride: |
{{.workertemplateOverride | indent 8}}
    {{- end}}
    {{- if (eq .workertemplateOverride "") }}
    spec: {}
    {{- end }}
---
# Bootstrap configuration for worker nodes; its name placeholder matches the
# bootstrap configRef of the MachineDeployment above.
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: {{.workloadkubeadmconfigTemplateName}}
  namespace: {{.eksaSystemNamespace}}
spec:
  template:
    spec:
      joinConfiguration:
        # bottlerocket format only: pause and bootstrap container images.
{{- if (eq .format "bottlerocket") }}
        pause:
          imageRepository: {{.pauseRepository}}
          imageTag: {{.pauseVersion}}
        bottlerocketBootstrap:
          imageRepository: {{.bottlerocketBootstrapRepository}}
          imageTag: {{.bottlerocketBootstrapVersion}}
{{- end }}
        # bottlerocket format only: proxy settings are passed here; other formats
        # get a containerd systemd drop-in in the files section instead.
{{- if and .proxyConfig (eq .format "bottlerocket") }}
        proxy:
          httpsProxy: {{.httpsProxy}}
          noProxy: {{ range .noProxy }}
            - {{ . }}
          {{- end }}
{{- end }}
        # bottlerocket format only: registry mirror endpoint and optional CA
        # certificate (inserted into a literal block, indented 12 spaces).
{{- if and .registryMirrorMap (eq .format "bottlerocket") }}
        registryMirror:
          endpoint: {{ .publicMirror }}
          {{- if .registryCACert }}
          caCert: |
{{ .registryCACert | indent 12 }}
          {{- end }}
{{- end }}
        # Pre-rendered text inserted as-is at 8 spaces, i.e. as sibling keys of the
        # entries in joinConfiguration.
        # NOTE(review): a key that repeats one emitted above would be a duplicate,
        # which most YAML parsers resolve last-wins; confirm the caller only emits
        # distinct keys.
{{- if .bottlerocketSettings }}
{{ .bottlerocketSettings | indent 8 }}
{{- end }}
        # Additional certificate bundles; each bundle's data is inserted into a
        # literal block, indented 12 spaces.
{{- if .certBundles }}
        certBundles:
        {{- range .certBundles }}
        - name: "{{ .Name }}"
          data: |
{{ .Data | indent 12 }}
          {{- end }}
{{- end}}
        nodeRegistration:
{{- if .workerNodeGroupTaints }}
          taints:
{{- range .workerNodeGroupTaints}}
            - key: {{ .Key }}
              value: {{ .Value }}
              effect: {{ .Effect }}
{{- if .TimeAdded }}
              timeAdded: {{ .TimeAdded }}
{{- end }}
{{- end }}
{{- end }}
          # Kubelet defaults: read-only-port "0" disables the kubelet's
          # unauthenticated read-only port and anonymous-auth "false" rejects
          # anonymous requests to the kubelet API.
          # NOTE(review): PROVIDER_ID is a literal here, presumably replaced later
          # in provisioning; confirm.
          kubeletExtraArgs:
            provider-id: PROVIDER_ID
            read-only-port: "0"
            anonymous-auth: "false"
            # NOTE(review): caller-supplied arguments are appended after the
            # defaults above. If they can repeat read-only-port or anonymous-auth,
            # the rendered mapping has duplicate keys and most parsers keep the
            # last value, which would override the hardening. Confirm the caller
            # rejects or filters those keys.
{{- if .kubeletExtraArgs }}
{{ .kubeletExtraArgs.ToYaml | indent 12 }}
{{- end }}
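{{- if and (ne .format "bottlerocket") (or .proxyConfig .registryMirrorMap) }}
      # Files written to non-bottlerocket nodes.
      # NOTE(review): this header is rendered only for proxyConfig or
      # registryMirrorMap, while the CA certificate entry below is gated on
      # registryCACert alone. Confirm registryCACert is never set without
      # registryMirrorMap; otherwise that entry would render without its parent key.
      files:
{{- end }}
{{- if and .proxyConfig (ne .format "bottlerocket") }}
        # systemd drop-in that passes the proxy settings to containerd.
        # NOTE(review): no permissions are set on this entry, so the bootstrap
        # default applies; if proxy URLs can embed credentials, confirm that default
        # is acceptable.
        - content: |
            [Service]
            Environment="HTTP_PROXY={{.httpProxy}}"
            Environment="HTTPS_PROXY={{.httpsProxy}}"
            Environment="NO_PROXY={{ stringsJoin .noProxy "," }}"
          owner: root:root
          path: /etc/systemd/system/containerd.service.d/http-proxy.conf
{{- end }}
{{- if (ne .format "bottlerocket") }}
{{- if .registryCACert }}
        # Registry mirror CA certificate, stored under the containerd certs.d
        # directory for the mirror host.
        - content: |
{{ .registryCACert | indent 12 }}
          owner: root:root
          path: "/etc/containerd/certs.d/{{ .mirrorBase }}/ca.crt"
{{- end }}
{{- if .registryMirrorMap }}
        # containerd registry mirror settings, written as a TOML fragment that
        # preKubeadmCommands appends to /etc/containerd/config.toml.
        #
        # Placeholders are substituted inside TOML double-quoted strings without
        # escaping.
        # NOTE(review): a double quote, backslash or newline in a mirror endpoint,
        # username or password would break or alter the fragment; confirm these
        # values are validated before rendering.
        #
        # insecure_skip_verify turns off TLS certificate verification for the
        # mirror; it is rendered only when insecureSkip is set.
        #
        # When registryAuth is set the fragment holds the registry username and
        # password in clear text, so the file is restricted to its owner (root) with
        # permissions "0600" instead of the bootstrap default. The appended copy in
        # /etc/containerd/config.toml is outside this entry.
        # NOTE(review): confirm that file is not world-readable either.
        - content: |
            [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
              {{- range $orig, $mirror := .registryMirrorMap }}
              [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ $orig }}"]
                endpoint = ["https://{{ $mirror }}"]
              {{- end }}
              {{- if or .registryCACert .insecureSkip }}
              [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .mirrorBase }}".tls]
              {{- if .registryCACert }}
                ca_file = "/etc/containerd/certs.d/{{ .mirrorBase }}/ca.crt"
              {{- end }}
              {{- if .insecureSkip }}
                insecure_skip_verify = {{.insecureSkip}}
              {{- end }}
              {{- end }}
              {{- if .registryAuth }}
              [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ .mirrorBase }}".auth]
                username = "{{.registryUsername}}"
                password = "{{.registryPassword}}"
              {{- end }}
          owner: root:root
          permissions: "0600"
          path: "/etc/containerd/config_append.toml"
{{- end }}
{{- end }}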
{{- if .ntpServers }}
      # Time synchronisation is enabled only when at least one server is given.
      # NOTE(review): server entries are substituted unquoted; confirm they are
      # validated as host names or addresses before rendering.
      ntp:
        enabled: true
        servers: {{ range .ntpServers }}
        - {{ . }}
        {{- end }}
{{- end }}
{{- if and (or .proxyConfig .registryMirrorMap) (ne .format "bottlerocket") }}
      # Non-bottlerocket nodes only: apply the proxy drop-in and mirror fragment
      # written by the files section, then reload systemd and restart containerd.
      preKubeadmCommands:
{{- if .registryMirrorMap }}
      # Appends the mirror fragment to containerd's main config. When registryAuth
      # is set, this copies the clear-text registry username and password into
      # /etc/containerd/config.toml.
      # NOTE(review): that file's mode is not managed in this template; confirm it
      # is not world-readable.
      - cat /etc/containerd/config_append.toml >> /etc/containerd/config.toml
{{- end }}
      - sudo systemctl daemon-reload
      - sudo systemctl restart containerd
{{- end }}
      # Account configured on each worker node with one authorized SSH key.
      users:
      - name: {{.workerSshUsername}}
        sshAuthorizedKeys:
        # NOTE(review): the key is wrapped in single quotes without escaping; a
        # single quote inside the value would end the scalar early. Confirm keys are
        # validated before rendering.
        - '{{.workerSshAuthorizedKey}}'
        # This account can run any command as any user through sudo without a
        # password, so holding the matching SSH private key is equivalent to root on
        # the node.
        sudo: ALL=(ALL) NOPASSWD:ALL
      # Node format; other sections of this template branch on "bottlerocket".
      format: {{.format}}