---
apiVersion: controlplane.cluster.x-k8s.io/v1alpha4
kind: KubeadmControlPlane
metadata:
  name: {{ .Values.clusterName }}
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          enable-admission-plugins: NodeRestriction,PodSecurityPolicy
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          {{- include "cluster.nodeIP" .Values.networkData | nindent 10 }}
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    joinConfiguration:
      controlPlane: {}
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: metal3.io/uuid={{ "{{" }} ds.meta_data.uuid {{ "}}" }}
          cpu-manager-policy: static
          topology-manager-policy: best-effort
          kube-reserved: cpu=200m,memory=512Mi
        name: '{{ "{{" }} ds.meta_data.name {{ "}}" }}'
    preKubeadmCommands:
{{- if .Values.preKubeadmCommands }}
{{ toYaml .Values.preKubeadmCommands | indent 4 }}
{{- end }}
    - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
    - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
    - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    - add-apt-repository "deb https://apt.kubernetes.io/ kubernetes-xenial main"
    - apt-get update -y
    - apt-get install -y ca-certificates
{{- if .Values.keepalived }}
    - apt-get install -y keepalived
    - systemctl enable --now keepalived
{{- end }}
    - /usr/local/bin/install-container-runtime.sh
    - apt-get install -y kubelet={{ .Values.kubeVersion }} kubeadm={{ .Values.kubeVersion }} kubectl={{ .Values.kubeVersion }}
    - systemctl enable --now kubelet
    postKubeadmCommands:
    - mkdir -p /home/ubuntu/.kube
    - cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
    - chown ubuntu:ubuntu /home/ubuntu/.kube/config
    - mkdir -p /root/.kube
    - cp /etc/kubernetes/admin.conf /root/.kube/config
    - /usr/local/bin/harden_os.sh
    # Normally any bootstrap resources needed would be applied with a
    # ClusterResourceSet.  However instead of apply, replace must be
    # used to harden K8s.
    - /usr/local/bin/harden_k8s.sh
{{- if eq (int .Values.numWorkerMachines) 0 }}
    # Allow scheduling Pods on the control plane when there are no
    # workers.
    - kubectl --kubeconfig=/etc/kubernetes/admin.conf taint nodes --all node-role.kubernetes.io/master-
{{- end }}
    # This must be done after kubeadm as the cabpk provider relies on
    # files in /var/run, which won't persist after a reboot
    - /usr/local/bin/set_kernel_cmdline.sh
    # Required for OpenEBS support
    - /usr/local/bin/enable_iscsi.sh
    files:
{{ include "cluster.keepalived" .Values | indent 4 }}
{{ include "cluster.containerRuntime" .Values | indent 4 }}
    - path: /etc/systemd/system/containerd.service.d/override.conf
      content: |
{{ $.Files.Get "resources/override.conf" | indent 8 }}
    - path: /usr/local/bin/harden_os.sh
      permissions: '0777'
      content: |
{{ $.Files.Get "resources/harden_os.sh" | indent 8 }}
    - path: /usr/local/bin/harden_k8s.sh
      permissions: '0777'
      content: |
{{ $.Files.Get "resources/harden_k8s.sh" | indent 8 }}
    - path: /usr/local/bin/set_kernel_cmdline.sh
      permissions: '0777'
      content: |
{{ $.Files.Get "resources/set_kernel_cmdline.sh" | indent 8 }}
    - path: /usr/local/bin/enable_iscsi.sh
      permissions: '0777'
      content: |
{{ $.Files.Get "resources/enable_iscsi.sh" | indent 8 }}
{{- if eq .Values.cni "calico" }}
    - path: /etc/NetworkManager/conf.d/calico.conf
      content: |
{{ $.Files.Get "resources/calico.conf" | indent 8 }}
{{- end }}
{{- if .Values.userData }}
    users:
    - name: {{ .Values.userData.name }}
      shell: /bin/bash
      lockPassword: False # Necessary to allow password login
      passwd: {{ .Values.userData.hashedPassword }}
      sshAuthorizedKeys:
      - {{ .Values.userData.sshAuthorizedKey }}
      sudo: "ALL=(ALL) NOPASSWD:ALL"
      groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
    - name: root
      sshAuthorizedKeys:
      - {{ .Values.userData.sshAuthorizedKey }}
{{- end }}
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha5
      kind: Metal3MachineTemplate
      name: {{ .Values.clusterName }}-controlplane
    nodeDrainTimeout: 0s
  replicas: {{ .Values.numControlPlaneMachines }}
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 1
    type: RollingUpdate
  version: {{ .Values.k8sVersion }}