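# kubeadm configuration template (Jinja2, rendered by Ansible).
# Depending on the host's role it renders:
#   - InitConfiguration                (always; bootstrapTokens only when `kubetoken` is set)
#   - ClusterConfiguration             (control-plane host while no
#                                       `KubernetesMasterConfigured_<cluster>` group exists,
#                                       presumably the first control-plane node)
#   - JoinConfiguration                (workers, and control-plane hosts once that group exists)
#   - KubeProxyConfiguration + KubeletConfiguration (always)
# Every templated scalar is quoted so an empty or number-looking expansion
# cannot change the YAML type of the field (an empty plain value becomes null).
# NOTE(review): once rendered this file holds the bootstrap token and the
# certificate key; confirm the task that writes it uses restrictive file
# permissions and does not log the rendered content.
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
{% if kubetoken is defined %}
bootstrapTokens:
  # Short-lived join token; 24h bounds how long a leaked token is usable.
  - token: "{{ kubetoken.stdout }}"
    description: "kubeadm bootstrap token"
    ttl: "24h"
{% endif %}
nodeRegistration:
{% if kubernetes_cri == "containerd" %}
  criSocket: "/run/containerd/containerd.sock"
{% elif kubernetes_cri == "cri-o" %}
  criSocket: "/var/run/crio/crio.sock"
{% elif kubernetes_cri == "docker" %}
  criSocket: "/var/run/docker.sock"
{% endif %}
{% if false %}
  # Disabled sample: pins the node name and taints the node. kubeadm already
  # taints control-plane nodes during init, so this is normally not needed.
  name: "ec2-10-100-0-1"
  taints:
    - key: "kubeadmNode"
      value: "master"
      effect: "NoSchedule"
{% endif %}
  # Flags passed to the kubelet; a flag here overrides the same setting in the
  # KubeletConfiguration document further down (flags win over the config file).
  kubeletExtraArgs:
{% if ansible_service_mgr == "systemd" %}
    cgroup-driver: "systemd"
{% endif %}
    container-runtime: "remote"
    runtime-request-timeout: "5m"
{% if kubernetes_cri == "containerd" %}
    container-runtime-endpoint: "unix:///run/containerd/containerd.sock"
{% elif kubernetes_cri == "cri-o" %}
    container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
{% endif %}
    # NOTE(review): for kubernetes_cri == "docker" a criSocket is set above but
    # no container-runtime-endpoint is rendered while container-runtime stays
    # "remote"; the kubelet's built-in default endpoint then applies — confirm
    # that is intended for the docker path.
    # Address the API server uses to reach this kubelet (exec/logs/port-forward).
    node-ip: "{{ ansible_default_ipv4.address }}"
    # Kept disabled on purpose: kubeadm's KubeletConfiguration defaults
    # readOnlyPort to 0, which turns the unauthenticated kubelet port off.
    # read-only-port: "10255"
  # SystemVerification skips kubeadm's kernel/OS support checks on every host.
  # NumCPU is only skipped on untainted control-plane nodes (presumably small
  # nodes that also run workloads — confirm).
  ignorePreflightErrors:
    - SystemVerification
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
    - NumCPU
{% endif %}
{% if true == false %}
    # Disabled: kubeadm has to run as root anyway, so this check should stay on.
    - IsPrivilegedUser
{% endif %}
localAPIEndpoint:
  advertiseAddress: "{{ ansible_default_ipv4.address }}"
  bindPort: 6443
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
# Decrypts the control-plane certificates uploaded by the first control-plane
# node; treat it like a private key.
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
# NOTE(review): "stable" resolves to the newest Kubernetes release at install
# time, so the cluster version can drift from the installed kubelet packages
# and from what the settings below were written for. Pin this to the version
# the packages were installed at (a variable from the package task; not
# visible in this file).
kubernetesVersion: stable
{% if lbip_kubeapiserver is defined %}
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
{% else %}
controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
{% endif %}
apiServer:
  extraArgs:
    # NOTE(review): PodSecurityPolicy was removed from the API server in
    # Kubernetes v1.25; with an unpinned kubernetesVersion this plugin name
    # stops the API server from starting on current releases. Its replacement
    # is the built-in PodSecurity admission (namespace
    # pod-security.kubernetes.io/* labels) — migrate before upgrading rather
    # than dropping the plugin, which would remove pod hardening entirely.
    enable-admission-plugins: "NodeRestriction,PodSecurityPolicy"
    authorization-mode: "Node,RBAC"
    # Audit logging to a host path; rotation bounded by maxage/maxbackup/maxsize.
    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
    audit-log-path: "/var/log/apiserver/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
{% if false %}
    # Falco (disabled): ships audit events to a webhook in addition to the file.
    audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
    audit-webhook-batch-max-wait: "5s"
{% endif %}
  extraVolumes:
    # The API server writes the audit log, so this mount must stay writable.
    - name: "audit-log"
      hostPath: "/var/log/apiserver"
      mountPath: "/var/log/apiserver"
      readOnly: false
      pathType: DirectoryOrCreate
    # The API server only reads the policy; mounting it read-only keeps a
    # compromised API server container from rewriting what gets audited.
    - name: "audit-policies"
      hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
      mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
      readOnly: true
      pathType: File
{% if lb_kubemaster is defined %}
  # Extra name in the API server certificate so clients that connect through
  # the load balancer can validate it.
  certSANs:
    - "{{ lb_kubemaster }}"
{% endif %}
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
networking:
  podSubnet: "{{ kubernetes_pods_network }}"
{% endif %}
# bind-address 0.0.0.0 exposes the controller-manager and scheduler secure
# ports on every interface (presumably for metrics scraping). Those endpoints
# authenticate requests, but restrict reachability with the host firewall or a
# network policy so only the scrapers can connect.
controllerManager:
  extraArgs:
    bind-address: "0.0.0.0"
scheduler:
  extraArgs:
    bind-address: "0.0.0.0"
etcd:
  local:
    extraArgs:
      # Plain HTTP and unauthenticated: etcd /metrics and /health become
      # reachable from any interface. Limit access at the host firewall or bind
      # to the node address instead of 0.0.0.0.
      listen-metrics-urls: "http://0.0.0.0:2381"
{% endif %}
{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
{% if kubernetes_master|bool %}
controlPlane:
  localAPIEndpoint:
    advertiseAddress: "{{ ansible_default_ipv4.address }}"
    bindPort: 6443
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
  certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
{% endif %}
discovery:
  bootstrapToken:
    # NOTE(review): lb_kubemaster is used unguarded here although it is
    # optional for certSANs above; rendering fails for a joining node when it
    # is undefined, and the name used here has to be covered by the control
    # plane's certificate SANs for discovery to validate.
    apiServerEndpoint: "{{ lb_kubemaster }}:6443"
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
    # Pinning the CA hash is what lets the joining node trust the discovered
    # cluster; without it kubeadm refuses discovery unless
    # unsafeSkipCAVerification is set (it is not, keep it that way). If this
    # group is absent no token or hash is rendered and the join fails closed.
    caCertHashes:
      - "sha256:{{ cacerthash.stdout }}"
    token: "{{ kubetoken.stdout }}"
{% endif %}
nodeRegistration:
  kubeletExtraArgs:
    node-ip: "{{ ansible_default_ipv4.address }}"
    # Kept disabled on purpose (see InitConfiguration above).
    # read-only-port: "10255"
  ignorePreflightErrors:
    - SystemVerification
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
    - NumCPU
{% endif %}
{% endif %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# kube-proxy /metrics on every interface, served without authentication;
# restrict reachability at the host firewall.
metricsBindAddress: "0.0.0.0:10249"
{% if kubernetes_kubeproxy_mode is defined %}
# Quoted: mode is a string enum (iptables, ipvs, ...).
mode: "{{ kubernetes_kubeproxy_mode }}"
{% if kubernetes_kubeproxy_mode == "ipvs" %}
ipvs:
  # NOTE(review): presumably set for an L2 load balancer so only the node that
  # owns a service address answers ARP for it — confirm.
  strictARP: true
{% endif %}
{% endif %}
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
runtimeRequestTimeout: "5m"
{% if ansible_service_mgr == "systemd" %}
# Agrees with the cgroup-driver flag in kubeletExtraArgs; the flag wins if they
# ever diverge.
cgroupDriver: systemd
{% endif %}
{% if false %}
# Disabled block. Before re-enabling:
#   - readOnlyPort is disabled with 0 (kubeadm's default), not 1;
#   - systemReserved is a mapping in KubeletConfiguration (cpu/memory keys),
#     not a flag-style "k=v,k=v" string.
readOnlyPort: 1
systemReserved: cpu=200m,memory=200M
containerRuntime: remote
{% if kubernetes_cri == "containerd" %}
containerRuntimeEndpoint: "unix:///run/containerd/containerd.sock"
{% elif kubernetes_cri == "cri-o" %}
containerRuntimeEndpoint: "unix:///var/run/crio/crio.sock"
{% endif %}
{% endif %}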