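# kubeadm configuration rendered by Ansible (Jinja2). One file, several YAML
# documents: InitConfiguration (always), ClusterConfiguration (first control
# plane only), JoinConfiguration (workers and additional control planes), then
# KubeProxyConfiguration and KubeletConfiguration (always).
# Every templated scalar is quoted so that an empty, boolean-looking or
# numeric-looking expansion cannot change the parsed type.
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
{% if kubetoken is defined %}
bootstrapTokens:
  - token: "{{ kubetoken.stdout }}"
    description: "kubeadm bootstrap token"
    ttl: "24h"
{% endif %}
nodeRegistration:
  # CRI sockets carry the unix:// scheme, consistent with the
  # container-runtime-endpoint values further down.
{% if kubernetes_cri == "containerd" %}
  criSocket: "unix:///run/containerd/containerd.sock"
{% elif kubernetes_cri == "cri-o" %}
  criSocket: "unix:///var/run/crio/crio.sock"
{% elif kubernetes_cri == "docker" %}
  # NOTE(review): dockershim was removed in Kubernetes 1.24; with
  # kubernetesVersion "stable" this branch presumably needs cri-dockerd rather
  # than the bare Docker socket — confirm against the target version.
  criSocket: "unix:///var/run/docker.sock"
{% endif %}
  name: "{{ ansible_hostname }}"
  # Kept for reference; previously behind an always-false template guard.
  # imagePullPolicy: IfNotPresent
  # taints:
  #   - key: "kubeadmNode"
  #     value: "master"
  #     effect: "NoSchedule"
  kubeletExtraArgs:
{% if ansible_service_mgr == "systemd" %}
    # Duplicates cgroupDriver in the KubeletConfiguration document below; the
    # KubeletConfiguration field is the supported form, the flag is legacy.
    cgroup-driver: "systemd"
{% endif %}
    # NOTE(review): --container-runtime was removed from the kubelet in 1.27 and
    # --container-runtime-endpoint moved to KubeletConfiguration
    # (containerRuntimeEndpoint); verify these flags against the target version.
    container-runtime: "remote"
    # Same value as runtimeRequestTimeout in the KubeletConfiguration below.
    runtime-request-timeout: "5m"
{% if kubernetes_cri == "containerd" %}
    container-runtime-endpoint: "unix:///run/containerd/containerd.sock"
{% elif kubernetes_cri == "cri-o" %}
    container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
{% endif %}
    node-ip: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
    # The kubelet read-only port (10255) serves pod specs and node stats with
    # no authentication. It stays closed here, matching the JoinConfiguration
    # below, so control-plane and joined nodes expose the same surface;
    # scrapers should use the authenticated kubelet port (10250) instead.
    read-only-port: "0"
  ignorePreflightErrors:
    - SystemVerification
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
    - NumCPU
{% endif %}
    # - IsPrivilegedUser  (previously behind an always-false template guard)
localAPIEndpoint:
  advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
  bindPort: 6443
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
# "stable" is resolved by kubeadm at init time, so the deployed version is not
# pinned by this template; pin an explicit version for reproducible rollouts.
kubernetesVersion: stable
{% if lbip_kubeapiserver is defined %}
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
{% else %}
controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}:6443"
{% endif %}
apiServer:
  extraArgs:
    enable-admission-plugins: NodeRestriction
    authorization-mode: "Node,RBAC"
    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
    audit-log-path: "/var/log/apiserver/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
    # Falco audit webhook (disabled; previously behind an always-false guard)
    # audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
    # audit-webhook-batch-max-wait: "5s"
  extraVolumes:
    # The audit log directory must stay writable for the API server.
    - name: "audit-log"
      hostPath: "/var/log/apiserver"
      mountPath: "/var/log/apiserver"
      readOnly: false
      pathType: DirectoryOrCreate
    # The audit policy is only read by the API server; mount it read-only so
    # the API server process cannot rewrite its own audit policy.
    - name: "audit-policies"
      hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
      mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
      readOnly: true
      pathType: File
{% if lb_kubemaster is defined %}
  certSANs:
    - "{{ lb_kubemaster }}"
{% endif %}
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
networking:
  podSubnet: "{{ kubernetes_pods_network }}"
{% endif %}
# bind-address 0.0.0.0 exposes the controller-manager and scheduler
# metrics/healthz endpoints, and the etcd metrics URL, on every node interface
# (the kubeadm default binds them to 127.0.0.1). Keep them reachable only from
# the monitoring network via host firewall or network policy.
controllerManager:
  extraArgs:
    bind-address: "0.0.0.0"
scheduler:
  extraArgs:
    bind-address: "0.0.0.0"
etcd:
  local:
    dataDir: /var/lib/etcd
    extraArgs:
      listen-metrics-urls: "http://0.0.0.0:2381"
{% endif %}
{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: JoinConfiguration
{% if kubernetes_master|bool %}
controlPlane:
  localAPIEndpoint:
    advertiseAddress: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
    bindPort: 6443
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
  certificateKey: "{{ kubernetes_certificateKey.stdout }}"
{% endif %}
{% endif %}
discovery:
  bootstrapToken:
    apiServerEndpoint: "{{ lb_kubemaster }}:6443"
{% if groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
    # Pinning the CA hash lets the join verify the control-plane identity
    # before trusting the bootstrap token.
    caCertHashes:
      - "sha256:{{ cacerthash.stdout }}"
    token: "{{ kubetoken.stdout }}"
{% endif %}
    # NOTE(review): when the configured-master group is undefined, neither
    # token nor caCertHashes is rendered for a worker; presumably the play only
    # runs the join once that group exists — confirm against the playbook.
nodeRegistration:
  kubeletExtraArgs:
    node-ip: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv4.address }}"
    # Unauthenticated read-only port stays disabled (kubelet default).
    # read-only-port: "10255"
  ignorePreflightErrors:
    - SystemVerification
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
    - NumCPU
{% endif %}
{% endif %}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# Exposes kube-proxy metrics on all interfaces (default is 127.0.0.1:10249);
# restrict at the host firewall if the node network is not trusted.
metricsBindAddress: "0.0.0.0:10249"
{% if kubernetes_kubeproxy_mode is defined %}
mode: "{{ kubernetes_kubeproxy_mode }}"
{% if kubernetes_kubeproxy_mode == "ipvs" %}
ipvs:
  strictARP: true
{% endif %}
{% endif %}
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# The commented entries below mirror the kubeadm-generated kubelet defaults;
# only the uncommented keys are overridden by this template.
#authentication:
#  anonymous:
#    enabled: false
#  webhook:
#    cacheTTL: 2m0s
#    enabled: true
#  x509:
#    clientCAFile: /etc/kubernetes/pki/ca.crt
#authorization:
#  mode: Webhook
#  webhook:
#    cacheAuthorizedTTL: 5m0s
#    cacheUnauthorizedTTL: 30s
{% if ansible_service_mgr == "systemd" %}
cgroupDriver: systemd
{% endif %}
#cgroupsPerQOS: true
#clusterDNS:
#- 10.96.0.10
#clusterDomain: cluster.local
#configMapAndSecretChangeDetectionStrategy: Watch
#containerLogMaxFiles: 5
#containerLogMaxSize: 10Mi
#contentType: application/vnd.kubernetes.protobuf
#cpuCFSQuota: true
#cpuCFSQuotaPeriod: 100ms
#cpuManagerPolicy: none
#cpuManagerReconcilePeriod: 10s
#enableControllerAttachDetach: true
#enableDebuggingHandlers: true
#enforceNodeAllocatable:
#- pods
#eventBurst: 10
#eventRecordQPS: 5
#evictionHard:
#  imagefs.available: 15%
#  memory.available: 500Mi
#  nodefs.available: 10%
#  nodefs.inodesFree: 5%
#evictionPressureTransitionPeriod: 5m0s
#failSwapOn: true
#fileCheckFrequency: 20s
#hairpinMode: promiscuous-bridge
#healthzBindAddress: 127.0.0.1
#healthzPort: 10248
#httpCheckFrequency: 20s
#imageGCHighThresholdPercent: 85
#imageGCLowThresholdPercent: 80
#imageMinimumGCAge: 2m0s
#iptablesDropBit: 15
#iptablesMasqueradeBit: 14
#kubeAPIBurst: 10
#kubeAPIQPS: 5
#logging: {}
#makeIPTablesUtilChains: true
#maxOpenFiles: 1000000
#maxPods: 110
#memorySwap: {}
#nodeLeaseDurationSeconds: 40
#nodeStatusReportFrequency: 1m0s
#nodeStatusUpdateFrequency: 10s
#oomScoreAdj: -999
#podPidsLimit: -1
#port: 10250
#registryBurst: 10
#registryPullQPS: 5
#resolvConf: /etc/resolv.conf
#rotateCertificates: true
runtimeRequestTimeout: 5m
#serializeImagePulls: true
#shutdownGracePeriod: 0s
#shutdownGracePeriodCriticalPods: 0s
#staticPodPath: /etc/kubernetes/manifests
#streamingConnectionIdleTimeout: 4h0m0s
#syncFrequency: 1m0s
#topologyManagerPolicy: none
#volumeStatsAggPeriod: 1m0s
# Experimental settings kept for reference; previously behind an always-false
# template guard. containerRuntimeEndpoint is the KubeletConfiguration
# replacement for the --container-runtime-endpoint flag used above.
#readOnlyPort: 1
#systemReserved: cpu=200m,memory=200M
#containerRuntime: remote
#containerRuntimeEndpoint: "unix:///run/containerd/containerd.sock"   # containerd
#containerRuntimeEndpoint: "unix:///var/run/crio/crio.sock"           # cri-o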