apiVersion: v1
kind: Secret
metadata:
  labels:
    airshipit.org/ephemeral-user-data: "true"
    airshipit.org/deploy-k8s: "false"
  name: ephemeral-bmc-secret # replacement rules key off this name
type: Opaque
data:
  userData: null
stringData:
  # These substrings must be overriden via the `replacements` entrypoint and networking catalogue:
  # REPLACEMENT_CP_IP, REPLACEMENT_CP_PORT, REPLACEMENT_CERT_SANS, REPLACEMENT_POD_CIDR
  # TODO: add download sources to the versions catalogue
  userData: |
    #cloud-config
    # Expect that packages are already installed in base image
    package_update: false
    ssh_pwauth: True
    chpasswd:
      list: |
          root:REPLACEMENT_ISO_PASSWORD_ROOT
          deployer:REPLACEMENT_ISO_PASSWORD_DEPLOYER
      expire: False
    users:
      - default
      - name: deployer
        gecos: deployer
        ssh_pwauth: True
    runcmd:
    - mkdir -p /etc/containerd
    - containerd config default | sed -r -e '/\[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc\]$/a\          SystemdCgroup = true' | tee /etc/containerd/config.toml
    - systemctl daemon-reload
    - systemctl restart containerd
    - systemctl restart docker
    - /bin/bash -c 'kernel_libsubdir="$(ls /lib/modules | head -1)"; config_dir="/lib/modules/${kernel_libsubdir}/build"; mkdir -p "${config_dir}"; if [ -f /run/live/medium/config ] && [ ! -f "${config_dir}/.config" ]; then ln -s /run/live/medium/config "${config_dir}/.config"; fi;'
    - kubeadm init --config /tmp/kubeadm.yaml
    - mkdir -p /opt/metal3-dev-env/ironic/html/images
    write_files:
    - path: /etc/systemd/system/containerd.service.d/http-proxy.conf
      permissions: '0644'
      owner: root:root
      content: |
        [Service]
        Environment="HTTP_PROXY=REPLACEMENT_HTTP_PROXY"
        Environment="HTTPS_PROXY=REPLACEMENT_HTTPS_PROXY"
        Environment="NO_PROXY=REPLACEMENT_NO_PROXY"
    - content: |
        apiVersion: v1
        clusters:
        - cluster:
            certificate-authority-data: REPLACEMENT_CP_KUBECONFIG_CA_CERT
            server: https://REPLACEMENT_CP_IP:REPLACEMENT_CP_PORT
          name: kubernetes
        contexts:
        - context:
            cluster: kubernetes
            user: kubernetes-admin
          name: kubernetes-admin@kubernetes
        current-context: kubernetes-admin@kubernetes
        kind: Config
        preferences: {}
        users:
        - name: kubernetes-admin
          user:
            client-certificate-data: REPLACEMENT_CP_KUBECONFIG_ADMIN_CERT
            client-key-data: REPLACEMENT_CP_KUBECONFIG_ADMIN_KEY
      owner: root:root
      path: /etc/kubernetes/admin.conf
      permissions: "0640"
    - content: |
        REPLACEMENT_CP_CA_CERT
      encoding: base64
      owner: root:root
      path: /etc/kubernetes/pki/ca.crt
      permissions: "0640"
    - content: |
        REPLACEMENT_CP_CA_KEY
      encoding: base64
      owner: root:root
      path: /etc/kubernetes/pki/ca.key
      permissions: "0600"
    - content: |
        ---
        apiServer:
          certSANs: REPLACEMENT_CERT_SANS
        imageRepository: REPLACEMENT_IMAGE_REPOSITORY
        apiVersion: kubeadm.k8s.io/v1beta2
        controllerManager: {}
        dns:
          type: ""
        etcd: {}
        kind: ClusterConfiguration
        networking:
          podSubnet: REPLACEMENT_POD_CIDR
        scheduler: {}
        ---
        apiVersion: kubeadm.k8s.io/v1beta2
        kind: InitConfiguration
        localAPIEndpoint:
          advertiseAddress: REPLACEMENT_CP_IP
          bindPort: REPLACEMENT_CP_PORT
        nodeRegistration:
          ignorePreflightErrors:
          - NumCPU
          - SystemVerification
          taints: []
          kubeletExtraArgs:
            cgroup-driver: "systemd"
            container-runtime: remote
          criSocket: "unix:///run/containerd/containerd.sock"
      owner: root:root
      path: /tmp/kubeadm.yaml
      permissions: "0640"
    bootcmd:
    - NEED_MB=16384 # MB of storage needed for ironic images & bindmounts
    - FREE_MB=$(df -m --output=avail /var/lib | tail -n 1)
    - mkdir /mnt/ephemeral
      # if there's enough memory-backed storage, mount an available disk
    - if [ ${FREE_MB} -ge ${NEED_MB} ]; then
    -   mkdir -p /var/lib/images
    -   truncate -s ${NEED_MB}M /var/lib/images/ephemeral.img
    -   mkfs.ext4 /var/lib/images/ephemeral.img
    -   mount /var/lib/images/ephemeral.img /mnt/ephemeral
      # Use vda if provided by a hypervisor
    - elif [ -e /dev/vda ]; then
    -   mkfs.ext4 /dev/vda
    -   mount /dev/vda /mnt/ephemeral
      # Fall back to sda
    - elif [ -e /dev/sda ]; then
    -   mkfs.ext4 -F /dev/sda
    -   mount /dev/sda /mnt/ephemeral
    - else
    -   echo "Not enough RAM to host images, and no available disks found"
    -   exit 1
    - fi
    - mkdir -p /opt/metal3-dev-env/ironic/html/images
    - mkdir -p /mnt/ephemeral/opt/metal3-dev-env/ironic/html/images
    - mount --bind /mnt/ephemeral/opt/metal3-dev-env/ironic/html/images /opt/metal3-dev-env/ironic/html/images
    - mkdir -p /var/lib/containerd /mnt/ephemeral/var/lib/containerd
    - mount --bind /mnt/ephemeral/var/lib/containerd /var/lib/containerd
    - mkdir -p /var/lib/docker /mnt/ephemeral/var/lib/docker
    - mount --bind /mnt/ephemeral/var/lib/docker /var/lib/docker
    - mkdir -p /var/lib/docker-engine /mnt/ephemeral/var/lib/docker-engine
    - mount --bind /mnt/ephemeral/var/lib/docker-engine /var/lib/docker-engine
    - mkdir -p /mnt/ephemeral/var/lib/kubelet/ /var/lib/kubelet/
    - mount --bind /mnt/ephemeral/var/lib/kubelet/ /var/lib/kubelet/