#cloud-config
write_files:
  - path: /etc/systemd/system/enable-kubelet.service
    owner: "root:root"
    permissions: "0644"
    content: |
      [Unit]
      Description=Enable Kubelet

      [Service]
      Type=oneshot
      EnvironmentFile=/etc/sysconfig/heat-params
      ExecStart=/etc/sysconfig/enable-kubelet-minion.sh

      [Install]
      WantedBy=multi-user.target

  - path: /etc/sysconfig/enable-kubelet-minion.sh
    owner: "root:root"
    permissions: "0755"
    content: |
      #!/bin/sh

      if [ -z "${KUBE_NODE_IP}" ]; then
        KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
      fi

      if [ -n "${INSECURE_REGISTRY_URL}" ]; then
          INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
      else
          INSECURE_REGISTRY_ARGS=""
      fi

      TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
      TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
      KUBE_PROTOCOL="https"
      KUBE_CONFIG="/etc/kubernetes/config/worker-kubeconfig.yaml"
      if [ "$TLS_DISABLED" == "True" ]; then
        TLS_CERT_FILE=
        TLS_PRIVATE_KEY_FILE=
        KUBE_PROTOCOL="http"
        KUBE_CONFIG=
      fi
      KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"

      HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')

      uuid_file="/var/run/kubelet-pod.uuid"
      CONF_FILE=/etc/systemd/system/kubelet.service
      cat > $CONF_FILE <<EOF
      [Service]
      EnvironmentFile=/etc/environment
      Environment=KUBELET_VERSION=${KUBE_VERSION}
      Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
      Environment="RKT_OPTS=--uuid-file-save=${uuid_file} \
        --volume dns,kind=host,source=/etc/resolv.conf \
        --mount volume=dns,target=/etc/resolv.conf \
        --volume rkt,kind=host,source=/opt/bin/host-rkt \
        --mount volume=rkt,target=/usr/bin/rkt \
        --volume var-lib-rkt,kind=host,source=/var/lib/rkt \
        --mount volume=var-lib-rkt,target=/var/lib/rkt \
        --volume stage,kind=host,source=/tmp \
        --mount volume=stage,target=/tmp \
        --volume var-log,kind=host,source=/var/log \
        --mount volume=var-log,target=/var/log"
      ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
      ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
      ExecStartPre=/usr/bin/mkdir -p /var/log/containers
      ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
      ExecStart=/usr/lib/coreos/kubelet-wrapper \
        --api-servers=${KUBE_MASTER_URI} \
        --cni-conf-dir=/etc/kubernetes/cni/net.d \
        --network-plugin=cni \
        --hostname-override=${HOSTNAME_OVERRIDE} \
        --container-runtime=${CONTAINER_RUNTIME} \
        --allow-privileged=true \
        --pod-manifest-path=/etc/kubernetes/manifests \
        --logtostderr=true \
        --v=0 \
        --cadvisor-port=4194 \
        --kubeconfig=${KUBE_CONFIG} \
        --tls-cert-file=${TLS_CERT_FILE} \
        --tls-private-key-file=${TLS_PRIVATE_KEY_FILE} \
        --cluster_dns=${DNS_SERVICE_IP} \
        --cluster_domain=${DNS_CLUSTER_DOMAIN} \
        ${INSECURE_REGISTRY_ARGS}
      Restart=always
      RestartSec=10
      ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
      [Install]
      WantedBy=multi-user.target
      EOF

      TEMPLATE=/opt/bin/host-rkt
      mkdir -p $(dirname $TEMPLATE)
      cat << EOF > $TEMPLATE
      #!/bin/sh
      # This is bind mounted into the kubelet rootfs and all rkt shell-outs go
      # through this rkt wrapper. It essentially enters the host mount namespace
      # (which it is already in) only for the purpose of breaking out of the chroot
      # before calling rkt. It makes things like rkt gc work and avoids bind mounting
      # in certain rkt filesystem dependancies into the kubelet rootfs. This can
      # eventually be obviated when the write-api stuff gets upstream and rkt gc is
      # through the api-server. Related issue:
      # https://github.com/coreos/rkt/issues/2878
      exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
      EOF

      systemctl enable kubelet
      systemctl --no-block start kubelet