typhoon/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml

variant: flatcar
version: 1.0.0
systemd:
  units:
    - name: docker.service
      enabled: true
    - name: locksmithd.service
      mask: true
    - name: wait-for-dns.service
      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
        Wants=systemd-resolved.service
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
      enabled: true
      contents: |
        [Unit]
        Description=Kubelet
        Requires=docker.service
        After=docker.service
        Requires=coreos-metadata.service
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.29.3
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
        ExecStartPre=/bin/mkdir -p /var/lib/calico
        ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
        ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
        # Podman, rkt, or runc run container processes, whereas docker run
        # is a client to a daemon and requires workarounds to use within a
        # systemd unit. https://github.com/moby/moby/issues/6791
        ExecStartPre=/usr/bin/docker run -d \
          --name kubelet \
          --privileged \
          --pid host \
          --network host \
          -v /etc/cni/net.d:/etc/cni/net.d:ro \
          -v /etc/kubernetes:/etc/kubernetes:ro \
          -v /etc/machine-id:/etc/machine-id:ro \
          -v /usr/lib/os-release:/etc/os-release:ro \
          -v /lib/modules:/lib/modules:ro \
          -v /run:/run \
          -v /sys/fs/cgroup:/sys/fs/cgroup \
          -v /var/lib/calico:/var/lib/calico:ro \
          -v /var/lib/containerd:/var/lib/containerd \
          -v /var/lib/kubelet:/var/lib/kubelet:rshared \
          -v /var/log:/var/log \
          -v /opt/cni/bin:/opt/cni/bin \
          $${KUBELET_IMAGE} \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --config=/etc/kubernetes/kubelet.yaml \
          --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in split(",", node_labels) ~}
          --node-labels=${label} \
          %{~ endfor ~}
          %{~ for taint in split(",", node_taints) ~}
          --register-with-taints=${taint} \
          %{~ endfor ~}
          --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID}
        ExecStart=docker logs -f kubelet
        ExecStop=docker stop kubelet
        ExecStopPost=docker rm kubelet
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target
storage:
  files:
    - path: /etc/kubernetes/kubeconfig
      mode: 0644
      contents:
        inline: |
          ${kubeconfig}
    - path: /etc/kubernetes/kubelet.yaml
      mode: 0644
      contents:
        inline: |
          apiVersion: kubelet.config.k8s.io/v1beta1
          kind: KubeletConfiguration
          authentication:
            anonymous:
              enabled: false
            webhook:
              enabled: true
            x509:
              clientCAFile: /etc/kubernetes/ca.crt
          authorization:
            mode: Webhook
          cgroupDriver: systemd
          clusterDNS:
            - ${cluster_dns_service_ip}
          clusterDomain: ${cluster_domain_suffix}
          healthzPort: 0
          rotateCertificates: true
          shutdownGracePeriod: 45s
          shutdownGracePeriodCriticalPods: 30s
          staticPodPath: /etc/kubernetes/manifests
          readOnlyPort: 0
          resolvConf: /run/systemd/resolve/resolv.conf
          volumePluginDir: /var/lib/kubelet/volumeplugins
    - path: /etc/systemd/logind.conf.d/inhibitors.conf
      contents:
        inline: |
          [Login]
          InhibitDelayMaxSec=45s
    - path: /etc/sysctl.d/max-user-watches.conf
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - "${ssh_authorized_key}"