typhoon/digital-ocean/container-linux/kubernetes/cl/worker.yaml

---
systemd:
  units:
    - name: docker.service
      enabled: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
      enabled: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
        Wants=systemd-resolved.service
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
      contents: |
        [Unit]
        Description=Kubelet
        Requires=coreos-metadata.service
        After=coreos-metadata.service
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_IMAGE=docker://quay.io/poseidon/kubelet:v1.19.3
        EnvironmentFile=/run/metadata/coreos
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
        ExecStartPre=/bin/mkdir -p /var/lib/calico
        ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
        ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
        ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid
        ExecStart=/usr/bin/rkt run \
          --uuid-file-save=/var/cache/kubelet-pod.uuid \
          --stage1-from-dir=stage1-fly.aci \
          --hosts-entry host \
          --insecure-options=image \
          --volume etc-kubernetes,kind=host,source=/etc/kubernetes,readOnly=true \
          --mount volume=etc-kubernetes,target=/etc/kubernetes \
          --volume etc-machine-id,kind=host,source=/etc/machine-id,readOnly=true \
          --mount volume=etc-machine-id,target=/etc/machine-id \
          --volume etc-os-release,kind=host,source=/usr/lib/os-release,readOnly=true \
          --mount volume=etc-os-release,target=/etc/os-release \
          --volume=etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \
          --mount volume=etc-resolv,target=/etc/resolv.conf \
          --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
          --mount volume=etc-ssl-certs,target=/etc/ssl/certs \
          --volume lib-modules,kind=host,source=/lib/modules,readOnly=true \
          --mount volume=lib-modules,target=/lib/modules \
          --volume run,kind=host,source=/run \
          --mount volume=run,target=/run \
          --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
          --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
          --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
          --mount volume=var-lib-calico,target=/var/lib/calico \
          --volume var-lib-docker,kind=host,source=/var/lib/docker \
          --mount volume=var-lib-docker,target=/var/lib/docker \
          --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,recursive=true \
          --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
          --volume var-log,kind=host,source=/var/log \
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
          $${KUBELET_IMAGE} -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --healthz-port=0 \
          --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \
          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --rotate-certificates \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target
    - name: delete-node.service
      enabled: true
      contents: |
        [Unit]
        Description=Waiting to delete Kubernetes node on shutdown
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/true
        ExecStop=/etc/kubernetes/delete-node
        [Install]
        WantedBy=multi-user.target
storage:
  directories:
    - path: /etc/kubernetes
      filesystem: root
      mode: 0755
  files:
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      mode: 0644
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/kubernetes/delete-node
      filesystem: root
      mode: 0744
      contents:
        inline: |
          #!/bin/bash
          set -e
          exec /usr/bin/rkt run \
            --trust-keys-from-https \
            --volume config,kind=host,source=/etc/kubernetes \
            --mount volume=config,target=/etc/kubernetes \
            --insecure-options=image \
            docker://quay.io/poseidon/kubelet:v1.19.3 \
            --net=host \
            --dns=host \
            --exec=/usr/local/bin/kubectl -- --kubeconfig=/etc/kubernetes/kubeconfig delete node $(hostname)