@Ichbinjoe
Created June 27, 2021 00:16
# Butane config, FCOS variant (rendered to Ignition with `butane`).
# The `{{.hostname}}`, `{{.vault_key}}` and `{{.vault_crt}}` placeholders used
# throughout are expanded before Butane sees this file — presumably by the
# provisioning tooling that serves it; confirm against that tooling.
variant: fcos
version: 1.2.0
passwd:
  users:
    - name: core
      # NOTE(review): this is an MD5-crypt (`$1$`) hash published in a public
      # gist. MD5-crypt is weak by current standards; rotate the password and
      # regenerate the hash with a stronger crypt(3) scheme (SHA-512 or yescrypt).
      password_hash: $1$Tl/oqLxt$r51.Qdtd50jxJPvCdW9cO0
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxTPaIwBsZIeJniHYe75gdm5p0M5J7KWtJxbk60ZMhxaq/cl/s0NBCX+UOzL9EFEMeUCQdslJ1g6BgNeYc1rMaPbYYPfYE/kcFO9e4vi7Wnjiv/2cyF+IUIPoi4FSOsQWCWt6eAciWjtGvVB1i2Cx6qr2dzutukdT3Ts5u3DnCKhbxmSUMZLOb8Iof4lu6rjOwJ31/7+Hn5nsL0JaAA8TnVMxhDbqw21dpPCsNoe1Jff1/rYcZsgqkoVOtOOERD1HtxADHWQFiQuswKilAsOzTLyYQLosRnK8Pu7O5tmdoe0lDIHnrMjIpvMT0l9PnqvvWjsTu9ZeBaPKxdcQLfuWv joe@xps.ibj.io
storage:
  # Disk partitioning is commented out: the `node-state` partition used by
  # `filesystems` below is expected to exist on the disk already.
  # disks:
  #   # Bay #1
  #   - device: /dev/disk/by-path/pci-0000:00:1f.2-ata-1
  #     wipe_table: false
  #     partitions:
  #       - size_mib: 100000
  #         start_mib: 5000
  #         label: node-state
  filesystems:
    # Persistent /var on the node-state partition; an existing filesystem is
    # kept (wipe_filesystem: false) and a systemd mount unit is generated.
    - path: /var
      device: /dev/disk/by-partlabel/node-state
      format: ext4
      wipe_filesystem: false
      with_mount_unit: true
  directories:
    # `mode` values are octal integers. Butane's YAML parser reads the
    # leading-zero literal as octal (the Butane docs use `mode: 0644` the same
    # way); do not quote them — a quoted "0755" would be a string.
    # - path: /var/lib/rook
    #   overwrite: true
    - path: /var/etcd
      user:
        name: root
      group:
        name: root
    - path: /var/lib/containers
      user:
        name: root
      group:
        name: root
      overwrite: true
    - path: /var/lib/kubelet
      user:
        name: root
      group:
        name: root
      overwrite: true
    # Certificate drop directories rendered by the vault agent (see
    # /etc/vault/config.hcl). NOTE(review): owner uid 100 is not defined
    # anywhere in this config (no passwd entry) — confirm which account that
    # is and why it needs ownership of directories holding private keys.
    - path: /var/etcd-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/cni
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/kubelet-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/api-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/controllermanager-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/proxy-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/scheduler-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /etc/vault
      user:
        name: root
      group:
        name: root
    - path: /etc/kubelet
      user:
        name: root
      group:
        name: root
    - path: /etc/kubelet.d
      user:
        name: root
      group:
        name: root
    - path: /usr/local/bin
      user:
        name: root
      group:
        name: root
  files:
    # Kernel sysctl: enable IPv6 forwarding (needed for pod routing).
    - path: /etc/sysctl.d/90-ipv6-forwarding.conf
      contents:
        inline: net.ipv6.conf.all.forwarding = 1
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: "{{.hostname}}"
    # Client certificate/key the vault agent authenticates with (cert auth
    # method). They arrive as `data:` URLs, so the substituted PEM is
    # presumably percent-encoded — confirm in the tooling that expands them.
    - path: /etc/vault/vault.key
      mode: 0444
      contents:
        source: "data:,{{.vault_key}}"
    - path: /etc/vault/vault.crt
      mode: 0444
      contents:
        source: "data:,{{.vault_crt}}"
    # Vault agent configuration: cert auth against leader.infra.ibj.io, then
    # one `template` stanza per certificate/key/kubeconfig rendered under
    # /var/*-certs and /var/cni.
    # NOTE(review): `tls_skip_verify="true"` disables verification of the
    # Vault server certificate, so the agent will present its client cert to
    # any host that answers on leader.infra.ibj.io:8200 and will accept
    # whatever certificates that host returns; pin the Vault server CA with
    # `ca_cert` instead and drop tls_skip_verify.
    # NOTE(review): none of the templates set `perms`, so rendered private
    # keys get the vault agent's default file mode — confirm they are not
    # world-readable inside the 0755 directories above.
    # The templates use `{[` / `]}` delimiters, presumably so vault-agent's
    # templating does not collide with the `{{.hostname}}` placeholders that
    # are substituted before this file is rendered.
    - path: /etc/vault/config.hcl
      mode: 0444
      contents:
        inline: |
          vault {
            address = "https://leader.infra.ibj.io:8200"
            tls_skip_verify="true"
            client_key="/etc/vault/vault.key"
            client_cert="/etc/vault/vault.crt"
          }
          auto_auth {
            method "cert" {
              mount_path = "auth/cert"
            }
          }
          template {
            destination = "/var/etcd-certs/client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/cert/ca\"]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/issue/server\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/issue/server\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/issue/peer\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/issue/peer\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/issue/server\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/issue/server\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/kubelet-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/proxy-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/proxy-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/controllermanager-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/controllermanager-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/scheduler-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/scheduler-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/cni/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/cni/kubeconfig.tmpl"
          }
          template {
            destination = "/var/api-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-client/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-server/issue/server\" \"common_name=api.infra.ibj.io\" \"ip_sans=fde7:76fd:7444:1000::b9d8\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-server/issue/server\" \"common_name=api.infra.ibj.io\" \"ip_sans=fde7:76fd:7444:1000::b9d8\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/api-certs/kubelet-client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/issue/client\" \"common_name={{.hostname}}i.infra.ibj.io\"]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/kubelet-client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/issue/client\" \"common_name={{.hostname}}i.infra.ibj.io\"]}{[.Data.private_key]}{[end]}"
          }
    # Kubeconfig templates consumed by the vault agent `template` stanzas above.
    # They are not valid YAML as written (values starting with `{[`); the agent
    # replaces each `{[ ... ]}` with base64 PEM before the result is read as a
    # kubeconfig.
    - path: /var/kubelet-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/node" "common_name=system:node:{{.hostname}}i.infra.ibj.io"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/node" "common_name=system:node:{{.hostname}}i.infra.ibj.io" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/controllermanager-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/controllermanager" "common_name=system:kube-controller-manager"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/controllermanager" "common_name=system:kube-controller-manager" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/proxy-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/proxy" "common_name=system:kube-proxy"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/proxy" "common_name=system:kube-proxy" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/scheduler-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/scheduler" "common_name=system:kube-scheduler"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/scheduler" "common_name=system:kube-scheduler" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/cni/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/basic" "common_name=calico-cni"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/basic" "common_name=calico-cni" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    # Binaries and libraries pulled from the leader host at first boot.
    # NOTE(review): every one of these is fetched over plain HTTP with no
    # `verification.hash`, so an on-path attacker or a compromised leader host
    # can substitute any of them (they all run as root). Butane supports
    # `contents.verification.hash: sha512-<hex>` per file — add it for each
    # artifact, and serve the assets over HTTPS.
    - path: /usr/local/bin/vault
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/vault/vault
    - path: /usr/local/bin/crio
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crio
    - path: /usr/local/bin/crio-status
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crio-status
    - path: /usr/local/bin/crun
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crun
    - path: /usr/local/bin/pinns
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/pinns
    - path: /usr/local/bin/etcd
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/etcd/etcd
    - path: /usr/local/bin/etcdctl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/etcd/etcdctl
    - path: /usr/local/bin/conmon
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/conmon
    - path: /usr/local/bin/crictl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crictl
    - path: /usr/local/bin/conntrack
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/conntrack
    - path: /usr/local/bin/tcpdump
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tcpdump
    - path: /usr/local/lib64/libipset.so.13
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/libipset.so.13.1.0
    - path: /usr/local/bin/ipset
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipset
    - path: /usr/local/bin/ipvsadm
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm
    - path: /usr/local/bin/ipvsadm-restore
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm-restore
    - path: /usr/local/bin/ipvsadm-save
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm-save
    - path: /usr/local/bin/strapper
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/strapper
    - path: /usr/local/lib/libnetfilter_conntrack.so.3
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/libnetfilter_conntrack.so.3
    - path: /usr/local/lib/libnfnetlink.so.0
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/libnfnetlink.so.0
    - path: /usr/local/bin/kubelet
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kubelet
    - path: /usr/local/bin/kube-apiserver
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-apiserver
    - path: /usr/local/bin/kube-controller-manager
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-controller-manager
    - path: /usr/local/bin/kube-proxy
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-proxy
    - path: /usr/local/bin/kube-scheduler
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-scheduler
    - path: /usr/local/bin/calicoctl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calicoctl
    - path: /opt/cni/bin/calico
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calico-amd64
    - path: /opt/cni/bin/calico-ipam
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calico-ipam-amd64
    # Service-account token signing key pair, shared by every control-plane
    # node. NOTE(review): the private key is distributed over unauthenticated
    # HTTP; anyone who can read that traffic (or reach the leader's asset
    # server) can mint valid service-account tokens for this cluster. At
    # minimum pin it with `verification.hash`; better, distribute it through
    # Vault like the other keys.
    - path: /var/api-certs/serviceaccount.key
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tls/serviceaccount.key
    - path: /var/api-certs/serviceaccount.crt
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tls/serviceaccount.crt
    # Make the libraries installed under /usr/local visible to the loader.
    - path: /etc/ld.so.conf.d/local.conf
      mode: 0444
      overwrite: true
      contents:
        inline: |
          /usr/local/lib
          /usr/local/lib64
    # Kubelet configuration. NOTE(review): `authorization.mode: AlwaysAllow`
    # grants the full kubelet API (exec, logs, port-forward, pod create via
    # static-pod paths) to any caller that passes the x509 client-CA check;
    # the kubelet default `Webhook` delegates each request to the apiserver's
    # SubjectAccessReview instead.
    - path: /etc/kubelet/config.yaml
      mode: 0444
      contents:
        inline: |
          apiVersion: kubelet.config.k8s.io/v1beta1
          kind: KubeletConfiguration
          cgroupDriver: systemd
          tlsCertFile: /var/kubelet-certs/server.crt
          tlsPrivateKeyFile: /var/kubelet-certs/server.key
          clusterDNS:
            - fde7:76fd:7444:1000::a0dc
            - 10.69.240.169
          authentication:
            x509:
              clientCAFile: /var/kubelet-certs/client.ca.crt
          authorization:
            mode: AlwaysAllow
          clusterDomain: internal.ibj.io
          featureGates:
            IPv6DualStack: true
    # CNI chain for CRI-O: calico with the kubernetes datastore, then portmap.
    - path: /etc/cni/net.d/10-crio.conf
      contents:
        inline: |
          {
            "name": "crio",
            "cniVersion": "0.3.1",
            "plugins": [
              {
                "type": "calico",
                "log_level": "info",
                "datastore_type": "kubernetes",
                "mtu": 1500,
                "ipam": {
                  "type": "calico-ipam"
                },
                "policy": {
                  "type": "k8s"
                },
                "kubernetes": {
                  "kubeconfig": "/var/cni/kubeconfig"
                }
              },
              {
                "type": "portmap",
                "snat": true,
                "capabilities": {"portMappings": true}
              }
            ]
          }
    # Keep NetworkManager off the interfaces calico creates.
    - path: /etc/NetworkManager/conf.d/calico.conf
      contents:
        inline: |
          [keyfile]
          unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico
    - path: /etc/cni/net.d/99-loopback.conf
      contents:
        inline: |
          {
            "cniVersion": "0.3.1",
            "name": "lo",
            "type": "loopback"
          }
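systemd:
  # Boot ordering: strapper-agent -> root-vault-agent-init (cert auth, exits
  # after auth and presumably renders the /var/*-certs templates once) ->
  # etcd, kubelet and the control-plane units. Every unit runs as root.
  units:
    - name: strapper-agent.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the strapper agent
        After=network-online.target
        Wants=network-online.target

        [Service]
        User=root
        Group=root
        Type=notify
        ExecStart=/usr/local/bin/strapper

        [Install]
        WantedBy=multi-user.target
    # Long-running vault agent that keeps the rendered certificates fresh.
    # NOTE(review): `Type=oneshot` together with `Restart=on-failure` — older
    # systemd releases refuse to load a oneshot unit whose Restart= is not
    # `no`, and `vault agent` without `-exit-after-auth` does not exit, so
    # `Type=simple` looks like the intended type here and in
    # root-vault-agent-init.service below; confirm on the target FCOS release.
    - name: root-vault-agent.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the root vault agent
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service

        [Service]
        Type=oneshot
        User=root
        Group=root
        Restart=on-failure
        ExecStart=/usr/local/bin/vault agent -config /etc/vault/config.hcl

        [Install]
        WantedBy=multi-user.target
    # One-shot authentication pass (`-exit-after-auth`) that the dependent
    # units below wait on.
    - name: root-vault-agent-init.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the root vault agent
        After=strapper-agent.service
        Wants=strapper-agent.service
        After=systemd-resolved.service
        Wants=systemd-resolved.service

        [Service]
        Type=oneshot
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        ExecStart=/usr/local/bin/vault agent -config /etc/vault/config.hcl -exit-after-auth

        [Install]
        WantedBy=multi-user.target
    # etcd member with mutual TLS on both the peer and client listeners; the
    # five-member `--initial-cluster` is hard-coded, so this unit assumes the
    # node is one of node1..node5.
    - name: etcd-member.service
      enabled: true
      contents: |
        [Unit]
        Description=Run an etcd node
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        StartLimitBurst=5

        [Service]
        User=root
        Group=root
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/etcd --data-dir /var/etcd --name {{.hostname}} \
          --initial-advertise-peer-urls https://{{.hostname}}i.infra.ibj.io:2380 --listen-peer-urls https://[::]:2380 \
          --advertise-client-urls https://{{.hostname}}.infra.ibj.io:2379 --listen-client-urls https://[::]:2379 \
          --initial-cluster node1=https://node1i.infra.ibj.io:2380,node2=https://node2i.infra.ibj.io:2380,node3=https://node3i.infra.ibj.io:2380,node4=https://node4i.infra.ibj.io:2380,node5=https://node5i.infra.ibj.io:2380 \
          --peer-cert-file=/var/etcd-certs/peer.crt --peer-key-file=/var/etcd-certs/peer.key --peer-trusted-ca-file=/var/etcd-certs/peer.ca.crt --peer-client-cert-auth \
          --cert-file=/var/etcd-certs/server.crt --key-file=/var/etcd-certs/server.key --trusted-ca-file=/var/etcd-certs/client.ca.crt --client-cert-auth

        [Install]
        WantedBy=multi-user.target
    - name: crio.service
      enabled: true
      contents: |
        [Unit]
        Description=Container Runtime Interface for OCI (CRI-O)
        Documentation=https://github.com/cri-o/cri-o
        Wants=network-online.target
        After=network-online.target

        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Type=notify
        EnvironmentFile=-/etc/sysconfig/crio
        Environment=GOTRACEBACK=crash
        ExecStart=/usr/local/bin/crio
        ExecReload=/bin/kill -s HUP $MAINPID
        TasksMax=infinity
        LimitNOFILE=1048576
        LimitNPROC=1048576
        LimitCORE=infinity
        OOMScoreAdjust=-999
        TimeoutStartSec=0
        Restart=on-abnormal

        [Install]
        WantedBy=multi-user.target
    # Kubelet. `User=`/`Group=` belong to [Service]; the original had them in
    # [Unit], where systemd ignores them with an "Unknown key name" warning
    # (the effective user was root either way, as that is the default).
    - name: kubelet.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kubelet agent
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        After=crio.service
        Requires=crio.service

        [Service]
        User=root
        Group=root
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kubelet \
          --config /etc/kubelet/config.yaml \
          --container-runtime=remote \
          --container-runtime-endpoint=unix:///var/run/crio/crio.sock \
          --hostname-override={{.hostname}}i.infra.ibj.io \
          --kubeconfig /var/kubelet-certs/kubeconfig

        [Install]
        WantedBy=multi-user.target
    # API server, talking only to the local etcd member over mTLS.
    # NOTE(review): `--runtime-config=...api/alpha=true` enables every alpha
    # API group; consider enabling only the specific groups needed.
    # NOTE(review): `--service-account-issuer=joedc` is not a URL — the
    # Kubernetes docs recommend an https:// issuer so projected tokens and
    # OIDC discovery work as intended; confirm nothing depends on the bare name.
    - name: apiserver.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube apiserver
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service

        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-apiserver \
          --allow-privileged \
          --authorization-mode=Node,RBAC \
          --bind-address=:: \
          --client-ca-file=/var/api-certs/client.ca.crt \
          --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
          --etcd-cafile=/var/api-certs/etcd-server.ca.crt \
          --etcd-certfile=/var/api-certs/etcd-client.crt \
          --etcd-keyfile=/var/api-certs/etcd-client.key \
          --etcd-servers=https://{{.hostname}}.infra.ibj.io:2379 \
          --event-ttl=1h \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --kubelet-certificate-authority=/var/kubelet-certs/server.ca.crt \
          --kubelet-client-certificate=/var/api-certs/kubelet-client.crt \
          --kubelet-client-key=/var/api-certs/kubelet-client.key \
          --runtime-config='api/v1=true,api/ga=true,api/beta=true,api/alpha=true' \
          --service-account-issuer=joedc \
          --service-account-key-file=/var/api-certs/serviceaccount.key \
          --service-account-signing-key-file=/var/api-certs/serviceaccount.key \
          --service-node-port-range=30000-32767 \
          --service-cluster-ip-range="10.69.0.0/16,fde7:76fd:7444:1000::/108" \
          --tls-cert-file=/var/api-certs/server.crt \
          --tls-private-key-file=/var/api-certs/server.key

        [Install]
        WantedBy=multi-user.target
    - name: controllermanager.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube controller-manager
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service

        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-controller-manager \
          --allocate-node-cidrs=true \
          --cluster-cidr="10.68.0.0/16,fde7:76fd:7444:2000::/56" \
          --service-cluster-ip-range="10.69.0.0/16,fde7:76fd:7444:1000::/108" \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --flex-volume-plugin-dir=/opt/libexec/kubernetes/kubelet-plugins/volume/exec \
          --kubeconfig=/var/controllermanager-certs/kubeconfig \
          --service-account-private-key-file=/var/api-certs/serviceaccount.key \
          --use-service-account-credentials

        [Install]
        WantedBy=multi-user.target
    - name: scheduler.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube scheduler
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service

        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-scheduler \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --kubeconfig=/var/scheduler-certs/kubeconfig

        [Install]
        WantedBy=multi-user.target
    # kube-proxy in IPVS mode (hence the ipvsadm/ipset binaries in `storage`).
    # Description fixed: the original was copy-pasted from scheduler.service.
    - name: proxy.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube proxy
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service

        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-proxy \
          --cluster-cidr="10.68.0.0/16,fde7:76fd:7444:2000::/56" \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --hostname-override="{{.hostname}}i.infra.ibj.io" \
          --kubeconfig=/var/proxy-certs/kubeconfig \
          --proxy-mode=ipvs

        [Install]
        WantedBy=multi-user.target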