@bcressey
Created February 14, 2025 22:13
EKS hybrid nodes for Bottlerocket (via SSM)
{
"user": "${SSH_USER}",
"ssh": {
"authorized-keys": [
"${SSH_AUTHORIZED_KEY}"
]
}
}
[default]
region = ${AWS_REGION}
#!/bin/bash
# Bootstrap-container script for a Bottlerocket EKS hybrid node: registers the
# node with SSM on first boot and links the host's root AWS credentials file to
# the one held by the control host container.
# All output, including the `set -x` trace, is sent to stderr.
exec >&2
# -x echoes every expanded command, so any command that expands a secret must
# run under `set +x` (see the register_hybrid_node call at the bottom).
set -eux -o pipefail
# The host's root filesystem as seen from inside the bootstrap container.
HOST_ROOTFS="/.bottlerocket/rootfs"
# Agent state is kept under the host's /local so it persists across boots; a
# non-empty registration file there is the "already registered" marker.
SSM_AGENT_PERSISTENT_STATE_DIR="${HOST_ROOTFS}/local/host-containers/control/ssm"
SSM_AGENT_REGISTRATION="${SSM_AGENT_PERSISTENT_STATE_DIR}/registration"
mkdir -p "${SSM_AGENT_PERSISTENT_STATE_DIR}"
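#######################################
# Fetch the amazon-ssm-agent package and unpack only the agent binary into this
# container's filesystem (cpio runs from / so the archive's relative usr/bin
# path lands in place).
# Globals:   none
# Arguments: none
# Returns:   non-zero if the download, signature check or extraction fails
#######################################
extract_ssm_agent() {
  local download_dir
  local -a rpm_files
  download_dir="$(mktemp -d)" || return 1
  dnf -yq install 'dnf-command(download)' cpio rsync
  # Download into a private directory instead of / so a stale or second
  # amazon-ssm-agent-*.rpm lying in the cwd can never be picked up by the glob.
  dnf download --destdir "${download_dir}" amazon-ssm-agent
  rpm_files=("${download_dir}"/amazon-ssm-agent-*.rpm)
  if (( ${#rpm_files[@]} != 1 )) || [[ ! -f "${rpm_files[0]}" ]]; then
    printf 'expected exactly one amazon-ssm-agent rpm, got: %s\n' "${rpm_files[*]}" >&2
    rm -rf -- "${download_dir}"
    return 1
  fi
  # `dnf download` only fetches the file and rpm2cpio verifies nothing, so check
  # the package signature before unpacking it into the filesystem. This needs
  # the package signing key to already be in the rpm database.
  if ! rpm -K "${rpm_files[0]}"; then
    printf 'signature check failed for %s\n' "${rpm_files[0]}" >&2
    rm -rf -- "${download_dir}"
    return 1
  fi
  ( cd / && rpm2cpio "${rpm_files[0]}" | cpio -idmu '*bin/amazon-ssm-agent' )
  rm -rf -- "${download_dir}"
}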
#######################################
# Register this node with SSM as a managed (hybrid) instance.
# Globals:   AWS_REGION, SSM_ACTIVATION_CODE, SSM_ACTIVATION_ID (read)
# Arguments: none
# Returns:   the agent's exit status
#######################################
register_hybrid_node() {
  # The activation code and id end up on argv, so the caller runs this with
  # tracing turned off to keep them out of the stderr trace.
  local -a register_args=(
    -register
    -region "${AWS_REGION}"
    -code "${SSM_ACTIVATION_CODE}"
    -id "${SSM_ACTIVATION_ID}"
    -disableSimilarityCheck
  )
  amazon-ssm-agent "${register_args[@]}"
}
#######################################
# Mirror the agent's live state directory onto the host's persistent state
# directory so registration survives the bootstrap container going away.
# Globals:   SSM_AGENT_PERSISTENT_STATE_DIR (read)
# Arguments: none
# Returns:   rsync's exit status
#######################################
persist_ssm_state() {
  # Trailing slash: copy the directory's contents, not the directory itself.
  local live_state="/var/lib/amazon/ssm/"
  local -a rsync_opts=(-aq)
  rsync "${rsync_opts[@]}" "${live_state}" "${SSM_AGENT_PERSISTENT_STATE_DIR}"
}
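#######################################
# Set the host's hostname and the kubelet hostname override to the SSM
# managed-instance id recorded in the persisted registration file.
# Globals:   SSM_AGENT_REGISTRATION (read)
# Arguments: none
# Returns:   non-zero if the registration file yields no usable instance id
#######################################
set_hostname_settings() {
  local ssm_node_id
  # Read from the same path constant the registration check uses rather than
  # re-deriving it from the state directory.
  ssm_node_id="$(jq -r '.ManagedInstanceID' "${SSM_AGENT_REGISTRATION}")" || return 1
  # `jq -r` prints "null" for a missing key and nothing for an empty file;
  # neither must become the node's hostname.
  if [[ -z "${ssm_node_id}" || "${ssm_node_id}" == "null" ]]; then
    printf 'no ManagedInstanceID found in %s\n' "${SSM_AGENT_REGISTRATION}" >&2
    return 1
  fi
  apiclient set \
    network.hostname="${ssm_node_id}" \
    kubernetes.hostname-override="${ssm_node_id}"
}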
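#######################################
# Point the host's /root/.aws/credentials at the credentials file inside the
# control host container's rootfs, so the host root account uses the same
# credentials the control container holds.
# Globals:   HOST_ROOTFS (read)
# Arguments: none
# Returns:   non-zero if the parent directory or the link cannot be created
#######################################
symlink_aws_creds() {
  local control_rootfs
  local control_creds
  local host_creds
  # Rootfs of the running control container, reached through the host's
  # containerd task directory — presumably stable across agent restarts but
  # worth confirming, since the link dangles if this path changes.
  control_rootfs="${HOST_ROOTFS}/run/host-containerd/io.containerd.runtime.v2.task/default/control/rootfs"
  control_creds="${control_rootfs}/root/.aws/credentials"
  host_creds="${HOST_ROOTFS}/root/.aws/credentials"
  # ln cannot create the link when /root/.aws does not yet exist on the host.
  mkdir -p -- "${host_creds%/*}"
  # -r makes the link relative, so it resolves from the host's own view of its
  # filesystem and not only through the HOST_ROOTFS bind mount.
  ln -srnf -- "${control_creds}" "${host_creds}"
}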
# Register with SSM only once: a non-empty persisted registration file means
# the node already has an identity, so skip straight to the credential link.
if [[ ! -s "${SSM_AGENT_REGISTRATION}" ]]; then
  extract_ssm_agent
  # Tracing is switched off in a subshell so the activation code and id that
  # register_hybrid_node expands onto argv are not echoed to stderr.
  (
    set +x
    register_hybrid_node
  )
  persist_ssm_state
  set_hostname_settings
fi
symlink_aws_creds
# Bottlerocket settings for an EKS hybrid node; the ${...} values are
# templated in before the file is applied.
[settings.kubernetes]
cluster-name = "${EKS_CLUSTER}"
api-server = "${EKS_API_SERVER}"
cluster-certificate = "${EKS_CA_CERT_BASE64}"
authentication-mode = "aws"
# No cloud provider, with the provider id supplied explicitly instead —
# presumably because a hybrid node is not an EC2 instance; confirm.
cloud-provider = ""
provider-id = "${PROVIDER_ID}"
[settings.kubernetes.node-labels]
"eks.amazonaws.com/compute-type" = "hybrid"
"eks.amazonaws.com/hybrid-credential-provider" = "ssm"
[settings.kubernetes.credential-providers.ecr-credential-provider]
enabled = true
cache-duration = "12h"
# Registry hostnames the ECR credential provider answers for: commercial,
# China, FIPS and the isolated partitions.
image-patterns = [
"*.dkr.ecr.*.amazonaws.com",
"*.dkr.ecr.*.amazonaws.com.cn",
"*.dkr.ecr-fips.*.amazonaws.com",
"*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
"*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
]
[settings.aws]
region = "${AWS_REGION}"
# base64 of an AWS config file — presumably the [default] region stanza above.
config = "${AWS_CONFIG_BASE64}"
# Bootstrap container that performs the SSM registration; its user-data is
# presumably the base64 of the registration script above — verify. With
# mode = "always" it runs on every boot, and the script itself skips the
# registration step once a persisted registration file exists.
[settings.bootstrap-containers.ssm-hybrid-node]
mode = "always"
essential = true
user-data = "${BOOTSTRAP_USERDATA_BASE64}"
[settings.host-containers.control]
enabled = true
# Admin container with SSH access; its user-data is presumably the base64 of
# the JSON above (user + authorized key). This gives interactive shell access
# to the node, so keep the authorized-keys list minimal and consider disabling
# the container once the node is in service.
[settings.host-containers.admin]
enabled = true
user-data = "${ADMIN_USERDATA_BASE64}"