#@ load("@ytt:data", "data")
---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraPortMappings:
  - protocol: TCP
    #! This same port number is hardcoded in the integration test setup
    #! when creating a Service on a kind cluster. It is used to talk to
    #! the supervisor app via HTTPS.
    containerPort: 31243
    hostPort: 12344
    listenAddress: 127.0.0.1
  - protocol: TCP
    #! This same port number is hardcoded in the integration test setup
    #! when creating a Service on a kind cluster. It is used to talk to
    #! the Dex app.
    containerPort: 31235
    hostPort: 12346
    listenAddress: 127.0.0.1
  #@ if data.values.enable_audit_logs:
  #! mount the local file on the control plane
  extraMounts:
  - hostPath: /tmp/metadata-audit-policy.yaml
    containerPath: /etc/kubernetes/policies/audit-policy.yaml
    readOnly: true
  #@ end
#! Apply these patches to all nodes.
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  apiServer:
    extraArgs:
      #! To make sure the endpoints on our service are correct (this mostly matters for kubectl based
      #! installs where kapp is not doing magic changes to the deployment and service selectors).
      #! Setting this field to true makes it so that the API service will do the service cluster IP
      #! to endpoint IP translations internally instead of relying on the network stack (i.e. kube-proxy).
      #! The logic inside the API server is very straightforward - randomly pick an IP from the list
      #! of available endpoints. This means that over time, all endpoints associated with the service
      #! are exercised. For whatever reason, leaving this as false (i.e. use kube-proxy) appears to
      #! hide some network misconfigurations when used internally by the API server aggregation layer.
      enable-aggregator-routing: "true"
#@ if data.values.enable_audit_logs:
- |
  kind: ClusterConfiguration
  apiServer:
    #! enable auditing flags on the API server
    extraArgs:
      audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
      audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
    #! mount new files / directories on the control plane
    extraVolumes:
    - name: audit-policies
      hostPath: /etc/kubernetes/policies
      mountPath: /etc/kubernetes/policies
      readOnly: true
      pathType: "DirectoryOrCreate"
    - name: "audit-logs"
      hostPath: "/var/log/kubernetes"
      mountPath: "/var/log/kubernetes"
      readOnly: false
      pathType: DirectoryOrCreate
#@ end