sigs.k8s.io/cluster-api-provider-azure@v1.14.3/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml

apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    cloud-provider: ${CLOUD_PROVIDER_AZURE_LABEL:=azure}
    cni: calico-dual-stack
    cni-windows: ${CLUSTER_NAME}-calico
    containerd-logger: disabled
    csi-proxy: disabled
    metrics-server: disabled
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
      - 10.244.0.0/16
      - 2001:1234:5678:9a40::/58
    services:
      cidrBlocks:
      - 10.0.0.0/16
      - fd00::/108
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlane
    name: ${CLUSTER_NAME}-control-plane
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureCluster
    name: ${CLUSTER_NAME}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  additionalTags:
    buildProvenance: ${BUILD_PROVENANCE}
    creationTimestamp: ${TIMESTAMP}
    jobName: ${JOB_NAME}
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureClusterIdentity
    name: ${CLUSTER_IDENTITY_NAME}
  location: ${AZURE_LOCATION}
  networkSpec:
    subnets:
    - cidrBlocks:
      - 10.0.0.0/16
      - 2001:1234:5678:9abc::/64
      name: control-plane-subnet
      role: control-plane
    - cidrBlocks:
      - 10.1.0.0/16
      - 2001:1234:5678:9abd::/64
      name: node-subnet
      role: node
    vnet:
      cidrBlocks:
      - 10.0.0.0/8
      - 2001:1234:5678:9a00::/56
      name: ${AZURE_VNET_NAME:=${CLUSTER_NAME}-vnet}
  resourceGroup: ${AZURE_RESOURCE_GROUP:=${CLUSTER_NAME}}
  subscriptionID: ${AZURE_SUBSCRIPTION_ID}
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          cloud-provider: external
          feature-gates: ${K8S_FEATURE_GATES:-""}
        timeoutForControlPlane: 20m
      controllerManager:
        extraArgs:
          allocate-node-cidrs: "true"
          cloud-provider: external
          cluster-cidr: 10.244.0.0/16,2001:1234:5678:9a40::/58
          cluster-name: ${CLUSTER_NAME}
          configure-cloud-routes: "true"
          feature-gates: HPAContainerMetrics=true
          v: "4"
      etcd:
        local:
          dataDir: /var/lib/etcddisk/etcd
          extraArgs:
            quota-backend-bytes: "8589934592"
      kubernetesVersion: ci/${CI_VERSION}
    diskSetup:
      filesystems:
      - device: /dev/disk/azure/scsi1/lun0
        extraOpts:
        - -E
        - lazy_itable_init=1,lazy_journal_init=1
        filesystem: ext4
        label: etcd_disk
      - device: ephemeral0.1
        filesystem: ext4
        label: ephemeral0
        replaceFS: ntfs
      partitions:
      - device: /dev/disk/azure/scsi1/lun0
        layout: true
        overwrite: false
        tableType: gpt
    files:
    - contentFrom:
        secret:
          key: control-plane-azure.json
          name: ${CLUSTER_NAME}-control-plane-azure-json
      owner: root:root
      path: /etc/kubernetes/azure.json
      permissions: "0644"
    - content: |
        #!/bin/bash

        set -o nounset
        set -o pipefail
        set -o errexit
        [[ $(id -u) != 0 ]] && SUDO="sudo" || SUDO=""

        az login --identity
        echo "Use OOT credential provider"
        mkdir -p /var/lib/kubelet/credential-provider
        az storage blob download --blob-url "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_BLOB_CONTAINER_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider" -f /var/lib/kubelet/credential-provider/acr-credential-provider --auth-mode login
        chmod 755 /var/lib/kubelet/credential-provider/acr-credential-provider
        az storage blob download --blob-url "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_BLOB_CONTAINER_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml" -f /var/lib/kubelet/credential-provider-config.yaml --auth-mode login
        chmod 644 /var/lib/kubelet/credential-provider-config.yaml
      owner: root:root
      path: /tmp/oot-cred-provider.sh
      permissions: "0744"
    - content: |
        #!/bin/bash

        set -o nounset
        set -o pipefail
        set -o errexit
        [[ $(id -u) != 0 ]] && SUDO="sudo" || SUDO=""

        # This test installs release packages or binaries that are a result of the CI and release builds.
        # It runs '... --version' commands to verify that the binaries are correctly installed
        # and finally uninstalls the packages.
        # For the release packages it tests all versions in the support skew.
        LINE_SEPARATOR="*************************************************"
        echo "$$LINE_SEPARATOR"
        CI_VERSION=${CI_VERSION}
        if [[ "$${CI_VERSION}" != "" ]]; then
          CI_DIR=/tmp/k8s-ci
          mkdir -p $$CI_DIR
          declare -a PACKAGES_TO_TEST=("kubectl" "kubelet" "kubeadm")
          declare -a CONTAINERS_TO_TEST=("kube-apiserver" "kube-controller-manager" "kube-proxy" "kube-scheduler")
          CONTAINER_EXT="tar"
          echo "* testing CI version $$CI_VERSION"
          # Check for semver
          if [[ "$${CI_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            VERSION_WITHOUT_PREFIX="${CI_VERSION#v}"
            DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl
            curl -fsSL https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
            echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
            apt-get update
            # replace . with \.
            VERSION_REGEX="${VERSION_WITHOUT_PREFIX//./\\.}"
            PACKAGE_VERSION="$(apt-cache madison kubelet|grep $${VERSION_REGEX}- | head -n1 | cut -d '|' -f 2 | tr -d '[:space:]')"
            for CI_PACKAGE in "$${PACKAGES_TO_TEST[@]}"; do
              echo "* installing package: $$CI_PACKAGE $${PACKAGE_VERSION}"
              DEBIAN_FRONTEND=noninteractive apt-get install -y $$CI_PACKAGE=$$PACKAGE_VERSION
            done
          else
            CI_URL="https://storage.googleapis.com/k8s-release-dev/ci/$${CI_VERSION}/bin/linux/amd64"
            for CI_PACKAGE in "$${PACKAGES_TO_TEST[@]}"; do
              echo "* downloading binary: $$CI_URL/$$CI_PACKAGE"
              wget --inet4-only "$$CI_URL/$$CI_PACKAGE" -nv -O "$$CI_DIR/$$CI_PACKAGE"
              chmod +x "$$CI_DIR/$$CI_PACKAGE"
              mv "$$CI_DIR/$$CI_PACKAGE" "/usr/bin/$$CI_PACKAGE"
            done
            IMAGE_REGISTRY_PREFIX=registry.k8s.io
            for CI_CONTAINER in "$${CONTAINERS_TO_TEST[@]}"; do
              echo "* downloading package: $$CI_URL/$$CI_CONTAINER.$$CONTAINER_EXT"
              wget --inet4-only "$$CI_URL/$$CI_CONTAINER.$$CONTAINER_EXT" -nv -O "$$CI_DIR/$$CI_CONTAINER.$$CONTAINER_EXT"
              $${SUDO} ctr -n k8s.io images import "$$CI_DIR/$$CI_CONTAINER.$$CONTAINER_EXT" || echo "* ignoring expected 'ctr images import' result"
              $${SUDO} ctr -n k8s.io images tag $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER-amd64:"$${CI_VERSION//+/_}" $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER:"$${CI_VERSION//+/_}"
              $${SUDO} ctr -n k8s.io images tag $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER-amd64:"$${CI_VERSION//+/_}" gcr.io/k8s-staging-ci-images/$$CI_CONTAINER:"$${CI_VERSION//+/_}"
            done
          fi
          systemctl restart kubelet
        fi
        echo "* checking binary versions"
        echo "ctr version: " $(ctr version)
        echo "kubeadm version: " $(kubeadm version -o=short)
        echo "kubectl version: " $(kubectl version --client=true)
        echo "kubelet version: " $(kubelet --version)
        echo "$$LINE_SEPARATOR"
      owner: root:root
      path: /tmp/kubeadm-bootstrap.sh
      permissions: "0744"
    initConfiguration:
      localAPIEndpoint:
        bindPort: 6443
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
          image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
          image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
        name: '{{ ds.meta_data["local_hostname"] }}'
    joinConfiguration:
      controlPlane:
        localAPIEndpoint:
          bindPort: 6443
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
          image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
          image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
        name: '{{ ds.meta_data["local_hostname"] }}'
    mounts:
    - - LABEL=etcd_disk
      - /var/lib/etcddisk
    postKubeadmCommands: []
    preKubeadmCommands:
    - bash -c /tmp/oot-cred-provider.sh
    - bash -c /tmp/kubeadm-bootstrap.sh
    verbosity: 5
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: AzureMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
  replicas: ${CONTROL_PLANE_MACHINE_COUNT:=1}
  version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  template:
    spec:
      dataDisks:
      - diskSizeGB: 256
        lun: 0
        nameSuffix: etcddisk
      enableIPForwarding: true
      image:
        marketplace:
          offer: capi
          publisher: cncf-upstream
          sku: ubuntu-2204-gen1
          version: latest
      osDisk:
        diskSizeGB: 128
        osType: Linux
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      vmSize: ${AZURE_CONTROL_PLANE_MACHINE_TYPE}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${WORKER_MACHINE_COUNT:=2}
  selector: {}
  template:
    metadata:
      labels:
        nodepool: pool1
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: AzureMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      enableIPForwarding: true
      image:
        marketplace:
          offer: capi
          publisher: cncf-upstream
          sku: ubuntu-2204-gen1
          version: latest
      osDisk:
        diskSizeGB: 128
        osType: Linux
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      vmExtensions:
      - name: CustomScript
        protectedSettings:
          commandToExecute: |
            #!/bin/sh
            echo "This script is a no-op used for extension testing purposes ..."
            touch test_file
        publisher: Microsoft.Azure.Extensions
        version: "2.1"
      vmSize: ${AZURE_NODE_MACHINE_TYPE}
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      files:
      - contentFrom:
          secret:
            key: worker-node-azure.json
            name: ${CLUSTER_NAME}-md-0-azure-json
        owner: root:root
        path: /etc/kubernetes/azure.json
        permissions: "0644"
      - content: |
          #!/bin/bash

          set -o nounset
          set -o pipefail
          set -o errexit
          [[ $(id -u) != 0 ]] && SUDO="sudo" || SUDO=""

          az login --identity
          echo "Use OOT credential provider"
          mkdir -p /var/lib/kubelet/credential-provider
          az storage blob download --blob-url "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_BLOB_CONTAINER_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/azure-acr-credential-provider" -f /var/lib/kubelet/credential-provider/acr-credential-provider --auth-mode login
          chmod 755 /var/lib/kubelet/credential-provider/acr-credential-provider
          az storage blob download --blob-url "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_BLOB_CONTAINER_NAME}/${IMAGE_TAG_ACR_CREDENTIAL_PROVIDER}/credential-provider-config.yaml" -f /var/lib/kubelet/credential-provider-config.yaml --auth-mode login
          chmod 644 /var/lib/kubelet/credential-provider-config.yaml
        owner: root:root
        path: /tmp/oot-cred-provider.sh
        permissions: "0744"
      - content: |
          #!/bin/bash

          set -o nounset
          set -o pipefail
          set -o errexit
          [[ $(id -u) != 0 ]] && SUDO="sudo" || SUDO=""

          # This test installs release packages or binaries that are a result of the CI and release builds.
          # It runs '... --version' commands to verify that the binaries are correctly installed
          # and finally uninstalls the packages.
          # For the release packages it tests all versions in the support skew.
          LINE_SEPARATOR="*************************************************"
          echo "$$LINE_SEPARATOR"
          CI_VERSION=${CI_VERSION}
          if [[ "$${CI_VERSION}" != "" ]]; then
            CI_DIR=/tmp/k8s-ci
            mkdir -p $$CI_DIR
            declare -a PACKAGES_TO_TEST=("kubectl" "kubelet" "kubeadm")
            declare -a CONTAINERS_TO_TEST=("kube-apiserver" "kube-controller-manager" "kube-proxy" "kube-scheduler")
            CONTAINER_EXT="tar"
            echo "* testing CI version $$CI_VERSION"
            # Check for semver
            if [[ "$${CI_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              VERSION_WITHOUT_PREFIX="${CI_VERSION#v}"
              DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl
              curl -fsSL https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
              echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
              apt-get update
              # replace . with \.
              VERSION_REGEX="${VERSION_WITHOUT_PREFIX//./\\.}"
              PACKAGE_VERSION="$(apt-cache madison kubelet|grep $${VERSION_REGEX}- | head -n1 | cut -d '|' -f 2 | tr -d '[:space:]')"
              for CI_PACKAGE in "$${PACKAGES_TO_TEST[@]}"; do
                echo "* installing package: $$CI_PACKAGE $${PACKAGE_VERSION}"
                DEBIAN_FRONTEND=noninteractive apt-get install -y $$CI_PACKAGE=$$PACKAGE_VERSION
              done
            else
              CI_URL="https://storage.googleapis.com/k8s-release-dev/ci/$${CI_VERSION}/bin/linux/amd64"
              for CI_PACKAGE in "$${PACKAGES_TO_TEST[@]}"; do
                echo "* downloading binary: $$CI_URL/$$CI_PACKAGE"
                wget --inet4-only "$$CI_URL/$$CI_PACKAGE" -nv -O "$$CI_DIR/$$CI_PACKAGE"
                chmod +x "$$CI_DIR/$$CI_PACKAGE"
                mv "$$CI_DIR/$$CI_PACKAGE" "/usr/bin/$$CI_PACKAGE"
              done
              IMAGE_REGISTRY_PREFIX=registry.k8s.io
              for CI_CONTAINER in "$${CONTAINERS_TO_TEST[@]}"; do
                echo "* downloading package: $$CI_URL/$$CI_CONTAINER.$$CONTAINER_EXT"
                wget --inet4-only "$$CI_URL/$$CI_CONTAINER.$$CONTAINER_EXT" -nv -O "$$CI_DIR/$$CI_CONTAINER.$$CONTAINER_EXT"
                $${SUDO} ctr -n k8s.io images import "$$CI_DIR/$$CI_CONTAINER.$$CONTAINER_EXT" || echo "* ignoring expected 'ctr images import' result"
                $${SUDO} ctr -n k8s.io images tag $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER-amd64:"$${CI_VERSION//+/_}" $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER:"$${CI_VERSION//+/_}"
                $${SUDO} ctr -n k8s.io images tag $$IMAGE_REGISTRY_PREFIX/$$CI_CONTAINER-amd64:"$${CI_VERSION//+/_}" gcr.io/k8s-staging-ci-images/$$CI_CONTAINER:"$${CI_VERSION//+/_}"
              done
            fi
            systemctl restart kubelet
          fi
          echo "* checking binary versions"
          echo "ctr version: " $(ctr version)
          echo "kubeadm version: " $(kubeadm version -o=short)
          echo "kubectl version: " $(kubectl version --client=true)
          echo "kubelet version: " $(kubelet --version)
          echo "$$LINE_SEPARATOR"
        owner: root:root
        path: /tmp/kubeadm-bootstrap.sh
        permissions: "0744"
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-provider: external
            image-credential-provider-bin-dir: /var/lib/kubelet/credential-provider
            image-credential-provider-config: /var/lib/kubelet/credential-provider-config.yaml
          name: '{{ ds.meta_data["local_hostname"] }}'
      preKubeadmCommands:
      - bash -c /tmp/oot-cred-provider.sh
      - bash -c /tmp/kubeadm-bootstrap.sh
      verbosity: 5
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineHealthCheck
metadata:
  name: ${CLUSTER_NAME}-mhc-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  maxUnhealthy: 100%
  selector:
    matchLabels:
      nodepool: pool1
  unhealthyConditions:
  - status: "True"
    timeout: 30s
    type: E2ENodeUnhealthy
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  labels:
    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
  name: ${CLUSTER_IDENTITY_NAME}
  namespace: default
spec:
  allowedNamespaces: {}
  clientID: ${AZURE_CLIENT_ID}
  clientSecret:
    name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
    namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
  tenantID: ${AZURE_TENANT_ID}
  type: ServicePrincipal
---
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: csi-proxy
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      csi-proxy: enabled
  resources:
  - kind: ConfigMap
    name: csi-proxy-addon
  strategy: ApplyOnce
---
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: containerd-logger-${CLUSTER_NAME}
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      containerd-logger: enabled
  resources:
  - kind: ConfigMap
    name: containerd-logger-${CLUSTER_NAME}
  strategy: ApplyOnce
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: azuredisk-csi-driver-chart
  namespace: default
spec:
  chartName: azuredisk-csi-driver
  clusterSelector:
    matchLabels:
      azuredisk-csi: "true"
  namespace: kube-system
  releaseName: azuredisk-csi-driver-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/charts
  valuesTemplate: |-
    controller:
      replicas: 1
      runOnControlPlane: true
    windows:
      useHostProcessContainers: {{ hasKey .Cluster.metadata.labels "cni-windows" }}
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      cloud-provider: azure
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      logVerbosity: 4
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart-ci
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      cloud-provider: azure-ci
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      cloudConfig: ${CLOUD_CONFIG:-"/etc/kubernetes/azure.json"}
      cloudConfigSecretName: ${CONFIG_SECRET_NAME:-""}
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      imageName: "${CCM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CCM:-""}"
      logVerbosity: ${CCM_LOG_VERBOSITY:-4}
      replicas: ${CCM_COUNT:-1}
      enableDynamicReloading: ${ENABLE_DYNAMIC_RELOADING:-false}
    cloudNodeManager:
      imageName: "${CNM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CNM:-""}"
---
apiVersion: v1
data:
  csi-proxy: |
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      labels:
        k8s-app: csi-proxy
      name: csi-proxy
      namespace: kube-system
    spec:
      selector:
        matchLabels:
          k8s-app: csi-proxy
      template:
        metadata:
          labels:
            k8s-app: csi-proxy
        spec:
          nodeSelector:
            "kubernetes.io/os": windows
          securityContext:
            windowsOptions:
              hostProcess: true
              runAsUserName: "NT AUTHORITY\\SYSTEM"
          hostNetwork: true
          containers:
            - name: csi-proxy
              image: ghcr.io/kubernetes-sigs/sig-windows/csi-proxy:v1.0.2
kind: ConfigMap
metadata:
  annotations:
    note: generated
  labels:
    type: generated
  name: csi-proxy-addon
  namespace: default
---
apiVersion: v1
data:
  containerd-windows-logger: |
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      labels:
        k8s-app: containerd-logger
      name: containerd-logger
      namespace: kube-system
    spec:
      selector:
        matchLabels:
          k8s-app: containerd-logger
      template:
        metadata:
          labels:
            k8s-app: containerd-logger
        spec:
          securityContext:
            windowsOptions:
              hostProcess: true
              runAsUserName: "NT AUTHORITY\\system"
          hostNetwork: true
          containers:
          - image: ghcr.io/kubernetes-sigs/sig-windows/eventflow-logger:v0.1.0
            args: [ "config.json" ]
            name: containerd-logger
            imagePullPolicy: Always
            volumeMounts:
            - name: containerd-logger-config
              mountPath: /config.json
              subPath: config.json
          nodeSelector:
            kubernetes.io/os: windows
          tolerations:
          - key: CriticalAddonsOnly
            operator: Exists
          - operator: Exists
          volumes:
          - configMap:
              name: containerd-logger-config
            name: containerd-logger-config
      updateStrategy:
        type: RollingUpdate
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: containerd-logger-config
      namespace: kube-system
    data:
      config.json: |
        {
          "inputs": [
            {
              "type": "ETW",
              "sessionNamePrefix": "containerd",
              "cleanupOldSessions": true,
              "reuseExistingSession": true,
              "providers": [
                {
                  "providerName": "Microsoft.Virtualization.RunHCS",
                  "providerGuid": "0B52781F-B24D-5685-DDF6-69830ED40EC3",
                  "level": "Verbose"
                },
                {
                  "providerName": "ContainerD",
                  "providerGuid": "2acb92c0-eb9b-571a-69cf-8f3410f383ad",
                  "level": "Verbose"
                }
              ]
            }
          ],
          "filters": [
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == Stats && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == hcsshim::LayerID && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == hcsshim::NameToGuid && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == containerd.task.v2.Task.Stats && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == containerd.task.v2.Task.State && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == HcsGetProcessProperties && hasnoproperty error"
            },
            {
                "type": "drop",
                "include": "ProviderName == Microsoft.Virtualization.RunHCS && name == HcsGetComputeSystemProperties && hasnoproperty error"
            }
          ],
          "outputs": [
            {
              "type": "StdOutput"
            }
          ],
          "schemaVersion": "2016-08-11"
        }
kind: ConfigMap
metadata:
  annotations:
    note: generated
  labels:
    type: generated
  name: containerd-logger-${CLUSTER_NAME}
  namespace: default
---
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: metrics-server-${CLUSTER_NAME}
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      metrics-server: enabled
  resources:
  - kind: ConfigMap
    name: metrics-server-${CLUSTER_NAME}
  strategy: ApplyOnce
---
apiVersion: v1
data:
  metrics-server: |
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        k8s-app: metrics-server
        rbac.authorization.k8s.io/aggregate-to-admin: "true"
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
        rbac.authorization.k8s.io/aggregate-to-view: "true"
      name: system:aggregated-metrics-reader
    rules:
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        k8s-app: metrics-server
      name: system:metrics-server
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes/metrics
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server-auth-reader
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: extension-apiserver-authentication-reader
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server:system:auth-delegator
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:auth-delegator
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        k8s-app: metrics-server
      name: system:metrics-server
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:metrics-server
    subjects:
    - kind: ServiceAccount
      name: metrics-server
      namespace: kube-system
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: https
      selector:
        k8s-app: metrics-server
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        k8s-app: metrics-server
      name: metrics-server
      namespace: kube-system
    spec:
      selector:
        matchLabels:
          k8s-app: metrics-server
      strategy:
        rollingUpdate:
          maxUnavailable: 0
      template:
        metadata:
          labels:
            k8s-app: metrics-server
        spec:
          containers:
          - args:
            - --cert-dir=/tmp
            - --secure-port=4443
            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
            - --kubelet-use-node-status-port
            - --metric-resolution=15s
            - --kubelet-insecure-tls
            image: registry.k8s.io/metrics-server/metrics-server:v0.6.3
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /livez
                port: https
                scheme: HTTPS
              periodSeconds: 10
            name: metrics-server
            ports:
            - containerPort: 4443
              name: https
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /readyz
                port: https
                scheme: HTTPS
              initialDelaySeconds: 20
              periodSeconds: 10
            resources:
              requests:
                cpu: 100m
                memory: 200Mi
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 1000
            volumeMounts:
            - mountPath: /tmp
              name: tmp-dir
          nodeSelector:
            kubernetes.io/os: linux
          priorityClassName: system-cluster-critical
          serviceAccountName: metrics-server
          tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
            operator: Exists
          - effect: NoSchedule
            key: node-role.kubernetes.io/control-plane
            operator: Exists
          volumes:
          - emptyDir: {}
            name: tmp-dir
    ---
    apiVersion: apiregistration.k8s.io/v1
    kind: APIService
    metadata:
      labels:
        k8s-app: metrics-server
      name: v1beta1.metrics.k8s.io
    spec:
      group: metrics.k8s.io
      groupPriorityMinimum: 100
      insecureSkipTLSVerify: true
      service:
        name: metrics-server
        namespace: kube-system
      version: v1beta1
      versionPriority: 100
kind: ConfigMap
metadata:
  annotations:
    note: generated
  labels:
    type: generated
  name: metrics-server-${CLUSTER_NAME}
  namespace: default
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: calico-dual-stack
  namespace: default
spec:
  chartName: tigera-operator
  clusterSelector:
    matchLabels:
      cni: calico-dual-stack
  namespace: tigera-operator
  releaseName: projectcalico
  repoURL: https://docs.tigera.io/calico/charts
  valuesTemplate: |
    installation:
      cni:
        type: Calico
        ipam:
          type: HostLocal
      calicoNetwork:
        bgp: Disabled
        mtu: 1350
        ipPools:
        - blockSize: 26
          cidr: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 0 }}
          encapsulation: None
          natOutgoing: Enabled
          nodeSelector: all()
        - blockSize: 122
          cidr: {{ index .Cluster.spec.clusterNetwork.pods.cidrBlocks 1 }}
          encapsulation: None
          natOutgoing: Enabled
          nodeSelector: all()
      registry: mcr.microsoft.com/oss
    # Image and registry configuration for the tigera/operator pod.
    tigeraOperator:
      image: tigera/operator
      registry: mcr.microsoft.com/oss
    calicoctl:
      image: mcr.microsoft.com/oss/calico/ctl
  version: ${CALICO_VERSION}