dynk8s-provisioner/terraform/userdata.yml


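#cloud-config
# User data for a dynk8s-provisioner worker node: install the CRI-O and
# kubeadm packages, stage host configuration, and join the cluster from
# the per-instance script written under write_files.

# Point /etc/resolv.conf at systemd-resolved's stub resolver before
# package installation runs.
bootcmd:
  - [ln, -sf, /run/systemd/resolve/stub-resolv.conf, /etc/resolv.conf]

packages:
  - cri-o
  - cri-tools
  - crun
  - ethtool
  - iptables-nft
  - iscsi-initiator-utils
  - kubernetes-kubeadm
  - kubernetes-node
  - runc
  - wireguard-tools

write_files:
  # Appended to the existing dnf.conf; presumably lands in the [main]
  # section — verify against the base image's dnf.conf layout.
  - path: /etc/dnf/dnf.conf
    content: |+
      install_weak_deps=False
    append: true

  # Kernel module and sysctls that kubeadm's preflight checks look for.
  - path: /etc/modules-load.d/k8s.conf
    content: |+
      br_netfilter

  - path: /etc/sysctl.d/k8s.conf
    content: |+
      net.bridge.bridge-nf-call-iptables = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      net.ipv4.ip_forward = 1

  # Make crun the default OCI runtime for CRI-O (runc stays installed).
  - path: /etc/crio/crio.conf.d/10-crio-crun.conf
    content: |+
      [crio.runtime]
      default_runtime = "crun"
      [crio.runtime.runtimes.crun]
      runtime_path = "/usr/bin/crun"
      runtime_type = "oci"
      runtime_root = "/run/crun"

  # Run once per instance by cloud-init's per-instance scripts module,
  # after the packages above are installed.  Each required step aborts
  # with `|| exit` so a half-configured node never attempts to join.
  - path: /var/lib/cloud/scripts/per-instance/kubeadm-join
    permissions: '0755'
    content: |+
      #!/bin/sh
      BASE_URL=https://dynk8s-provisioner.pyrocufflink.net

      # Identify this instance via IMDSv2 (session token obtained with PUT).
      # -f turns HTTP errors into a non-zero exit so a missing token or
      # metadata value aborts here instead of yielding empty IDs below.
      imds_token=$(curl -sf 169.254.169.254/latest/api/token \
          -X PUT \
          -H 'X-aws-ec2-metadata-token-ttl-seconds: 3600'
      ) || exit
      instance_id=$(curl -sf 169.254.169.254/latest/meta-data/instance-id \
          -H "X-aws-ec2-metadata-token: ${imds_token}"
      ) || exit
      az=$(curl -sf 169.254.169.254/latest/meta-data/placement/availability-zone \
          -H "X-aws-ec2-metadata-token: ${imds_token}"
      ) || exit
      [ -n "${instance_id}" ] && [ -n "${az}" ] || exit

      # Fetch this node's WireGuard config.  It carries the tunnel private
      # key, so create it under umask 077: curl -o otherwise honours the
      # default umask and wg-quick warns about a world-accessible config.
      # From this side the request is keyed on instance_id alone; the
      # provisioner is assumed to gate access — confirm server-side.
      (umask 077 && curl -fs "${BASE_URL}/wireguard/config/${instance_id}" \
          -o /etc/wireguard/wg0.conf) || exit
      systemctl enable --now wg-quick@wg0 || exit
      # Reset eth0's per-link resolved settings to defaults (presumably so
      # the tunnel's DNS configuration takes precedence — confirm).
      resolvectl revert eth0

      modprobe br_netfilter || exit
      sysctl -w -f /etc/sysctl.d/k8s.conf || exit

      # kubeadm's preflight rejects enabled swap by default.  Turn it off
      # and stop the zram swap units; an empty zram-generator.conf is
      # presumably meant to keep the generator from defining devices.
      swapoff -a || exit
      touch /etc/systemd/zram-generator.conf || exit
      systemctl daemon-reload || exit
      systemctl stop 'systemd-zram-setup@*' || exit

      # Optional data disk for kubelet state.  The device name is
      # hard-coded; nofail keeps boot going when it is absent, and the
      # mount is best-effort (no exit on failure).
      if [ -b /dev/nvme1n1 ]; then
          printf '%s %s %s %s 0 0\n' \
              /dev/nvme1n1 \
              /var/lib/kubelet \
              ext4 \
              noatime,x-systemd.makefs,nofail \
              >> /etc/fstab
          systemctl daemon-reload
          systemctl start var-lib-kubelet.mount
      fi

      systemctl enable crio iscsid kubelet || exit
      systemctl start crio iscsid || exit

      # Advertise the tunnel address on wg0 as the node IP.  The sed prints
      # every IPv4 on the link; assumes wg0 has exactly one — confirm.
      internal_ip=$(
          ip address show dev wg0 primary | \
          sed -rn 's/.*inet ([0-9.]+).*/\1/p'
      )
      [ -n "${internal_ip}" ] || exit

      # SELinux allowance for iscsid (Longhorn issue referenced by the
      # module name).  Written under /run rather than the script's
      # working directory, which cloud-init does not define here.
      cat > /run/longhorn-issue4988.cil <<EOF
      (allow iscsid_t self (capability (dac_override)))
      EOF
      semodule -i /run/longhorn-issue4988.cil

      # Remove any packaged CNI configs, presumably so only the cluster's
      # CNI plugin configuration is present after join — confirm.
      rm -f /etc/cni/net.d/*.conflist

      # kubeadm accepts a URL for discovery.file.kubeConfigPath; the
      # provisioner serves a per-instance kubeconfig at that path.
      cat > /run/joinconfiguration <<EOF
      apiVersion: kubeadm.k8s.io/v1beta3
      kind: JoinConfiguration
      nodeRegistration:
        taints:
          - key: du5t1n.me/jenkins
            effect: NoSchedule
        kubeletExtraArgs:
          provider-id: aws:///${az}/${instance_id}
          node-ip: ${internal_ip}
          config: /var/lib/kubelet/config.yaml
      discovery:
        file:
          kubeConfigPath: ${BASE_URL}/kubeadm/kubeconfig/${instance_id}
      EOF
      kubeadm join --config=/run/joinconfiguration

# Remove the zram generator package now that swap is disabled.
runcmd:
  - [dnf, remove, -y, zram-generator]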