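---
# Harvester user-data cloud-init template (harvesterhci.io/cloud-init-template: user)
# for RKE2 control-plane nodes on Ubuntu 24.04. The entire cloud-config is carried
# in data.cloudInit as a single literal block scalar, so it reaches the consumer as
# text and is only parsed by cloud-init on the guest.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    harvesterhci.io/cloud-init-template: user
  name: rke2-ubuntu-24.04-cloudinit-cp
  namespace: vanderlande
data:
  cloudInit: |
    #cloud-config
    # No apt upgrade at first boot; upgrades are deferred to /root/updates.sh
    # (run from runcmd), which holds the kernel packages first. Snaps are held so
    # they cannot refresh on their own.
    package_update: false
    package_upgrade: false
    snap:
      commands:
        00: snap refresh --hold=forever
    package_reboot_if_required: true
    packages:
      - qemu-guest-agent
      - yq
      - jq
    runcmd:
      # sysctl -w is runtime-only; the /etc/sysctl.d drop-in in write_files
      # below carries the same setting across reboots.
      - sysctl -w net.ipv6.conf.all.disable_ipv6=1
      - systemctl enable --now qemu-guest-agent.service
      - [sh, '/root/updates.sh']
    disable_root: true
    ssh_pwauth: false
    groups:
      - etcd
    users:
      # Login account with sudo. SSH is key-only (ssh_pwauth: false); the password
      # remains usable for sudo/console. hashed_passwd is a credential committed
      # with this template — prefer injecting it from a secret store.
      - name: rancher
        gecos: Rancher service account
        hashed_passwd: $6$Jn9gljJAbr9tjxD2$4D4O5YokrpYvYd5lznvtuWRPWWcREo325pEhn5r5vzfIU/1fX6werOG4LlXxNNBOkmbKaabekQ9NQL32IZOiH1
        lock_passwd: false
        shell: /bin/bash
        groups: [users, sudo, docker]
        sudo: ALL=(ALL:ALL) ALL
        ssh_authorized_keys:
          - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwWnnOTAu0LlAZRczQ0Z0KvNlUdPhGQhpZie+nF1O3s'
      # No-login account (nologin shell, password locked) in the etcd group.
      - name: etcd
        gecos: ETCD service account
        lock_passwd: true
        shell: /sbin/nologin
        groups: [etcd]
    write_files:
      # Persists the IPv6 setting applied by runcmd (new drop-in; name chosen here).
      - path: /etc/sysctl.d/99-disable-ipv6.conf
        permissions: '0644'
        owner: root:root
        content: |
          net.ipv6.conf.all.disable_ipv6 = 1
      # Root-only upgrade script invoked once from runcmd.
      - path: /root/updates.sh
        permissions: '0550'
        owner: root:root
        content: |
          #!/bin/bash
          export DEBIAN_FRONTEND=noninteractive
          # Keep the running kernel: hold the kernel metapackages before upgrading.
          apt-mark hold linux-headers-generic
          apt-mark hold linux-headers-virtual
          apt-mark hold linux-image-virtual
          apt-mark hold linux-virtual
          apt-get update
          apt-get upgrade -y
          apt-get autoremove -y
      # RKE2 server auto-applies manifests dropped in this directory. This one
      # installs a nightly CronJob that turns off token automount on every
      # namespace's "default" ServiceAccount.
      - path: /var/lib/rancher/rke2/server/manifests/disable-sa-automount.yaml
        permissions: '0600'
        owner: root:root
        content: |
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: disable-automount-sa
            namespace: kube-system
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            name: disable-automount-clusterrole
          rules:
            - apiGroups: [""]
              resources: ["namespaces"]
              verbs: ["get", "list"]
            # Least privilege: the job only ever touches the ServiceAccount named
            # "default", so the grant is scoped to that name (in any namespace)
            # instead of every ServiceAccount in the cluster.
            - apiGroups: [""]
              resources: ["serviceaccounts"]
              resourceNames: ["default"]
              verbs: ["get", "patch"]
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: disable-automount-binding
          subjects:
            - kind: ServiceAccount
              name: disable-automount-sa
              namespace: kube-system
          roleRef:
            kind: ClusterRole
            name: disable-automount-clusterrole
            apiGroup: rbac.authorization.k8s.io
          ---
          apiVersion: batch/v1
          kind: CronJob
          metadata:
            name: disable-default-sa-automount
            namespace: kube-system
          spec:
            schedule: "0 0 * * *"
            concurrencyPolicy: Forbid
            jobTemplate:
              spec:
                template:
                  spec:
                    serviceAccountName: disable-automount-sa
                    containers:
                      - name: kubectl-patcher
                        # Mutable tag: pin by digest (image@sha256:<DIGEST>) so the
                        # job cannot silently pick up a different image.
                        image: alpine/kubectl:1.35.0
                        command:
                          - /bin/sh
                          - -c
                          - |
                            for n in $(kubectl get namespaces -o=jsonpath="{.items[*]['metadata.name']}"); do
                              echo "Patching default SA in namespace: $n"
                              kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}' -n "$n"
                            done
                    restartPolicy: OnFailure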