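# kube-proxy add-on: ConfigMap (kubeconfig), ServiceAccount, ClusterRoleBinding
# and DaemonSet. The file is a Go template: the DaemonSet's containers and
# volumes are selected by the vars.kube_proxy value ("kpng" or anything else).

# Kubeconfig consumed by the proxy. It embeds no credential: it points at the
# pod's mounted service-account CA bundle and token file.
# NOTE(review): the server address is loopback port 6444, so this presumably
# relies on a node-local API endpoint reachable via hostNetwork; confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: kube-proxy
data:
  kubeconfig.conf: |
    apiVersion: v1
    kind: Config
    current-context: default
    contexts:
      - name: default
        context:
          cluster: default
          namespace: default
          user: default
    clusters:
      - name: default
        cluster:
          certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          server: https://[::1]:6444
    users:
      - name: default
        user:
          tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
---
# Identity the DaemonSet pods run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-proxy
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
# Grants the service account the system:node-proxier ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-proxy
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: system:node-proxier
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: kube-proxy
  labels:
    k8s-app: kube-proxy
spec:
  minReadySeconds: 60
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      k8s-app: kube-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-proxy
        app: kube-proxy
    spec:
      # Tolerate every NoSchedule / NoExecute taint so the proxy runs on all
      # nodes, including tainted ones.
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: kube-proxy
      # Pods share the node's network namespace.
      hostNetwork: true
      {{ if eq "kpng" .vars.kube_proxy }}
      # kpng variant: two containers that talk over a unix socket placed in
      # the shared emptyDir mounted at /k8s.
      # NOTE(review): both images are referenced by tag only, without a
      # registry host or digest; consider pinning by digest so the content
      # that runs with NET_ADMIN on the host network cannot change silently.
      containers:
        # Watches the API server and serves state on /k8s/proxy.sock.
        - image: mcluseau/kpng:0.4
          name: kpng
          volumeMounts:
            - name: empty
              mountPath: /k8s
            - mountPath: /var/lib/kpng
              name: kpng-config
          args:
            - kube
            - --kubeconfig=/var/lib/kpng/kubeconfig.conf
            - to-api
            - --listen=unix:///k8s/proxy.sock
        # Reads from the socket and programs nftables; only this container
        # gets the extra NET_ADMIN capability.
        - image: mcluseau/kpng:0.4
          name: kpng-nftables
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - name: empty
              mountPath: /k8s
            - name: modules
              mountPath: /lib/modules
              readOnly: true
          args:
            - local
            - --api=unix:///k8s/proxy.sock
            - to-nft
            - --cluster-cidrs={{ .subnets.pods }}
            #- --v=2
            #- --dry-run
      volumes:
        - name: empty
          emptyDir: {}
        - name: modules
          hostPath:
            path: /lib/modules
        - name: kpng-config
          configMap:
            name: kube-proxy
      {{ else }}
      # Stock kube-proxy variant, iptables mode.
      containers:
        - command:
            - kube-proxy
            - --kubeconfig=/var/lib/kube-proxy/kubeconfig.conf
            - --hostname-override=$(HOSTNAME_OVERRIDE)
            # NOTE(review): kube-proxy documents --cluster-cidr as the pod
            # CIDR, and the kpng variant of this file passes the pods subnet;
            # here the services subnet is passed. Confirm this is intended,
            # since it affects which traffic gets masqueraded.
            - --cluster-cidr={{.subnets.services}}
            - --proxy-mode=iptables
          env:
            # Node name injected through the downward API.
            - name: HOSTNAME_OVERRIDE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          image: {{.vars.k8s_registry}}/kube-proxy:{{.vars.kubernetes_version}}
          imagePullPolicy: IfNotPresent
          name: kube-proxy
          # NOTE(review): privileged grants the container full host
          # privileges on top of hostNetwork; review whether a narrower
          # capability set is enough for the proxy mode in use.
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /var/lib/kube-proxy
              name: kube-proxy
            # Host kernel modules are only read, so mount them read-only
            # (matches the kpng variant's modules mount).
            - mountPath: /lib/modules
              name: modules
              readOnly: true
      volumes:
        - name: kube-proxy
          configMap:
            name: kube-proxy
        - name: modules
          hostPath:
            path: /lib/modules
      {{ end }}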