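{# Static-pod manifest for kube-proxy, rendered by Salt's Jinja renderer.
   Inputs read here: grains (api_servers, cloud, feature_gates), pillar
   (log_level, kubeproxy_test_args, kubeproxy_test_log_level, cluster_cidr,
   kube_docker_registry, kube-proxy_docker_tag) and, when the api_servers
   grain is absent, the Salt mine entry network.ip_addrs of the
   roles:kubernetes-master minions. -#}
{% set kubeconfig = "--kubeconfig=/var/lib/kube-proxy/kubeconfig" -%}

{# API server address: an explicit grain wins; otherwise the first address
   of whichever master the mine lists first (mine ordering is not defined,
   so with several masters this choice is arbitrary). -#}
{% if grains.api_servers is defined -%}
  {% set api_servers = "--master=https://" + grains.api_servers -%}
{% else -%}
  {# `| list` keeps ips indexable on Python 3, where dict.values() is a
     view; without it ips[0][0] resolves to undefined and the --master
     flag renders with an empty host. -#}
  {% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() | list -%}
  {% set api_servers = "--master=https://" + ips[0][0] -%}
{% endif -%}

{# On the listed clouds the API server is reached on the default HTTPS
   port; everywhere else the secure port 6443 is appended. -#}
{% if grains['cloud'] is defined and grains.cloud in ['aws', 'gce', 'vagrant', 'photon-controller', 'openstack', 'azure-legacy'] -%}
  {% set api_servers_with_port = api_servers -%}
{% else -%}
  {% set api_servers_with_port = api_servers + ":6443" -%}
{% endif -%}

{# Optional pillar overrides; each renders to "" when the key is unset. -#}
{% set test_args = "" -%}
{% if pillar['kubeproxy_test_args'] is defined -%}
  {% set test_args = pillar['kubeproxy_test_args'] -%}
{% endif -%}

{% set cluster_cidr = "" -%}
{% if pillar['cluster_cidr'] is defined -%}
  {% set cluster_cidr = " --cluster-cidr=" + pillar['cluster_cidr'] -%}
{% endif -%}

{# pillar['log_level'] is required (no guard); the test log level, when
   present, replaces it. -#}
{% set log_level = pillar['log_level'] -%}
{% if pillar['kubeproxy_test_log_level'] is defined -%}
  {% set log_level = pillar['kubeproxy_test_log_level'] -%}
{% endif -%}

{% set feature_gates = "" -%}
{% if grains.feature_gates is defined -%}
  {% set feature_gates = "--feature-gates=" + grains.feature_gates -%}
{% endif -%}

{% set throttles = "--iptables-sync-period=1m --iptables-min-sync-period=10s" -%}

# test_args should always go last to overwrite prior configuration
{% set params = log_level + " " + throttles + " " + feature_gates + " " + test_args -%}

{% set container_env = "" -%}

{# cpurequest is referenced in the podspec but set nowhere in this template;
   the default filter keeps the CPU request from rendering as an empty
   scalar. "100m" is a constructed placeholder - define cpurequest before
   this point (or in the renderer context) to size it for the cluster. -#}
{% set cpurequest = cpurequest | default("100m") -%}

# kube-proxy podspec
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
  # This annotation ensures that kube-proxy does not get evicted if the node
  # supports critical pod annotation based priority scheme.
  # Note that kube-proxy runs as a static pod so this annotation does NOT have
  # any effect on rescheduler (default scheduler and rescheduler are not
  # involved in scheduling kube-proxy).
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
  labels:
    tier: node
    component: kube-proxy
spec:
  # kube-proxy programs the host's iptables, so it runs in the host network
  # namespace as a privileged container. Both settings grant host-level
  # access; the image references below are tag-based (busybox is untagged),
  # so what runs with that access is whatever the registry serves for the
  # tag at pull time.
  hostNetwork: true
  initContainers:
    # Creates the iptables lock file on the host before kube-proxy starts;
    # needs /run mounted read-write for that single write.
    - name: touch-lock
      image: busybox
      command: ['/bin/touch', '/run/xtables.lock']
      securityContext:
        privileged: true
      volumeMounts:
        - mountPath: /run
          name: run
          readOnly: false
  containers:
    - name: kube-proxy
      image: "{{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}"
      resources:
        requests:
          cpu: "{{ cpurequest }}"
      # The kubelet's $(VAR) expansion turns `$$` into a literal `$`, so
      # `$$$` reaches the shell as `$$` (its own PID). The wrapper shell
      # lowers its oom_score_adj to -998 before starting kube-proxy, which
      # inherits it as a child process. Output goes to the host's
      # /var/log via the varlog mount; container_env is currently "" and
      # is appended after the redirects.
      command:
        - /bin/sh
        - -c
        - echo -998 > /proc/$$$/oom_score_adj && kube-proxy {{api_servers_with_port}} {{kubeconfig}} {{cluster_cidr}} --resource-container="" {{params}} 1>>/var/log/kube-proxy.log 2>&1 {{container_env}}
      securityContext:
        privileged: true
      volumeMounts:
        - mountPath: /etc/ssl/certs
          name: etc-ssl-certs
          readOnly: true
        - mountPath: /usr/share/ca-certificates
          name: usr-ca-certs
          readOnly: true
        - mountPath: /var/log
          name: varlog
          readOnly: false
        # NOTE(review): kube-proxy only reads the kubeconfig; a read-write
        # mount into a privileged container is more access than the
        # credential needs - confirm nothing writes it and consider
        # readOnly: true.
        - mountPath: /var/lib/kube-proxy/kubeconfig
          name: kubeconfig
          readOnly: false
        - mountPath: /run/xtables.lock
          name: iptableslock
          readOnly: false
  volumes:
    - hostPath:
        path: /usr/share/ca-certificates
      name: usr-ca-certs
    - hostPath:
        path: /etc/ssl/certs
      name: etc-ssl-certs
    # FileOrCreate makes an empty file when the kubeconfig is missing on the
    # host, so a missing credential surfaces as a kube-proxy startup error
    # rather than a pod creation failure.
    - hostPath:
        path: /var/lib/kube-proxy/kubeconfig
        type: FileOrCreate
      name: kubeconfig
    - hostPath:
        path: /var/log
      name: varlog
    - hostPath:
        path: /run
      name: run
    - hostPath:
        path: /run/xtables.lock
        type: FileOrCreate
      name: iptableslock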