fix tinkerbell audit config

pkg/providers/tinkerbell/config/template-cp.yaml

@@ -119,15 +119,14 @@ spec:
           pathType: DirectoryOrCreate
           readOnly: false
 {{- if .awsIamAuth}}
-        extraVolumes:
-          - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
-            mountPath: /etc/kubernetes/aws-iam-authenticator/
-            name: authconfig
-            readOnly: false
-          - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/
-            mountPath: /var/aws-iam-authenticator/
-            name: awsiamcert
-            readOnly: false
+        - hostPath: /var/lib/kubeadm/aws-iam-authenticator/
+          mountPath: /etc/kubernetes/aws-iam-authenticator/
+          name: authconfig
+          readOnly: false
+        - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/
+          mountPath: /var/aws-iam-authenticator/
+          name: awsiamcert
+          readOnly: false
 {{- end}}
 {{- /*
   BottleRocket uses different host paths for kubeconfigs requiring host mount path overwrites for
@@ -299,6 +298,10 @@ spec:
         owner: root:root
         path: /etc/kubernetes/manifests/kube-vip.yaml
 {{- end }}
+      - content: |
+{{ .auditPolicy | indent 8 }}
+        owner: root:root
+        path: /etc/kubernetes/audit-policy.yaml
 {{- if .awsIamAuth}}
       - content: |
           # clusters refers to the remote service.
@@ -336,9 +339,6 @@ spec:
         owner: root:root
         path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem
 {{- end}}
-{{ .auditPolicy | indent 8 }}
-      owner: root:root
-      path: /etc/kubernetes/audit-policy.yaml
 {{- if (ne .format "bottlerocket") }}
 {{- if .proxyConfig }}
       - content: |

pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_cert_bundles_config_cp.yaml

@@ -216,6 +216,7 @@ spec:
           status: {}
         owner: root:root
         path: /etc/kubernetes/manifests/kube-vip.yaml
+      - content: |
         apiVersion: audit.k8s.io/v1beta1
         kind: Policy
         rules:
@@ -371,8 +372,8 @@ spec:
         - level: Metadata
           omitStages:
           - "RequestReceived"
-      owner: root:root
-      path: /etc/kubernetes/audit-policy.yaml
+        owner: root:root
+        path: /etc/kubernetes/audit-policy.yaml
     users:
     - name: ec2-user
       sshAuthorizedKeys:

pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_kernel_config_cp.yaml

@@ -182,6 +182,7 @@ spec:
           status: {}
         owner: root:root
         path: /etc/kubernetes/manifests/kube-vip.yaml
+      - content: |
         apiVersion: audit.k8s.io/v1beta1
         kind: Policy
         rules:
@@ -337,8 +338,8 @@ spec:
         - level: Metadata
           omitStages:
           - "RequestReceived"
-      owner: root:root
-      path: /etc/kubernetes/audit-policy.yaml
+        owner: root:root
+        path: /etc/kubernetes/audit-policy.yaml
     users:
     - name: ec2-user
       sshAuthorizedKeys:

pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_ntp_config_cp.yaml

@@ -156,6 +156,7 @@ spec:
           status: {}
         owner: root:root
         path: /etc/kubernetes/manifests/kube-vip.yaml
+      - content: |
         apiVersion: audit.k8s.io/v1beta1
         kind: Policy
         rules:
@@ -311,8 +312,8 @@ spec:
         - level: Metadata
           omitStages:
           - "RequestReceived"
-      owner: root:root
-      path: /etc/kubernetes/audit-policy.yaml
+        owner: root:root
+        path: /etc/kubernetes/audit-policy.yaml
     ntp:
       enabled: true
       servers: 

pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_settings_config_cp.yaml

@@ -174,6 +174,7 @@ spec:
           status: {}
         owner: root:root
         path: /etc/kubernetes/manifests/kube-vip.yaml
+      - content: |
         apiVersion: audit.k8s.io/v1beta1
         kind: Policy
         rules:
@@ -329,8 +330,8 @@ spec:
         - level: Metadata
           omitStages:
           - "RequestReceived"
-      owner: root:root
-      path: /etc/kubernetes/audit-policy.yaml
+        owner: root:root
+        path: /etc/kubernetes/audit-policy.yaml
     users:
     - name: ec2-user
       sshAuthorizedKeys: