typhoon/google-cloud/flatcar-linux/kubernetes/bootstrap.tf

# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
  source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=1609060f4f138f3b3aef74a9e5494e0fe831c423"

  cluster_name          = var.cluster_name
  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
  etcd_servers          = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]
  networking            = var.networking
  network_mtu           = 1440
  pod_cidr              = var.pod_cidr
  service_cidr          = var.service_cidr
  cluster_domain_suffix = var.cluster_domain_suffix
  enable_reporting      = var.enable_reporting
  enable_aggregation    = var.enable_aggregation
  daemonset_tolerations = var.daemonset_tolerations
  components            = var.components

  // temporary
  external_apiserver_port = 443
}
Update CHANGES for control plane static pod switch * Remove old references to bootkube / self-hosted 2019-09-07 22:38:51 +02:00			`# Kubernetes assets (kubeconfig, manifests)`
Rename bootkube modules to bootstrap * Rename render module from bootkube to bootstrap. Avoid confusion with the kubernetes-incubator/bootkube tool since it is no longer used * Use the poseidon/terraform-render-bootstrap Terraform module (formerly poseidon/terraform-render-bootkube) * https://github.com/poseidon/terraform-render-bootkube/pull/149 2019-09-15 01:24:32 +02:00			`module "bootstrap" {`
Fix incorrect terraform-render-bootstrap SHA 2024-07-26 06:41:54 +02:00			`source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=1609060f4f138f3b3aef74a9e5494e0fe831c423"`
Add dghubble/pegasus GCE Kubernetes Terraform module 2017-06-27 06:55:39 +02:00
Migrate Google Cloud module Terraform v0.11 to v0.12 * Replace v0.11 bracket type hints with Terraform v0.12 list expressions * Use expression syntax instead of interpolated strings, where suggested * Update Google Cloud tutorial and worker pools documentation * Define Terraform and plugin version requirements in versions.tf * Require google ~> 2.5 to support Terraform v0.12 * Require ct ~> 0.3.2 to support Terraform v0.12 2019-05-28 06:14:25 +02:00			`cluster_name = var.cluster_name`
			`api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]`
Fix bug provisioning multi-controller clusters on Google Cloud * Google Cloud Terraform provider resource google_dns_record_set's name field provides the full domain name with a trailing ".". This isn't a new behavior, Google has behaved this way as long as I can remember * etcd domain names are passed to the bootstrap module to generate TLS certificates. What seems to be new(ish?) is that etcd peers see example.foo and example.foo. as different domains during TLS SANs validation. As a result, clusters with multiple controller nodes fail to run etcd-member, which manifests as cluster provisioning hanging. Single controller/master clusters (default) are unaffected * Fix etcd-member.service error in multi-controller clusters: ``` "error":"x509: certificate is valid for conformance-etcd0.redacted., conform-etcd1.redacted., conform-etcd2.redacted., not conform-etcd1.redacted"} ``` 2022-08-03 05:11:21 +02:00			`etcd_servers = [for fqdn in google_dns_record_set.etcds.*.name : trimsuffix(fqdn, ".")]`
Introduce the component system for managing pre-installed addons * Previously: Typhoon provisions clusters with kube-system components like CoreDNS, kube-proxy, and a chosen CNI provider (among flannel, Calico, or Cilium) pre-installed. This is convenient since clusters come with "batteries included". But it also means upgrading these components is generally done in lock-step, by upgrading to a new Typhoon / Kubernetes release * It can be valuable to manage these components with a separate plan/apply process or through automations and deploy systems. For example, this allows managing CoreDNS separately from the cluster's lifecycle. * These "components" will continue to be pre-installed by default, but a new `components` variable allows them to be disabled and managed as "addons", components you apply after cluster creation and manage on a rolling basis. For some of these, we may provide Terraform modules to aide in managing these components. ``` module "cluster" { # defaults components = { enable = true coredns = { enable = true } kube_proxy = { enable = true } # Only the CNI set in var.networking will be installed flannel = { enable = true } calico = { enable = true } cilium = { enable = true } } } ``` An earlier variable `install_container_networking = true/false` has been removed, since it can now be achieved with this more extensible and general components mechanism by setting the chosen networking provider enable field to false. 2024-05-19 00:05:33 +02:00			`networking = var.networking`
Add optional cluster_domain_suffix variable * Allow kube-dns to respond to DNS queries with a custom suffix, instead of the default 'cluster.local' * Useful when multiple clusters exist on the same local network and wish to query services on one another 2017-12-09 22:36:59 +01:00			`network_mtu = 1440`
Migrate Google Cloud module Terraform v0.11 to v0.12 * Replace v0.11 bracket type hints with Terraform v0.12 list expressions * Use expression syntax instead of interpolated strings, where suggested * Update Google Cloud tutorial and worker pools documentation * Define Terraform and plugin version requirements in versions.tf * Require google ~> 2.5 to support Terraform v0.12 * Require ct ~> 0.3.2 to support Terraform v0.12 2019-05-28 06:14:25 +02:00			`pod_cidr = var.pod_cidr`
			`service_cidr = var.service_cidr`
			`cluster_domain_suffix = var.cluster_domain_suffix`
			`enable_reporting = var.enable_reporting`
			`enable_aggregation = var.enable_aggregation`
Allow custom initial node taints on worker pool nodes * Add `node_taints` variable to worker modules to set custom initial node taints on cloud platforms that support auto-scaling worker pools of heterogeneous nodes (i.e. AWS, Azure, GCP) * Worker pools could use custom `node_labels` to allowed workloads to select among differentiated nodes, while custom `node_taints` allows a worker pool's nodes to be tainted as special to prevent scheduling, except by workloads that explicitly tolerate the taint * Expose `daemonset_tolerations` in AWS, Azure, and GCP kubernetes cluster modules, to determine whether `kube-system` components should tolerate the custom taint (advanced use covered in docs) Rel: #550, #663 Closes #429 2021-04-11 21:08:56 +02:00			`daemonset_tolerations = var.daemonset_tolerations`
Allow CoreDNS and kube-proxy to be optional components * Allow for more minimal base cluster setups, that manage CoreDNS or kube-proxy as applications, with rolling updates, or deploy systems. Or in the case of kube-proxy, its becoming more common to not install it and instead use Cilium * Add a `components` pass-through variable to configure pre-installed components like kube-proxy and CoreDNS. These components can be disabled (individually or together) to allow for managing components with separate plan/apply processes or automations * terraform-render-bootstrap manifest assets are now structured as manifests/{coredns,kube-proxy,network} so adapt the controller layout scripts accordingly * This is similar to some changes in v1.29.2 that allowed for the container networking provider manifests to be skipped Related: https://github.com/poseidon/typhoon/pull/1419, https://github.com/poseidon/typhoon/pull/1421 2024-05-13 06:03:40 +02:00			`components = var.components`
Fix terraform formatting 2018-06-22 09:28:36 +02:00
Change kube-apiserver port from 443 to 6443 * Adjust firewall rules, security groups, cloud load balancers, and generated kubeconfig's * Facilitates some future simplifications and cost reductions * Bare-Metal users who exposed kube-apiserver on a WAN via their router or load balancer will need to adjust its configuration. This is uncommon, most apiserver are on LAN and/or behind VPN so no routing infrastructure is configured with the port number 2018-06-19 06:57:58 +02:00			`// temporary`
Run kube-apiserver with lower privilege user (nobody) * Run kube-apiserver as a non-root user (nobody). User no longer needs to bind low number ports. * On most platforms, the kube-apiserver load balancer listens on 6443 and fronts controllers with kube-apiserver pods using port 6443. Google Cloud TCP proxy load balancers cannot listen on 6443. However, GCP's load balancer can be made to listen on 443, while kube-apiserver uses 6443 across all platforms. 2019-07-06 22:11:37 +02:00			`external_apiserver_port = 443`
Add dghubble/pegasus GCE Kubernetes Terraform module 2017-06-27 06:55:39 +02:00			`}`
Migrate Google Cloud module Terraform v0.11 to v0.12 * Replace v0.11 bracket type hints with Terraform v0.12 list expressions * Use expression syntax instead of interpolated strings, where suggested * Update Google Cloud tutorial and worker pools documentation * Define Terraform and plugin version requirements in versions.tf * Require google ~> 2.5 to support Terraform v0.12 * Require ct ~> 0.3.2 to support Terraform v0.12 2019-05-28 06:14:25 +02:00