Introduce cluster creation without local writes to asset_dir
* Allow generated assets (TLS materials, manifests) to be securely distributed to controller node(s) via the file provisioner (i.e. over SSH, using ssh-agent) as a single assets bundle file, rather than relying on assets being rendered locally to disk in an asset_dir and then securely distributed * Change `asset_dir` from required to optional. Left unset, asset_dir defaults to "" and no assets will be written to files on the machine that runs terraform apply * Enhancement: Managed cluster assets are kept only in Terraform state, which supports different backends (GCS, S3, etcd, etc.) and optional encryption. terraform apply accesses state, runs in-memory, and distributes sensitive materials to controllers without making use of local disk (simplifies use in CI systems) * Enhancement: Improve the asset unpack and layout process to position etcd certificates and control plane certificates more cleanly, without unneeded secret materials Details: * Terraform file provisioner support for distributing directories of contents (with unknown structure) has been limited to reading from a local directory, meaning local writes to asset_dir were required. https://github.com/poseidon/typhoon/issues/585 discusses the problem and newer or upcoming Terraform features that might help. * Observation: Terraform provisioner support for single files works well, but iteration isn't viable. We're also constrained to Terraform language features on the apply side (no extra plugins, no shelling out) and CoreOS / Fedora tools on the receive side. * Take a map representation of the contents that would have been splayed out in asset_dir and pack/encode them into a single file format devised for easy unpacking. Use an awk one-liner on the receive side to unpack. In practice, this has worked well and it's rather nice that a single assets file is transferred by the file provisioner (all or none) Rel: https://github.com/poseidon/terraform-render-bootstrap/pull/162
This commit is contained in:
parent
5fa002f4f7
commit
2837275265
|
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
||||||
|
|
|
@ -108,6 +108,8 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--trust-keys-from-https \
|
--trust-keys-from-https \
|
||||||
|
--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
|
||||||
|
--mount volume=config,target=/etc/kubernetes/secrets \
|
||||||
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
||||||
--mount volume=assets,target=/assets \
|
--mount volume=assets,target=/assets \
|
||||||
--volume script,kind=host,source=/opt/bootstrap/apply \
|
--volume script,kind=host,source=/opt/bootstrap/apply \
|
||||||
|
@ -135,13 +137,35 @@ storage:
|
||||||
inline: |
|
inline: |
|
||||||
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
||||||
KUBELET_IMAGE_TAG=v1.16.3
|
KUBELET_IMAGE_TAG=v1.16.3
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
filesystem: root
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
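Review bot: The unpack step `awk '/#####/ {filename=$2; next} {print > filename}' assets` treats any line that merely contains `#####` as a section header, so a `#####`-style comment divider inside a bundled manifest (or any other asset value) would be taken as a header and its second field used as a new write target. Because `filename` is used verbatim, such a stray header could also redirect output outside the directories the script pre-creates with `mkdir -p`. Anchoring the delimiter and rejecting absolute or `..` paths keeps the format robust: `awk '/^##### / { filename=$2; if (filename ~ /^\// || filename ~ /(^|\/)\.\.(\/|$)/) exit 1; next } {print > filename}' assets`. The bundle is assembled from a pinned module's outputs, so this is a robustness concern rather than exposure to untrusted input, but the same script is duplicated in every platform's controller config in this commit and the fix applies to each copy.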
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers.
|
# Secure copy assets to controllers.
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = var.controller_count
|
count = var.controller_count
|
||||||
|
@ -14,63 +23,13 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
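Review bot: The `assets_bundle` local defines a wire format that the controller-side `layout` script parses with `awk` on whitespace, but the locals block does not state the contract the `assets_dist` keys and values must satisfy. A key containing whitespace would be truncated to its first word on the receiving side, and a value containing a line that starts with `#####` would be mistaken for a header, so the format deserves documenting where it is produced rather than only where it is consumed. Suggested comment above `assets_bundle`: `# Bundle format: one "##### <relative path>" header line followed by the file contents. Keys must be relative paths without whitespace; values must not contain lines starting with "#####". Unpacked by /opt/bootstrap/layout on the controller.` The `copy-controller-secrets` resource continues past the end of the first hunk.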
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
||||||
|
|
|
@ -119,6 +119,7 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/podman run --name bootstrap \
|
ExecStart=/usr/bin/podman run --name bootstrap \
|
||||||
--network host \
|
--network host \
|
||||||
|
--volume /etc/kubernetes/bootstrap-secrets:/etc/kubernetes/secrets:ro,Z \
|
||||||
--volume /opt/bootstrap/assets:/assets:ro,Z \
|
--volume /opt/bootstrap/assets:/assets:ro,Z \
|
||||||
--volume /opt/bootstrap/apply:/apply:ro,Z \
|
--volume /opt/bootstrap/apply:/apply:ro,Z \
|
||||||
k8s.gcr.io/hyperkube:v1.16.3 \
|
k8s.gcr.io/hyperkube:v1.16.3 \
|
||||||
|
@ -135,12 +136,33 @@ storage:
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
${kubeconfig}
|
${kubeconfig}
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
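Review bot: `layout` runs as root via `sudo` and creates the unpacked files with `print > filename` under whatever umask root inherits, then moves `tls/k8s/*`, `tls/etcd/etcd-client*` and `auth/kubeconfig` into `/etc/kubernetes/bootstrap-secrets/` without changing their mode; only `/etc/ssl/etcd` receives `chmod -R 500`. If root's umask is the usual `022`, those private keys are created world-readable and stay that way after the move. Setting a restrictive umask at the top of the script, `umask 077` right after `#!/bin/bash -e`, closes that window for every file awk creates; alternatively `chmod -R 600 /etc/kubernetes/bootstrap-secrets` after the moves. Whether the bootstrap container (which mounts the directory `:ro`) still reads them then depends on the user it runs as, which this hunk does not show — presumably root, but confirm.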
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers.
|
# Secure copy assets to controllers.
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = var.controller_count
|
count = var.controller_count
|
||||||
|
@ -12,65 +21,15 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "15m"
|
timeout = "15m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/"
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
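Review bot: The whole bundle — every etcd and control-plane private key plus the admin kubeconfig — now lands in a single file at `$HOME/assets` with whatever mode the file provisioner's upload uses, and nothing in the new `remote-exec` tightens it before `sudo /opt/bootstrap/layout` reads it. Adding `"chmod 0600 $HOME/assets",` as the first inline command bounds the exposure to the `core` user for the time the bundle sits on disk. The previous per-file provisioners had the same property, so this is not a regression, but consolidating all the material into one file makes a one-line guard worthwhile. The resource's `connection` block begins above the hunk.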
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
||||||
|
|
|
@ -106,6 +106,8 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--trust-keys-from-https \
|
--trust-keys-from-https \
|
||||||
|
--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
|
||||||
|
--mount volume=config,target=/etc/kubernetes/secrets \
|
||||||
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
||||||
--mount volume=assets,target=/assets \
|
--mount volume=assets,target=/assets \
|
||||||
--volume script,kind=host,source=/opt/bootstrap/apply \
|
--volume script,kind=host,source=/opt/bootstrap/apply \
|
||||||
|
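Review bot: The new rkt volume `--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets` is mounted read-write into the bootstrap container, whereas the Fedora CoreOS variant of this same change mounts the directory with `:ro,Z`. The apply script only reads the kubeconfig from `/etc/kubernetes/secrets`, so the mount can be declared `--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets,readOnly=true \` to keep the secrets directory immutable from inside the container. The pre-existing `assets` and `script` volumes would benefit from the same flag but are outside this change. The bootstrap unit definition continues beyond the hunk.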
@ -133,13 +135,35 @@ storage:
|
||||||
inline: |
|
inline: |
|
||||||
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
||||||
KUBELET_IMAGE_TAG=v1.16.3
|
KUBELET_IMAGE_TAG=v1.16.3
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
filesystem: root
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers.
|
# Secure copy assets to controllers.
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = var.controller_count
|
count = var.controller_count
|
||||||
|
@ -13,65 +22,15 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "15m"
|
timeout = "15m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
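Review bot: `format("##### %s\n%s", key, value)` joined with `"\n"` yields a trailing empty line for every value that already ends in a newline, and the `layout` awk loop writes that empty line into the unpacked file, so each certificate, key and manifest presumably comes out with one extra blank line compared to what the module rendered. PEM parsers and kubectl tolerate this, but it makes byte-for-byte comparison with `asset_dir` output fail and is easy to avoid at the source: `format("##### %s\n%s", key, chomp(value))`. Whether the rendered values end in a newline is not visible in this hunk — confirm against the bootstrap module's `assets_dist` outputs.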
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [var.k8s_domain_name]
|
api_servers = [var.k8s_domain_name]
|
||||||
|
|
|
@ -121,6 +121,8 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--trust-keys-from-https \
|
--trust-keys-from-https \
|
||||||
|
--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
|
||||||
|
--mount volume=config,target=/etc/kubernetes/secrets \
|
||||||
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
||||||
--mount volume=assets,target=/assets \
|
--mount volume=assets,target=/assets \
|
||||||
--volume script,kind=host,source=/opt/bootstrap/apply \
|
--volume script,kind=host,source=/opt/bootstrap/apply \
|
||||||
|
@ -148,13 +150,35 @@ storage:
|
||||||
contents:
|
contents:
|
||||||
inline:
|
inline:
|
||||||
${domain_name}
|
${domain_name}
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
filesystem: root
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
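Review bot: `layout` runs under `bash -e`, so any failing step — a key missing from the bundle, a `mv` onto a read-only path — exits before the final `rm -rf assets auth static-manifests tls`, leaving the bundle and the partially unpacked private keys in plaintext in the working directory, where a retried `terraform apply` runs the script again on top of them. A cleanup trap right after the shebang, `trap 'rm -rf assets auth static-manifests tls' EXIT`, removes that material on both success and failure and makes the explicit `rm -rf` at the end redundant. The same script appears in every platform's controller config in this commit, so the change applies to each copy.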
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers. Activates kubelet.service
|
# Secure copy assets to controllers. Activates kubelet.service
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = length(var.controllers)
|
count = length(var.controllers)
|
||||||
|
@ -24,64 +33,14 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
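Review bot: The new inline step `sudo /opt/bootstrap/layout` depends on the remote shell's working directory being the same `$HOME` the file provisioner wrote `assets` to; the script itself uses only relative paths (`assets`, `tls/...`, `auth/...`) and never changes directory. That holds as long as `remote-exec` starts in the `core` user's home, which it presumably does, but it is an invisible coupling between two provisioners. Making it explicit, `"cd $HOME && sudo /opt/bootstrap/layout"`, costs nothing and documents the dependency next to the `"sudo mv $HOME/kubeconfig ..."` step that already names `$HOME`. The resource body continues outside the hunk.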
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [var.k8s_domain_name]
|
api_servers = [var.k8s_domain_name]
|
||||||
|
|
|
@ -130,6 +130,7 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/podman run --name bootstrap \
|
ExecStart=/usr/bin/podman run --name bootstrap \
|
||||||
--network host \
|
--network host \
|
||||||
|
--volume /etc/kubernetes/bootstrap-secrets:/etc/kubernetes/secrets:ro,Z \
|
||||||
--volume /opt/bootstrap/assets:/assets:ro,Z \
|
--volume /opt/bootstrap/assets:/assets:ro,Z \
|
||||||
--volume /opt/bootstrap/apply:/apply:ro,Z \
|
--volume /opt/bootstrap/apply:/apply:ro,Z \
|
||||||
k8s.gcr.io/hyperkube:v1.16.3 \
|
k8s.gcr.io/hyperkube:v1.16.3 \
|
||||||
|
@ -146,12 +147,33 @@ storage:
|
||||||
contents:
|
contents:
|
||||||
inline:
|
inline:
|
||||||
${domain_name}
|
${domain_name}
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
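Review bot: The files awk unpacks inherit the root umask, and `auth/kubeconfig` plus `tls/k8s/*` are then moved into /etc/kubernetes/bootstrap-secrets with no mode tightening, so unlike the etcd material (which gets `chown -R etcd:etcd` and `chmod -R 500`) the control-plane private keys presumably land mode 0644 in a 0755 directory under the usual 022 umask; adding `umask 077` directly after `#!/bin/bash -e` covers every file the script creates. The header match `/#####/` is unanchored and takes the output path from an unvalidated `$2`, so any content line that merely contains `#####` would redirect the remainder of the bundle; `awk '/^##### / {filename=$2; next} {print > filename}' assets` is the narrower match. Because `rm -rf assets auth static-manifests tls` is the final statement, a failure anywhere above it under `set -e` leaves the complete bundle of secrets in the caller's working directory, which the script also silently assumes is where `assets` was copied; `trap 'rm -rf assets auth static-manifests tls' EXIT` near the top makes the cleanup unconditional. The same script is added in the Container Linux hunks at `@ -139,13 +141,35 @@` and `@ -134,13 +136,35 @@`.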
|
|
|
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers. Activates kubelet.service
|
# Secure copy assets to controllers. Activates kubelet.service
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = length(var.controllers)
|
count = length(var.controllers)
|
||||||
|
@ -23,62 +32,14 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/"
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
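Review bot: The single `file` provisioner now places the entire bundle — etcd and control-plane private keys included — at `$HOME/assets` on each controller, and the only thing that deletes it is the last line of /opt/bootstrap/layout; if `sudo /opt/bootstrap/layout` exits non-zero the remote-exec provisioner stops there and the bundle stays on disk in the login user's home, with whatever mode the file provisioner gave it. A trailing inline command such as `"sudo rm -f $HOME/assets"` (or an unconditional cleanup in the layout script) bounds that exposure; it is also worth confirming that remote-exec's working directory is the same `$HOME` the file was copied to, since layout opens `assets` by a relative name. The `copy-controller-secrets` resource starts outside this hunk. The same replacement is made in the hunks at `@ -20,64 +29,14 @@` and `@ -12,65 +21,15 @@`.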
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
||||||
|
|
|
@ -118,6 +118,8 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--trust-keys-from-https \
|
--trust-keys-from-https \
|
||||||
|
--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
|
||||||
|
--mount volume=config,target=/etc/kubernetes/secrets \
|
||||||
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
||||||
--mount volume=assets,target=/assets \
|
--mount volume=assets,target=/assets \
|
||||||
--volume script,kind=host,source=/opt/bootstrap/apply \
|
--volume script,kind=host,source=/opt/bootstrap/apply \
|
||||||
|
@ -139,13 +141,35 @@ storage:
|
||||||
inline: |
|
inline: |
|
||||||
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
||||||
KUBELET_IMAGE_TAG=v1.16.3
|
KUBELET_IMAGE_TAG=v1.16.3
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
filesystem: root
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers. Activates kubelet.service
|
# Secure copy assets to controllers. Activates kubelet.service
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = var.controller_count
|
count = var.controller_count
|
||||||
|
@ -20,64 +29,14 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Kubernetes assets (kubeconfig, manifests)
|
# Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootstrap" {
|
module "bootstrap" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
|
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"
|
||||||
|
|
||||||
cluster_name = var.cluster_name
|
cluster_name = var.cluster_name
|
||||||
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
|
||||||
|
|
|
@ -107,6 +107,8 @@ systemd:
|
||||||
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--trust-keys-from-https \
|
--trust-keys-from-https \
|
||||||
|
--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
|
||||||
|
--mount volume=config,target=/etc/kubernetes/secrets \
|
||||||
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
--volume assets,kind=host,source=/opt/bootstrap/assets \
|
||||||
--mount volume=assets,target=/assets \
|
--mount volume=assets,target=/assets \
|
||||||
--volume script,kind=host,source=/opt/bootstrap/apply \
|
--volume script,kind=host,source=/opt/bootstrap/apply \
|
||||||
|
@ -134,13 +136,35 @@ storage:
|
||||||
inline: |
|
inline: |
|
||||||
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
|
||||||
KUBELET_IMAGE_TAG=v1.16.3
|
KUBELET_IMAGE_TAG=v1.16.3
|
||||||
|
- path: /opt/bootstrap/layout
|
||||||
|
filesystem: root
|
||||||
|
mode: 0544
|
||||||
|
contents:
|
||||||
|
inline: |
|
||||||
|
#!/bin/bash -e
|
||||||
|
mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
|
||||||
|
awk '/#####/ {filename=$2; next} {print > filename}' assets
|
||||||
|
mkdir -p /etc/ssl/etcd/etcd
|
||||||
|
mkdir -p /etc/kubernetes/bootstrap-secrets
|
||||||
|
mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
|
||||||
|
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
chown -R etcd:etcd /etc/ssl/etcd
|
||||||
|
chmod -R 500 /etc/ssl/etcd
|
||||||
|
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
|
||||||
|
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
|
||||||
|
sudo mkdir -p /etc/kubernetes/manifests
|
||||||
|
sudo mv static-manifests/* /etc/kubernetes/manifests/
|
||||||
|
sudo mkdir -p /opt/bootstrap/assets
|
||||||
|
sudo mv manifests /opt/bootstrap/assets/manifests
|
||||||
|
sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
|
||||||
|
rm -rf assets auth static-manifests tls
|
||||||
- path: /opt/bootstrap/apply
|
- path: /opt/bootstrap/apply
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0544
|
mode: 0544
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
export KUBECONFIG=/assets/auth/kubeconfig
|
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
|
||||||
until kubectl version; do
|
until kubectl version; do
|
||||||
echo "Waiting for static pod control plane"
|
echo "Waiting for static pod control plane"
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
|
@ -1,3 +1,12 @@
|
||||||
|
locals {
|
||||||
|
# format assets for distribution
|
||||||
|
assets_bundle = [
|
||||||
|
# header with the unpack location
|
||||||
|
for key, value in module.bootstrap.assets_dist:
|
||||||
|
format("##### %s\n%s", key, value)
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy assets to controllers.
|
# Secure copy assets to controllers.
|
||||||
resource "null_resource" "copy-controller-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = var.controller_count
|
count = var.controller_count
|
||||||
|
@ -12,65 +21,15 @@ resource "null_resource" "copy-controller-secrets" {
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "15m"
|
timeout = "15m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
content = module.bootstrap.etcd_ca_cert
|
content = join("\n", local.assets_bundle)
|
||||||
destination = "$HOME/etcd-client-ca.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_cert
|
|
||||||
destination = "$HOME/etcd-client.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_client_key
|
|
||||||
destination = "$HOME/etcd-client.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_cert
|
|
||||||
destination = "$HOME/etcd-server.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_server_key
|
|
||||||
destination = "$HOME/etcd-server.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_cert
|
|
||||||
destination = "$HOME/etcd-peer.crt"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
content = module.bootstrap.etcd_peer_key
|
|
||||||
destination = "$HOME/etcd-peer.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
provisioner "file" {
|
|
||||||
source = var.asset_dir
|
|
||||||
destination = "$HOME/assets"
|
destination = "$HOME/assets"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mkdir -p /etc/ssl/etcd/etcd",
|
"sudo /opt/bootstrap/layout",
|
||||||
"sudo mv etcd-client* /etc/ssl/etcd/",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
|
|
||||||
"sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
|
|
||||||
"sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
|
|
||||||
"sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
|
|
||||||
"sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
|
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
|
||||||
"sudo mv $HOME/assets /opt/bootstrap/assets",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/manifests",
|
|
||||||
"sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
|
|
||||||
"sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|