digital-ocean: Distribute kubeconfig via Terraform null_resource
* Keep kubeconfig out of DigitalOcean metadata user-data
This commit is contained in:
parent
64e8d207b1
commit
2ff6d602d8
|
@ -5,6 +5,15 @@ systemd:
|
||||||
enable: true
|
enable: true
|
||||||
- name: locksmithd.service
|
- name: locksmithd.service
|
||||||
mask: true
|
mask: true
|
||||||
|
- name: kubelet.path
|
||||||
|
enable: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Watch for kubeconfig
|
||||||
|
[Path]
|
||||||
|
PathExists=/etc/kubernetes/kubeconfig
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
- name: wait-for-dns.service
|
- name: wait-for-dns.service
|
||||||
enable: true
|
enable: true
|
||||||
contents: |
|
contents: |
|
||||||
|
@ -19,7 +28,6 @@ systemd:
|
||||||
[Install]
|
[Install]
|
||||||
RequiredBy=kubelet.service
|
RequiredBy=kubelet.service
|
||||||
- name: kubelet.service
|
- name: kubelet.service
|
||||||
enable: true
|
|
||||||
contents: |
|
contents: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Kubelet via Hyperkube ACI
|
Description=Kubelet via Hyperkube ACI
|
||||||
|
@ -78,27 +86,6 @@ systemd:
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
storage:
|
storage:
|
||||||
files:
|
files:
|
||||||
- path: /etc/kubernetes/kubeconfig
|
|
||||||
filesystem: root
|
|
||||||
mode: 0644
|
|
||||||
contents:
|
|
||||||
inline: |
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Config
|
|
||||||
clusters:
|
|
||||||
- name: local
|
|
||||||
cluster:
|
|
||||||
server: ${kubeconfig_server}
|
|
||||||
certificate-authority-data: ${kubeconfig_ca_cert}
|
|
||||||
users:
|
|
||||||
- name: kubelet
|
|
||||||
user:
|
|
||||||
client-certificate-data: ${kubeconfig_kubelet_cert}
|
|
||||||
client-key-data: ${kubeconfig_kubelet_key}
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: local
|
|
||||||
user: kubelet
|
|
||||||
- path: /etc/kubernetes/kubelet.env
|
- path: /etc/kubernetes/kubelet.env
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
|
@ -5,6 +5,15 @@ systemd:
|
||||||
enable: true
|
enable: true
|
||||||
- name: locksmithd.service
|
- name: locksmithd.service
|
||||||
mask: true
|
mask: true
|
||||||
|
- name: kubelet.path
|
||||||
|
enable: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Watch for kubeconfig
|
||||||
|
[Path]
|
||||||
|
PathExists=/etc/kubernetes/kubeconfig
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
- name: wait-for-dns.service
|
- name: wait-for-dns.service
|
||||||
enable: true
|
enable: true
|
||||||
contents: |
|
contents: |
|
||||||
|
@ -19,7 +28,6 @@ systemd:
|
||||||
[Install]
|
[Install]
|
||||||
RequiredBy=kubelet.service
|
RequiredBy=kubelet.service
|
||||||
- name: kubelet.service
|
- name: kubelet.service
|
||||||
enable: true
|
|
||||||
contents: |
|
contents: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Kubelet via Hyperkube ACI
|
Description=Kubelet via Hyperkube ACI
|
||||||
|
@ -76,27 +84,6 @@ systemd:
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
storage:
|
storage:
|
||||||
files:
|
files:
|
||||||
- path: /etc/kubernetes/kubeconfig
|
|
||||||
filesystem: root
|
|
||||||
mode: 0644
|
|
||||||
contents:
|
|
||||||
inline: |
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Config
|
|
||||||
clusters:
|
|
||||||
- name: local
|
|
||||||
cluster:
|
|
||||||
server: ${kubeconfig_server}
|
|
||||||
certificate-authority-data: ${kubeconfig_ca_cert}
|
|
||||||
users:
|
|
||||||
- name: kubelet
|
|
||||||
user:
|
|
||||||
client-certificate-data: ${kubeconfig_kubelet_cert}
|
|
||||||
client-key-data: ${kubeconfig_kubelet_key}
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: local
|
|
||||||
user: kubelet
|
|
||||||
- path: /etc/kubernetes/kubelet.env
|
- path: /etc/kubernetes/kubelet.env
|
||||||
filesystem: root
|
filesystem: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
|
@ -48,10 +48,6 @@ data "template_file" "controller_config" {
|
||||||
vars = {
|
vars = {
|
||||||
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
||||||
k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
|
k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
|
||||||
kubeconfig_ca_cert = "${module.bootkube.ca_cert}"
|
|
||||||
kubeconfig_kubelet_cert = "${module.bootkube.kubelet_cert}"
|
|
||||||
kubeconfig_kubelet_key = "${module.bootkube.kubelet_key}"
|
|
||||||
kubeconfig_server = "${module.bootkube.server}"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,30 @@
|
||||||
|
# Secure copy kubeconfig to all nodes. Activates kubelet.service
|
||||||
|
resource "null_resource" "copy-secrets" {
|
||||||
|
count = "${var.controller_count + var.worker_count}"
|
||||||
|
|
||||||
|
connection {
|
||||||
|
type = "ssh"
|
||||||
|
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}"
|
||||||
|
user = "core"
|
||||||
|
timeout = "15m"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "file" {
|
||||||
|
content = "${module.bootkube.kubeconfig}"
|
||||||
|
destination = "$HOME/kubeconfig"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "remote-exec" {
|
||||||
|
inline = [
|
||||||
|
"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
||||||
# one-time self-hosted cluster bootstrapping.
|
# one-time self-hosted cluster bootstrapping.
|
||||||
resource "null_resource" "bootkube-start" {
|
resource "null_resource" "bootkube-start" {
|
||||||
depends_on = ["module.bootkube", "digitalocean_droplet.controllers"]
|
depends_on = ["module.bootkube", "null_resource.copy-secrets", "digitalocean_droplet.controllers"]
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
type = "ssh"
|
type = "ssh"
|
||||||
|
|
|
@ -45,10 +45,6 @@ data "template_file" "worker_config" {
|
||||||
vars = {
|
vars = {
|
||||||
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
||||||
k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
|
k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
|
||||||
kubeconfig_ca_cert = "${module.bootkube.ca_cert}"
|
|
||||||
kubeconfig_kubelet_cert = "${module.bootkube.kubelet_cert}"
|
|
||||||
kubeconfig_kubelet_key = "${module.bootkube.kubelet_key}"
|
|
||||||
kubeconfig_server = "${module.bootkube.server}"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue