digital-ocean: Distribute kubeconfig via Terraform null_resource

* Keep kubeconfig out of DigitalOcean metadata user-data
This commit is contained in:
Dalton Hubble 2017-09-13 20:08:28 -07:00
parent 64e8d207b1
commit 2ff6d602d8
5 changed files with 42 additions and 53 deletions

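--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -5,6 +5,15 @@ systemd:
 enable: true
 - name: locksmithd.service
 mask: true
+- name: kubelet.path
+enable: true
+contents: |
+[Unit]
+Description=Watch for kubeconfig
+[Path]
+PathExists=/etc/kubernetes/kubeconfig
+[Install]
+WantedBy=multi-user.target
 - name: wait-for-dns.service
 enable: true
 contents: |
@@ -19,7 +28,6 @@ systemd:
 [Install]
 RequiredBy=kubelet.service
 - name: kubelet.service
-enable: true
 contents: |
 [Unit]
 Description=Kubelet via Hyperkube ACI
@@ -78,27 +86,6 @@ systemd:
 WantedBy=multi-user.target
 storage:
 files:
-- path: /etc/kubernetes/kubeconfig
-filesystem: root
-mode: 0644
-contents:
-inline: |
-apiVersion: v1
-kind: Config
-clusters:
-- name: local
-cluster:
-server: ${kubeconfig_server}
-certificate-authority-data: ${kubeconfig_ca_cert}
-users:
-- name: kubelet
-user:
-client-certificate-data: ${kubeconfig_kubelet_cert}
-client-key-data: ${kubeconfig_kubelet_key}
-contexts:
-- context:
-cluster: local
-user: kubelet
 - path: /etc/kubernetes/kubelet.env
 filesystem: root
 mode: 0644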
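Review bot: The new kubelet.path unit starts kubelet.service the moment /etc/kubernetes/kubeconfig exists, and kubelet.service itself is no longer enabled, so the kubelet now depends on that file being placed atomically — a rename (`mv` within one filesystem) satisfies this, but a `cp` or a shell redirect would let the kubelet start on a half-written kubeconfig. Nothing in the config records that constraint; a comment above the unit, `# Starts kubelet.service once the kubeconfig is placed (by rename) from the Terraform provisioner`, would protect it from a later change. PathExists presumably also fires at boot while the file is already present, so the kubelet comes back after a reboot without the provisioner re-running — worth confirming and stating in the same comment. The same unit is added, and the same `enable: true` dropped, in the second file section (the worker config), so the comment belongs there too.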

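--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -5,6 +5,15 @@ systemd:
 enable: true
 - name: locksmithd.service
 mask: true
+- name: kubelet.path
+enable: true
+contents: |
+[Unit]
+Description=Watch for kubeconfig
+[Path]
+PathExists=/etc/kubernetes/kubeconfig
+[Install]
+WantedBy=multi-user.target
 - name: wait-for-dns.service
 enable: true
 contents: |
@@ -19,7 +28,6 @@ systemd:
 [Install]
 RequiredBy=kubelet.service
 - name: kubelet.service
-enable: true
 contents: |
 [Unit]
 Description=Kubelet via Hyperkube ACI
@@ -76,27 +84,6 @@ systemd:
 WantedBy=multi-user.target
 storage:
 files:
-- path: /etc/kubernetes/kubeconfig
-filesystem: root
-mode: 0644
-contents:
-inline: |
-apiVersion: v1
-kind: Config
-clusters:
-- name: local
-cluster:
-server: ${kubeconfig_server}
-certificate-authority-data: ${kubeconfig_ca_cert}
-users:
-- name: kubelet
-user:
-client-certificate-data: ${kubeconfig_kubelet_cert}
-client-key-data: ${kubeconfig_kubelet_key}
-contexts:
-- context:
-cluster: local
-user: kubelet
 - path: /etc/kubernetes/kubelet.env
 filesystem: root
 mode: 0644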

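--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -48,10 +48,6 @@ data "template_file" "controller_config" {
 vars = {
 k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
 k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
-kubeconfig_ca_cert = "${module.bootkube.ca_cert}"
-kubeconfig_kubelet_cert = "${module.bootkube.kubelet_cert}"
-kubeconfig_kubelet_key = "${module.bootkube.kubelet_key}"
-kubeconfig_server = "${module.bootkube.server}"
 }
 }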

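--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -1,7 +1,30 @@
+# Secure copy kubeconfig to all nodes. Activates kubelet.service
+resource "null_resource" "copy-secrets" {
+count = "${var.controller_count + var.worker_count}"
+connection {
+type = "ssh"
+host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}"
+user = "core"
+timeout = "15m"
+}
+provisioner "file" {
+content = "${module.bootkube.kubeconfig}"
+destination = "$HOME/kubeconfig"
+}
+provisioner "remote-exec" {
+inline = [
+"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
+]
+}
+}
 # Secure copy bootkube assets to ONE controller and start bootkube to perform
 # one-time self-hosted cluster bootstrapping.
 resource "null_resource" "bootkube-start" {
-depends_on = ["module.bootkube", "digitalocean_droplet.controllers"]
+depends_on = ["module.bootkube", "null_resource.copy-secrets", "digitalocean_droplet.controllers"]
 connection {
 type = "ssh"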
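Review bot: The remote-exec `sudo mv` leaves /etc/kubernetes/kubeconfig with the ownership and mode the file provisioner gave it in core's home — owned by `core`, not root — whereas the Ignition-written file it replaces was root-owned at 0644, and the file now carries the kubelet client key. If the kubelet is the only reader and runs as root (presumably so for the rkt-run hyperkube; confirm), tightening it before the rename keeps the placement atomic for kubelet.path: `"sudo chown root:root /home/core/kubeconfig",` `"sudo chmod 0600 /home/core/kubeconfig",` `"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",`. The file provisioner's destination `$HOME/kubeconfig` and the mv source `/home/core/kubeconfig` should also name the same path literally, since `$HOME` depends on the SSH session's environment. The bootkube-start resource continues outside the section.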

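--- a/PATH-NOT-ON-PAGE-5
+++ b/PATH-NOT-ON-PAGE-5
@@ -45,10 +45,6 @@ data "template_file" "worker_config" {
 vars = {
 k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
 k8s_etcd_service_ip = "${cidrhost(var.service_cidr, 15)}"
-kubeconfig_ca_cert = "${module.bootkube.ca_cert}"
-kubeconfig_kubelet_cert = "${module.bootkube.kubelet_cert}"
-kubeconfig_kubelet_key = "${module.bootkube.kubelet_key}"
-kubeconfig_server = "${module.bootkube.server}"
 }
 }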