From 37ce722f9c32a259f19dcbc2369ef8c0e7dcf184 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Fri, 17 May 2019 12:52:16 +0200 Subject: [PATCH] Fix race condition in DigitalOcean cluster create * DigitalOcean clusters must secure copy a kubeconfig to worker nodes, but Terraform could decide to try copying before firewall rules have been added to allow SSH access. * Add an explicit dependency on adding firewall rules first --- CHANGES.md | 5 +++++ digital-ocean/container-linux/kubernetes/ssh.tf | 3 +++ digital-ocean/fedora-atomic/kubernetes/ssh.tf | 3 +++ 3 files changed, 11 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 7e662aad..27e52f71 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -12,6 +12,11 @@ Notable changes between versions. * Only set internal VXLAN rules when `networking` is flannel (default: calico) +#### DigitalOcean + +* Add explicit ordering between firewall rule creation and secure copying Kubelet credentials ([#469](https://github.com/poseidon/typhoon/pull/469)) + * Fix race scenario if copies to nodes were before rule creation, blocking cluster creation + #### Addons * Update Prometheus from v2.8.1 to v2.9.2 diff --git a/digital-ocean/container-linux/kubernetes/ssh.tf b/digital-ocean/container-linux/kubernetes/ssh.tf index 5c5ed774..98740a22 100644 --- a/digital-ocean/container-linux/kubernetes/ssh.tf +++ b/digital-ocean/container-linux/kubernetes/ssh.tf @@ -1,6 +1,9 @@ # Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service resource "null_resource" "copy-controller-secrets" { count = "${var.controller_count}" + depends_on = [ + "digitalocean_firewall.rules", + ] connection { type = "ssh" diff --git a/digital-ocean/fedora-atomic/kubernetes/ssh.tf b/digital-ocean/fedora-atomic/kubernetes/ssh.tf index 1d7e0002..156a4894 100644 --- a/digital-ocean/fedora-atomic/kubernetes/ssh.tf +++ b/digital-ocean/fedora-atomic/kubernetes/ssh.tf 
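Review bot: The commit message describes the race as hitting the kubeconfig copy to worker nodes, but the `depends_on` added in the digital-ocean/container-linux/kubernetes/ssh.tf hunk is attached only to `null_resource.copy-controller-secrets`. If ssh.tf also defines a resource that copies secrets to workers over SSH (not visible in this hunk), it presumably needs the same `depends_on = ["digitalocean_firewall.rules"]`, unless it is already ordered after this resource some other way. The identical hunk in digital-ocean/fedora-atomic/kubernetes/ssh.tf has the same gap. A one-line comment above the new lines, e.g. `# SSH provisioning requires the firewall rules to exist first`, would keep the ordering from later being removed as redundant. The resource body continues past the end of both hunks, so the rest of the connection block was not reviewed.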
@@ -1,6 +1,9 @@ # Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service resource "null_resource" "copy-controller-secrets" { count = "${var.controller_count}" + depends_on = [ + "digitalocean_firewall.rules", + ] connection { type = "ssh"