From 41f739891b5b1b72d28af5d0434997272ef96e67 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Thu, 9 Dec 2021 09:53:49 -0800
Subject: [PATCH] Normalize CA certs mounts in static Pods and kube-proxy
* Mount both /etc/ssl/certs and /etc/pki into control plane static pods and kube-proxy, rather than choosing one based a variable (set based on Flatcar Linux or Fedora CoreOS)
* Remove deprecated `--port` from `kube-scheduler` static Pod
---
 CHANGES.md | 1 +
 aws/fedora-coreos/kubernetes/bootstrap.tf | 4 +---
 aws/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 azure/fedora-coreos/kubernetes/bootstrap.tf | 5 +----
 azure/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 bare-metal/fedora-coreos/kubernetes/bootstrap.tf | 4 +---
 bare-metal/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 digital-ocean/fedora-coreos/kubernetes/bootstrap.tf | 5 +----
 digital-ocean/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 google-cloud/fedora-coreos/kubernetes/bootstrap.tf | 4 +---
 google-cloud/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 11 files changed, 11 insertions(+), 22 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index b4364a6b..e5b80837 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@ Notable changes between versions.
 ## Latest
 * Kubernetes [v1.23.0](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#v1230)
+* Normalize CA certs mounts in static Pods and kube-proxy
 * With Calico, add missing `caliconodestatuses` CRD ([#289](https://github.com/poseidon/terraform-render-bootstrap/pull/289))
 ### AWS
diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf
index 5cd4dfc9..e0e97420 100644
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
@@ -13,7 +13,5 @@ module "bootstrap" {
 enable_reporting = var.enable_reporting
 enable_aggregation = var.enable_aggregation
 daemonset_tolerations = var.daemonset_tolerations
-
- trusted_certs_dir = "/etc/pki/tls/certs"
 }
diff --git a/aws/flatcar-linux/kubernetes/bootstrap.tf b/aws/flatcar-linux/kubernetes/bootstrap.tf
index 8ba09fa6..e0e97420 100644
--- a/aws/flatcar-linux/kubernetes/bootstrap.tf
+++ b/aws/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf
index 5a183ded..1003a742 100644
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
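Review bot: Removing `trusted_certs_dir = "/etc/pki/tls/certs"` in the `@@ -13,7 +13,5 @@` hunk of aws/fedora-coreos/kubernetes/bootstrap.tf means, per the commit description, that the host path handed to the control plane static Pods and kube-proxy widens from the certificate directory to all of `/etc/pki`. On Fedora-family hosts `/etc/pki` conventionally also contains `tls/private`, so it is worth confirming that the manifests rendered at ref `8add7022d17a7dd64198270f80d0653b9b7a28a2` mount both host paths read-only. Those manifests live in terraform-render-bootstrap and cannot be checked from this patch, which only moves the pin. The same applies to the matching removals in the azure, bare-metal, digital-ocean and google-cloud Fedora CoreOS files. I would also record the reason next to the pin with a comment above `source`, for example `# ref mounts /etc/ssl/certs and /etc/pki into static Pods and kube-proxy; trusted_certs_dir is no longer set`.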
@@ -19,8 +19,5 @@ module "bootstrap" {
 enable_reporting = var.enable_reporting
 enable_aggregation = var.enable_aggregation
 daemonset_tolerations = var.daemonset_tolerations
-
- # Fedora CoreOS
- trusted_certs_dir = "/etc/pki/tls/certs"
 }
diff --git a/azure/flatcar-linux/kubernetes/bootstrap.tf b/azure/flatcar-linux/kubernetes/bootstrap.tf
index 349dd246..1003a742 100644
--- a/azure/flatcar-linux/kubernetes/bootstrap.tf
+++ b/azure/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
index 5947b2bc..4daac3e0 100644
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
@@ -13,8 +13,6 @@ module "bootstrap" {
 cluster_domain_suffix = var.cluster_domain_suffix
 enable_reporting = var.enable_reporting
 enable_aggregation = var.enable_aggregation
-
- trusted_certs_dir = "/etc/pki/tls/certs"
 }
diff --git a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
index 650bfa91..7b540169 100644
--- a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
index 6f55f80e..61abbc5a 100644
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
@@ -17,8 +17,5 @@ module "bootstrap" {
 cluster_domain_suffix = var.cluster_domain_suffix
 enable_reporting = var.enable_reporting
 enable_aggregation = var.enable_aggregation
-
- # Fedora CoreOS
- trusted_certs_dir = "/etc/pki/tls/certs"
 }
diff --git a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
index 5c60e021..61abbc5a 100644
--- a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
index 0de021b3..909264ec 100644
--- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
+++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
@@ -14,8 +14,6 @@ module "bootstrap" {
 enable_aggregation = var.enable_aggregation
 daemonset_tolerations = var.daemonset_tolerations
- trusted_certs_dir = "/etc/pki/tls/certs"
-
 // temporary
 external_apiserver_port = 443
 }
diff --git a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
index 22e9076b..909264ec 100644
--- a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=362158a6d60aa16ef81eab347b1bb5268db652e2"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=8add7022d17a7dd64198270f80d0653b9b7a28a2"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]