diff --git a/CHANGES.md b/CHANGES.md index 8bcab8f0..3dc782d2 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,8 +7,9 @@ Notable changes between versions. * Add input variable validations ([#880](https://github.com/poseidon/typhoon/pull/880)) * Require Terraform v0.13+ ([migration guide](https://typhoon.psdn.io/topics/maintenance/#terraform-versions)) * Set output sensitive to suppress console display for some cases ([#885](https://github.com/poseidon/typhoon/pull/885)) +* Add service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897)) +* Scope kube-scheduler and kube-controller-manager permissions ([#898](https://github.com/poseidon/typhoon/pull/898)) * Update etcd from v3.4.12 to [v3.4.14](https://github.com/etcd-io/etcd/releases/tag/v3.4.14) -* Enable service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897)) * Update Calico from v3.16.5 to v3.17.0 ([#890](https://github.com/poseidon/typhoon/pull/890)) * Enable Calico MTU auto-detection * Remove [workaround](https://github.com/poseidon/typhoon/pull/724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874) @@ -64,7 +65,6 @@ Notable changes between versions. ### Flatcar Linux * Rename `container-linux` modules to `flatcar-linux` ([#858](https://github.com/poseidon/typhoon/issues/858)) (**action required**) - * Change on-host system containers from rkt to docker * Change `etcd-member.service` container runnner from rkt to docker ([#867](https://github.com/poseidon/typhoon/pull/867)) * Change `kubelet.service` container runner from rkt-fly to docker ([#855](https://github.com/poseidon/typhoon/pull/855)) diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf index 948932e2..cbe82e52 100644 --- a/aws/fedora-coreos/kubernetes/bootstrap.tf +++ b/aws/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml index 282bb0dc..810e2651 100644 --- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml @@ -147,7 +147,7 @@ storage: mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -161,7 +161,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/aws/flatcar-linux/kubernetes/bootstrap.tf b/aws/flatcar-linux/kubernetes/bootstrap.tf index 46cb464b..e9a957dc 100644 --- a/aws/flatcar-linux/kubernetes/bootstrap.tf +++ b/aws/flatcar-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/aws/flatcar-linux/kubernetes/cl/controller.yaml b/aws/flatcar-linux/kubernetes/cl/controller.yaml index 7fe96377..9c2f800b 100644 --- a/aws/flatcar-linux/kubernetes/cl/controller.yaml +++ b/aws/flatcar-linux/kubernetes/cl/controller.yaml @@ -155,7 +155,7 @@ storage: chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd chmod -R 700 /var/lib/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -169,7 +169,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf index 96b45e71..084e63a6 100644 --- a/azure/fedora-coreos/kubernetes/bootstrap.tf +++ b/azure/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/azure/fedora-coreos/kubernetes/fcc/controller.yaml b/azure/fedora-coreos/kubernetes/fcc/controller.yaml index 424ac7f0..2a71f7ce 100644 --- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml @@ -146,7 +146,7 @@ storage: mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -160,7 +160,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/azure/flatcar-linux/kubernetes/bootstrap.tf b/azure/flatcar-linux/kubernetes/bootstrap.tf index 976ce448..1cb2434a 100644 --- a/azure/flatcar-linux/kubernetes/bootstrap.tf +++ b/azure/flatcar-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/azure/flatcar-linux/kubernetes/cl/controller.yaml b/azure/flatcar-linux/kubernetes/cl/controller.yaml index 7fe96377..9c2f800b 100644 --- a/azure/flatcar-linux/kubernetes/cl/controller.yaml +++ b/azure/flatcar-linux/kubernetes/cl/controller.yaml @@ -155,7 +155,7 @@ storage: chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd chmod -R 700 /var/lib/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -169,7 +169,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf index 2646e170..d5d7ea73 100644 --- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf +++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [var.k8s_domain_name] diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml index 90a0b151..1919265b 100644 --- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml @@ -157,7 +157,7 @@ storage: mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -171,7 +171,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf index 9ea9c39d..485348e1 100644 --- a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf +++ b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [var.k8s_domain_name] diff --git a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml index b89524ee..3ce8b1ef 100644 --- a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml +++ b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml @@ -169,7 +169,7 @@ storage: chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd chmod -R 700 /var/lib/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -183,7 +183,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf index 9ca47cfa..66d6d52f 100644 --- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf +++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml index 62fe163d..f7f5adc4 100644 --- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml @@ -153,7 +153,7 @@ storage: mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -167,7 +167,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf index 20eb4ca8..44b97f86 100644 --- a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf +++ b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml index b1ebdf14..5e7732ff 100644 --- a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml +++ b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml @@ -162,7 +162,7 @@ storage: chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd chmod -R 700 /var/lib/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -176,7 +176,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf index 15407159..79b309c1 100644 --- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf +++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml index c14fe0b1..2a3516d3 100644 --- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml @@ -146,7 +146,7 @@ storage: mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -160,7 +160,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf index 063c991d..5fb1f9b7 100644 --- a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf +++ b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml index cc1c3a04..924f1884 100644 --- a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml +++ b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml @@ -153,7 +153,7 @@ storage: chown -R etcd:etcd /etc/ssl/etcd chmod -R 500 /etc/ssl/etcd chmod -R 700 /var/lib/etcd - mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv auth/* /etc/kubernetes/bootstrap-secrets/ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ mkdir -p /etc/kubernetes/manifests mv static-manifests/* /etc/kubernetes/manifests/ @@ -167,7 +167,7 @@ storage: contents: inline: | #!/bin/bash -e - export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/admin.conf until kubectl version; do echo "Waiting for static pod control plane" sleep 5