From 812a1adb49dc9b04dd0eddfabc3f69ce26fad045 Mon Sep 17 00:00:00 2001 
From: Dalton Hubble Date: Wed, 2 Jan 2019 23:30:42 -0800 Subject: [PATCH] Use a lower-privilege Kubelet kubeconfig in system:nodes * Kubelets can use a lower-privilege TLS client certificate with Org system:nodes and a binding to the system:node ClusterRole * Admin kubeconfig's continue to belong to Org system:masters to provide cluster-admin (available in assets/auth/kubeconfig or as a Terraform output kubeconfig-admin) * Remove bare-metal output variable kubeconfig --- CHANGES.md | 8 +++++++- aws/container-linux/kubernetes/bootkube.tf | 2 +- aws/container-linux/kubernetes/controllers.tf | 2 +- aws/container-linux/kubernetes/outputs.tf | 4 ++-- aws/container-linux/kubernetes/workers.tf | 2 +- aws/fedora-atomic/kubernetes/bootkube.tf | 2 +- aws/fedora-atomic/kubernetes/controllers.tf | 2 +- aws/fedora-atomic/kubernetes/outputs.tf | 4 ++-- aws/fedora-atomic/kubernetes/workers.tf | 2 +- azure/container-linux/kubernetes/bootkube.tf | 2 +- azure/container-linux/kubernetes/controllers.tf | 2 +- azure/container-linux/kubernetes/outputs.tf | 4 ++-- azure/container-linux/kubernetes/workers.tf | 2 +- bare-metal/container-linux/kubernetes/bootkube.tf | 2 +- bare-metal/container-linux/kubernetes/outputs.tf | 6 +----- bare-metal/container-linux/kubernetes/ssh.tf | 4 ++-- bare-metal/fedora-atomic/kubernetes/bootkube.tf | 2 +- bare-metal/fedora-atomic/kubernetes/outputs.tf | 6 +----- bare-metal/fedora-atomic/kubernetes/ssh.tf | 4 ++-- digital-ocean/container-linux/kubernetes/bootkube.tf | 2 +- digital-ocean/container-linux/kubernetes/ssh.tf | 4 ++-- digital-ocean/fedora-atomic/kubernetes/bootkube.tf | 2 +- digital-ocean/fedora-atomic/kubernetes/ssh.tf | 4 ++-- google-cloud/container-linux/kubernetes/bootkube.tf | 2 +- google-cloud/container-linux/kubernetes/controllers.tf | 2 +- google-cloud/container-linux/kubernetes/outputs.tf | 4 ++-- google-cloud/container-linux/kubernetes/workers.tf | 2 +- google-cloud/fedora-atomic/kubernetes/bootkube.tf | 2 +- 
google-cloud/fedora-atomic/kubernetes/controllers.tf | 2 +- google-cloud/fedora-atomic/kubernetes/outputs.tf | 4 ++-- google-cloud/fedora-atomic/kubernetes/workers.tf | 2 +- 31 files changed, 46 insertions(+), 48 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index d6df7e6b..11a11e17 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -4,13 +4,19 @@ Notable changes between versions. ## Latest -* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` +* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370)) +* Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372)) + * Bind the `system:nodes` group to the `system:node` ClusterRole #### AWS * Change `controller_type` and `worker_type` default from t2.small to t3.small * t3.small is cheaper, provides 2 vCPU (instead of 1), and 5 Gbps of pod-to-pod bandwidth! +#### Bare-Metal + +* Remove the `kubeconfig` output variable + #### Addons * Update Prometheus from v2.5.0 to v2.6.0 diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf index e386f2ce..eb691b9d 100644 --- a/aws/container-linux/kubernetes/bootkube.tf +++ b/aws/container-linux/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/aws/container-linux/kubernetes/controllers.tf b/aws/container-linux/kubernetes/controllers.tf index 471ff038..5962ee47 100644 --- a/aws/container-linux/kubernetes/controllers.tf +++ b/aws/container-linux/kubernetes/controllers.tf 
@@ -68,7 +68,7 @@ data "template_file" "controller-configs" { # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" - kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" + kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}" ssh_authorized_key = "${var.ssh_authorized_key}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/aws/container-linux/kubernetes/outputs.tf b/aws/container-linux/kubernetes/outputs.tf index 21154957..435d9c14 100644 --- a/aws/container-linux/kubernetes/outputs.tf +++ b/aws/container-linux/kubernetes/outputs.tf @@ -1,5 +1,5 @@ output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } # Outputs for Kubernetes Ingress @@ -27,7 +27,7 @@ output "worker_security_groups" { } output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" + value = "${module.bootkube.kubeconfig-kubelet}" } # Outputs for custom load balancing diff --git a/aws/container-linux/kubernetes/workers.tf b/aws/container-linux/kubernetes/workers.tf index 365fd637..0d39e013 100644 --- a/aws/container-linux/kubernetes/workers.tf +++ b/aws/container-linux/kubernetes/workers.tf @@ -13,7 +13,7 @@ module "workers" { spot_price = "${var.worker_price}" # configuration - kubeconfig = "${module.bootkube.kubeconfig}" + kubeconfig = "${module.bootkube.kubeconfig-kubelet}" ssh_authorized_key = "${var.ssh_authorized_key}" service_cidr = "${var.service_cidr}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf index 00171825..62312a4d 100644 --- a/aws/fedora-atomic/kubernetes/bootkube.tf +++ b/aws/fedora-atomic/kubernetes/bootkube.tf 
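Review bot: The `kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}"` line renders one credential into every controller config with no per-node input, and the workers.tf hunk on this line passes the same `module.bootkube.kubeconfig-kubelet` to all workers, so presumably every kubelet presents an identical client certificate. If that certificate carries only org `system:nodes` and a shared CN (as the commit message suggests), binding `system:nodes` to the `system:node` ClusterRole grants each kubelet cluster-wide read of secrets, configmaps and pods, and the Node authorizer / NodeRestriction admission cannot scope it per node, since those need a `system:node:<nodeName>` CN per kubelet; worth confirming against the rendered cert in terraform-render-bootkube. I would add above the line `# kubeconfig-kubelet is a single cluster-wide kubelet credential (org system:nodes); per-node scoping (Node authorizer) would need per-node certs or TLS bootstrapping`, and track that as a follow-up. The `data "template_file" "controller-configs"` body starts and ends outside this hunk.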
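Review bot: Both `output "kubeconfig-admin"` (now `module.bootkube.kubeconfig-admin-context`) and `output "kubeconfig"` (now `module.bootkube.kubeconfig-kubelet`) in aws/container-linux/kubernetes/outputs.tf emit full kubeconfigs, which embed TLS client private keys, yet neither output is marked sensitive, so the cluster-admin and kubelet keys are echoed on every `terraform apply` and land in any captured CLI log. I would add `sensitive = true` to both output blocks, e.g. `output "kubeconfig" {` / `value = "${module.bootkube.kubeconfig-kubelet}"` / `sensitive = true`; note this only hides the value from plan/apply output, the state file still holds it in plaintext and must be protected accordingly. The output keeps the generic name `kubeconfig` while the bare-metal modules delete it outright, so a comment such as `# Kubelet (org system:nodes) kubeconfig, NOT cluster-admin; see kubeconfig-admin` would help callers not mistake it for the admin credential. The same applies to the identical outputs.tf hunks for azure and google-cloud further down this patch.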
@@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/aws/fedora-atomic/kubernetes/controllers.tf b/aws/fedora-atomic/kubernetes/controllers.tf index a62be46c..8632910a 100644 --- a/aws/fedora-atomic/kubernetes/controllers.tf +++ b/aws/fedora-atomic/kubernetes/controllers.tf @@ -60,7 +60,7 @@ data "template_file" "controller-cloudinit" { # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" - kubeconfig = "${indent(6, module.bootkube.kubeconfig)}" + kubeconfig = "${indent(6, module.bootkube.kubeconfig-kubelet)}" ssh_authorized_key = "${var.ssh_authorized_key}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/aws/fedora-atomic/kubernetes/outputs.tf b/aws/fedora-atomic/kubernetes/outputs.tf index 21154957..435d9c14 100644 --- a/aws/fedora-atomic/kubernetes/outputs.tf +++ b/aws/fedora-atomic/kubernetes/outputs.tf @@ -1,5 +1,5 @@ output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } # Outputs for Kubernetes Ingress @@ -27,7 +27,7 @@ output "worker_security_groups" { } output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" + value = "${module.bootkube.kubeconfig-kubelet}" } # Outputs for custom load balancing diff --git a/aws/fedora-atomic/kubernetes/workers.tf b/aws/fedora-atomic/kubernetes/workers.tf index bdd00e80..79273f53 100644 --- a/aws/fedora-atomic/kubernetes/workers.tf 
+++ b/aws/fedora-atomic/kubernetes/workers.tf @@ -12,7 +12,7 @@ module "workers" { spot_price = "${var.worker_price}" # configuration - kubeconfig = "${module.bootkube.kubeconfig}" + kubeconfig = "${module.bootkube.kubeconfig-kubelet}" ssh_authorized_key = "${var.ssh_authorized_key}" service_cidr = "${var.service_cidr}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf index 816d4207..fdf4ed5c 100644 --- a/azure/container-linux/kubernetes/bootkube.tf +++ b/azure/container-linux/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/azure/container-linux/kubernetes/controllers.tf b/azure/container-linux/kubernetes/controllers.tf index aa9d9fc0..057cc407 100644 --- a/azure/container-linux/kubernetes/controllers.tf +++ b/azure/container-linux/kubernetes/controllers.tf @@ -149,7 +149,7 @@ data "template_file" "controller-configs" { # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" - kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" + kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}" ssh_authorized_key = "${var.ssh_authorized_key}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/azure/container-linux/kubernetes/outputs.tf b/azure/container-linux/kubernetes/outputs.tf index e85e4f93..03417cf5 100644 
--- a/azure/container-linux/kubernetes/outputs.tf +++ b/azure/container-linux/kubernetes/outputs.tf @@ -1,5 +1,5 @@ output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } # Outputs for Kubernetes Ingress @@ -32,5 +32,5 @@ output "backend_address_pool_id" { } output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" + value = "${module.bootkube.kubeconfig-kubelet}" } diff --git a/azure/container-linux/kubernetes/workers.tf b/azure/container-linux/kubernetes/workers.tf index 12c7a754..1ff6246d 100644 --- a/azure/container-linux/kubernetes/workers.tf +++ b/azure/container-linux/kubernetes/workers.tf @@ -15,7 +15,7 @@ module "workers" { priority = "${var.worker_priority}" # configuration - kubeconfig = "${module.bootkube.kubeconfig}" + kubeconfig = "${module.bootkube.kubeconfig-kubelet}" ssh_authorized_key = "${var.ssh_authorized_key}" service_cidr = "${var.service_cidr}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf index bdcd84c9..00815ded 100644 --- a/bare-metal/container-linux/kubernetes/bootkube.tf +++ b/bare-metal/container-linux/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${var.k8s_domain_name}"] diff --git a/bare-metal/container-linux/kubernetes/outputs.tf b/bare-metal/container-linux/kubernetes/outputs.tf index 727feb6b..0ed7e412 100644 --- a/bare-metal/container-linux/kubernetes/outputs.tf +++ b/bare-metal/container-linux/kubernetes/outputs.tf 
@@ -1,7 +1,3 @@ -output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" -} - output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } diff --git a/bare-metal/container-linux/kubernetes/ssh.tf b/bare-metal/container-linux/kubernetes/ssh.tf index 0b6220c0..661295f4 100644 --- a/bare-metal/container-linux/kubernetes/ssh.tf +++ b/bare-metal/container-linux/kubernetes/ssh.tf @@ -18,7 +18,7 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } @@ -94,7 +94,7 @@ resource "null_resource" "copy-worker-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf index 0b1614ed..729b5f41 100644 --- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf +++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${var.k8s_domain_name}"] diff --git a/bare-metal/fedora-atomic/kubernetes/outputs.tf b/bare-metal/fedora-atomic/kubernetes/outputs.tf index 7af5cbfa..b1e23b10 100644 --- a/bare-metal/fedora-atomic/kubernetes/outputs.tf +++ b/bare-metal/fedora-atomic/kubernetes/outputs.tf 
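Review bot: In bare-metal/container-linux/kubernetes/ssh.tf the `provisioner "file"` blocks now copy `module.bootkube.kubeconfig-kubelet`, which contains a TLS client private key, to `destination = "$HOME/kubeconfig"` on every controller and worker, and nothing in the hunk constrains the file's permissions, so it is written with the SSH user's default umask into a home directory. The `remote-exec` step that presumably moves it into place lies outside this hunk; it should be checked that it installs the file with mode 0600 and removes `$HOME/kubeconfig` afterwards, or a `chmod 0600 $HOME/kubeconfig` should be added to that step. I would also add a comment above the provisioner, `# kubelet kubeconfig (org system:nodes), shared by all nodes; contains a private key`, so the lower privilege level and the shared nature of the credential are visible where it is distributed. Both `null_resource "copy-controller-secrets"` and `null_resource "copy-worker-secrets"` begin and end outside this hunk, and the digital-ocean ssh.tf hunks later in the patch make the same change.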
@@ -1,8 +1,4 @@ -output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" -} - output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } diff --git a/bare-metal/fedora-atomic/kubernetes/ssh.tf b/bare-metal/fedora-atomic/kubernetes/ssh.tf index f07871bf..71ccf6e8 100644 --- a/bare-metal/fedora-atomic/kubernetes/ssh.tf +++ b/bare-metal/fedora-atomic/kubernetes/ssh.tf @@ -18,7 +18,7 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } @@ -92,7 +92,7 @@ resource "null_resource" "copy-worker-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf index 53efcf45..5a9eb641 100644 --- a/digital-ocean/container-linux/kubernetes/bootkube.tf +++ b/digital-ocean/container-linux/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/digital-ocean/container-linux/kubernetes/ssh.tf b/digital-ocean/container-linux/kubernetes/ssh.tf index 0dc9c396..5c5ed774 100644 --- a/digital-ocean/container-linux/kubernetes/ssh.tf +++ b/digital-ocean/container-linux/kubernetes/ssh.tf 
@@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } @@ -78,7 +78,7 @@ resource "null_resource" "copy-worker-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf index 7bd65ba4..6c92ca5b 100644 --- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf +++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/digital-ocean/fedora-atomic/kubernetes/ssh.tf b/digital-ocean/fedora-atomic/kubernetes/ssh.tf index 60bf6ddc..1d7e0002 100644 --- a/digital-ocean/fedora-atomic/kubernetes/ssh.tf +++ b/digital-ocean/fedora-atomic/kubernetes/ssh.tf @@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } @@ -76,7 +76,7 @@ resource "null_resource" "copy-worker-secrets" { } provisioner "file" { - content = "${module.bootkube.kubeconfig}" + content = "${module.bootkube.kubeconfig-kubelet}" destination = "$HOME/kubeconfig" } diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf index a08c8af6..f4564eef 100644 
--- a/google-cloud/container-linux/kubernetes/bootkube.tf +++ b/google-cloud/container-linux/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/google-cloud/container-linux/kubernetes/controllers.tf b/google-cloud/container-linux/kubernetes/controllers.tf index cf01c709..364d8c0c 100644 --- a/google-cloud/container-linux/kubernetes/controllers.tf +++ b/google-cloud/container-linux/kubernetes/controllers.tf @@ -87,7 +87,7 @@ data "template_file" "controller-configs" { # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" - kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" + kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}" ssh_authorized_key = "${var.ssh_authorized_key}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/google-cloud/container-linux/kubernetes/outputs.tf b/google-cloud/container-linux/kubernetes/outputs.tf index de97fad0..408ca607 100644 --- a/google-cloud/container-linux/kubernetes/outputs.tf +++ b/google-cloud/container-linux/kubernetes/outputs.tf @@ -1,5 +1,5 @@ output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } # Outputs for Kubernetes Ingress @@ -21,7 +21,7 @@ output "network_name" { } output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" + value = "${module.bootkube.kubeconfig-kubelet}" } # Outputs for custom firewalling 
diff --git a/google-cloud/container-linux/kubernetes/workers.tf b/google-cloud/container-linux/kubernetes/workers.tf index 8017b685..565fbb7f 100644 --- a/google-cloud/container-linux/kubernetes/workers.tf +++ b/google-cloud/container-linux/kubernetes/workers.tf @@ -13,7 +13,7 @@ module "workers" { preemptible = "${var.worker_preemptible}" # configuration - kubeconfig = "${module.bootkube.kubeconfig}" + kubeconfig = "${module.bootkube.kubeconfig-kubelet}" ssh_authorized_key = "${var.ssh_authorized_key}" service_cidr = "${var.service_cidr}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf index a7cfba20..814107de 100644 --- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf +++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf @@ -1,6 +1,6 @@ # Self-hosted Kubernetes assets (kubeconfig, manifests) module "bootkube" { - source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" + source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b" cluster_name = "${var.cluster_name}" api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] diff --git a/google-cloud/fedora-atomic/kubernetes/controllers.tf b/google-cloud/fedora-atomic/kubernetes/controllers.tf index 9bc3c71a..5ce6cb66 100644 --- a/google-cloud/fedora-atomic/kubernetes/controllers.tf +++ b/google-cloud/fedora-atomic/kubernetes/controllers.tf 
@@ -79,7 +79,7 @@ data "template_file" "controller-cloudinit" { # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" - kubeconfig = "${indent(6, module.bootkube.kubeconfig)}" + kubeconfig = "${indent(6, module.bootkube.kubeconfig-kubelet)}" ssh_authorized_key = "${var.ssh_authorized_key}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" cluster_domain_suffix = "${var.cluster_domain_suffix}" diff --git a/google-cloud/fedora-atomic/kubernetes/outputs.tf b/google-cloud/fedora-atomic/kubernetes/outputs.tf index de97fad0..408ca607 100644 --- a/google-cloud/fedora-atomic/kubernetes/outputs.tf +++ b/google-cloud/fedora-atomic/kubernetes/outputs.tf @@ -1,5 +1,5 @@ output "kubeconfig-admin" { - value = "${module.bootkube.user-kubeconfig}" + value = "${module.bootkube.kubeconfig-admin-context}" } # Outputs for Kubernetes Ingress @@ -21,7 +21,7 @@ output "network_name" { } output "kubeconfig" { - value = "${module.bootkube.kubeconfig}" + value = "${module.bootkube.kubeconfig-kubelet}" } # Outputs for custom firewalling diff --git a/google-cloud/fedora-atomic/kubernetes/workers.tf b/google-cloud/fedora-atomic/kubernetes/workers.tf index a41dd8a0..bc16d43a 100644 --- a/google-cloud/fedora-atomic/kubernetes/workers.tf +++ b/google-cloud/fedora-atomic/kubernetes/workers.tf @@ -13,7 +13,7 @@ module "workers" { preemptible = "${var.worker_preemptible}" # configuration - kubeconfig = "${module.bootkube.kubeconfig}" + kubeconfig = "${module.bootkube.kubeconfig-kubelet}" ssh_authorized_key = "${var.ssh_authorized_key}" service_cidr = "${var.service_cidr}" cluster_domain_suffix = "${var.cluster_domain_suffix}"