From 9ec8ec4afc13633e53edc04d38d5b3336ab61c47 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 14 Oct 2017 20:41:18 -0700
Subject: [PATCH] Secure copy etcd TLS credentials to controllers only

* Controllers receive etcd TLS credentials
* Controllers and workers receive a kubeconfig
---
 bare-metal/container-linux/kubernetes/ssh.tf | 36 ++++++++++++++++----
 bare-metal/container-linux/pxe-worker/ssh.tf | 2 +-
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/bare-metal/container-linux/kubernetes/ssh.tf b/bare-metal/container-linux/kubernetes/ssh.tf
index 059b6e92..eb533680 100644
--- a/bare-metal/container-linux/kubernetes/ssh.tf
+++ b/bare-metal/container-linux/kubernetes/ssh.tf
@@ -1,10 +1,10 @@
-# Secure copy etcd TLS assets and kubeconfig to all nodes. Activates kubelet.service
-resource "null_resource" "copy-secrets" {
- count = "${length(var.controller_names) + length(var.worker_names)}"
+# Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
+resource "null_resource" "copy-etcd-secrets" {
+ count = "${length(var.controller_names)}"
 
 connection {
 type = "ssh"
- host = "${element(concat(var.controller_domains, var.worker_domains), count.index)}"
+ host = "${element(var.controller_domains, count.index)}"
 user = "core"
 timeout = "60m"
 }
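Review bot: Renaming `copy-secrets` to `copy-etcd-secrets` changes the resource address, so on an already-provisioned cluster Terraform will most likely plan to destroy and recreate the null_resource and re-run its provisioners on every controller unless the state entries are moved first, e.g. `terraform state mv null_resource.copy-secrets null_resource.copy-etcd-secrets`; the pxe-worker rename in the last hunk has the same effect. The updated comment still says the resource copies both etcd TLS assets and a kubeconfig, which the name `copy-etcd-secrets` no longer conveys; `copy-controller-secrets` would match the comment and the commit title. The resource's provisioner blocks lie outside this hunk.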
@@ -66,19 +66,43 @@ resource "null_resource" "copy-secrets" {
 }
 }
 
+# Secure copy kubeconfig to all workers. Activates kubelet.service
+resource "null_resource" "copy-kubeconfig" {
+ count = "${length(var.worker_names)}"
+
+ connection {
+ type = "ssh"
+ host = "${element(var.worker_domains, count.index)}"
+ user = "core"
+ timeout = "60m"
+ }
+
+ provisioner "file" {
+ content = "${module.bootkube.kubeconfig}"
+ destination = "$HOME/kubeconfig"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
+ ]
+ }
+}
+
+
 # Secure copy bootkube assets to ONE controller and start bootkube to perform
 # one-time self-hosted cluster bootstrapping.
 resource "null_resource" "bootkube-start" {
 # Without depends_on, this remote-exec may start before the kubeconfig copy.
 # Terraform only does one task at a time, so it would try to bootstrap
 # while no Kubelets are running.
- depends_on = ["null_resource.copy-secrets"]
+ depends_on = ["null_resource.copy-etcd-secrets", "null_resource.copy-kubeconfig"]
 
 connection {
 type = "ssh"
 host = "${element(var.controller_domains, 0)}"
 user = "core"
- timeout = "60m"
+ timeout = "30m"
 }
 
 provisioner "file" {
diff --git a/bare-metal/container-linux/pxe-worker/ssh.tf b/bare-metal/container-linux/pxe-worker/ssh.tf
index 3d57ac1c..77263b65 100644
--- a/bare-metal/container-linux/pxe-worker/ssh.tf
+++ b/bare-metal/container-linux/pxe-worker/ssh.tf
@@ -1,5 +1,5 @@
 # Secure copy kubeconfig to all nodes to activate kubelet.service
-resource "null_resource" "copy-secrets" {
+resource "null_resource" "copy-kubeconfig" {
 count = "${length(var.worker_names)}"
 
 connection {
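Review bot: In the new `copy-kubeconfig` resource the kubeconfig is moved into place with a bare `sudo mv`, which typically keeps the file owned by `core` with the mode the file provisioner gave it, so a cluster credential ends up under /etc/kubernetes still readable by the unprivileged login user. Appending `"sudo chown root:root /etc/kubernetes/kubeconfig",` and `"sudo chmod 0600 /etc/kubernetes/kubeconfig",` to the remote-exec inline list would restrict it, assuming the kubelet reads it as root (not visible in this hunk). The provisioner also writes to `$HOME/kubeconfig` but moves the literal `/home/core/kubeconfig`; the two agree only because `user = "core"`, so a comment such as `# $HOME resolves to /home/core for user "core"` on the destination line would document the coupling. Lowering the bootkube-start timeout from 60m to 30m is not mentioned in the commit message and deserves a one-line rationale next to it.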