Secure copy etcd TLS credentials to controllers only
* Controllers receive etcd TLS credentials * Controllers and workers receive a kubeconfig
This commit is contained in:
parent
5c1ed37ff5
commit
9ec8ec4afc
|
@ -1,10 +1,10 @@
|
||||||
# Secure copy etcd TLS assets and kubeconfig to all nodes. Activates kubelet.service
|
# Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
|
||||||
resource "null_resource" "copy-secrets" {
|
resource "null_resource" "copy-etcd-secrets" {
|
||||||
count = "${length(var.controller_names) + length(var.worker_names)}"
|
count = "${length(var.controller_names)}"
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
type = "ssh"
|
type = "ssh"
|
||||||
host = "${element(concat(var.controller_domains, var.worker_domains), count.index)}"
|
host = "${element(var.controller_domains, count.index)}"
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "60m"
|
timeout = "60m"
|
||||||
}
|
}
|
||||||
|
@ -66,19 +66,43 @@ resource "null_resource" "copy-secrets" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Secure copy kubeconfig to all workers. Activates kubelet.service
|
||||||
|
resource "null_resource" "copy-kubeconfig" {
|
||||||
|
count = "${length(var.worker_names)}"
|
||||||
|
|
||||||
|
connection {
|
||||||
|
type = "ssh"
|
||||||
|
host = "${element(var.worker_domains, count.index)}"
|
||||||
|
user = "core"
|
||||||
|
timeout = "60m"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "file" {
|
||||||
|
content = "${module.bootkube.kubeconfig}"
|
||||||
|
destination = "$HOME/kubeconfig"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "remote-exec" {
|
||||||
|
inline = [
|
||||||
|
"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
||||||
# one-time self-hosted cluster bootstrapping.
|
# one-time self-hosted cluster bootstrapping.
|
||||||
resource "null_resource" "bootkube-start" {
|
resource "null_resource" "bootkube-start" {
|
||||||
# Without depends_on, this remote-exec may start before the kubeconfig copy.
|
# Without depends_on, this remote-exec may start before the kubeconfig copy.
|
||||||
# Terraform only does one task at a time, so it would try to bootstrap
|
# Terraform only does one task at a time, so it would try to bootstrap
|
||||||
# while no Kubelets are running.
|
# while no Kubelets are running.
|
||||||
depends_on = ["null_resource.copy-secrets"]
|
depends_on = ["null_resource.copy-etcd-secrets", "null_resource.copy-kubeconfig"]
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
type = "ssh"
|
type = "ssh"
|
||||||
host = "${element(var.controller_domains, 0)}"
|
host = "${element(var.controller_domains, 0)}"
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "60m"
|
timeout = "30m"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "file" {
|
provisioner "file" {
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# Secure copy kubeconfig to all nodes to activate kubelet.service
|
# Secure copy kubeconfig to all nodes to activate kubelet.service
|
||||||
resource "null_resource" "copy-secrets" {
|
resource "null_resource" "copy-kubeconfig" {
|
||||||
count = "${length(var.worker_names)}"
|
count = "${length(var.worker_names)}"
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
|
|
Loading…
Reference in New Issue