Enable the certificates.k8s.io API to issue cluster certificates

* System components that require certificates signed by the cluster
CA can submit a CSR to the apiserver, have an administrator inspect
and approve it, and be issued a certificate
* Configure kube-controller-manager to sign Approved CSR's using the
cluster CA private key
* Admins are responsible for approving or denying CSRs, otherwise,
no certificate is issued. Read the Kubernetes docs carefully and
verify the entity making the request and the authorization level
* https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster

CHANGES.md

@@ -7,6 +7,8 @@ Notable changes between versions.
 * Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370))
 * Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372))
   * Bind the `system:nodes` group to the `system:node` ClusterRole
+* Allow the `certificates.k8s.io` API to issue certificates signed by the cluster CA ([#376](https://github.com/poseidon/typhoon/pull/376))
+  * Configure controller manager to sign CSRs that are manually [approved](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster) by an administrator
 * Update CoreDNS from v1.2.6 to [v1.3.0](https://coredns.io/2018/12/15/coredns-1.3.0-release/)
 
 #### AWS

aws/container-linux/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

aws/fedora-atomic/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

azure/container-linux/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

bare-metal/container-linux/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name                    = "${var.cluster_name}"
   api_servers                     = ["${var.k8s_domain_name}"]

bare-metal/fedora-atomic/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${var.k8s_domain_name}"]

digital-ocean/container-linux/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

digital-ocean/fedora-atomic/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

google-cloud/container-linux/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

google-cloud/fedora-atomic/kubernetes/bootkube.tf

@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=847ec5929b4b4b3d8b922dbbee4a3ecefd71f597"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e65e3567e586b7344e332e089fea71657d7a5bb"
 
   cluster_name          = "${var.cluster_name}"
   api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]