mirror of
https://github.com/puppetmaster/typhoon.git
synced 2024-12-24 04:19:33 +01:00
Ensure etcd secrets are only distributed to controller hosts
* Previously, etcd secrets were erroneously distributed to worker nodes (permissions 500, ownership etc:etcd).
This commit is contained in:
parent
fdb543e834
commit
cfd603bea2
@ -8,6 +8,7 @@ Notable changes between versions.
|
||||
|
||||
#### Digital Ocean
|
||||
|
||||
* Ensure etcd secrets are only distributed to controller hosts, not workers.
|
||||
* Remove optional variable `networking`. Only flannel works on Digital Ocean.
|
||||
|
||||
#### Google Cloud
|
||||
|
@ -1,10 +1,10 @@
|
||||
# Secure copy kubeconfig to all nodes. Activates kubelet.service
|
||||
resource "null_resource" "copy-secrets" {
|
||||
count = "${var.controller_count + var.worker_count}"
|
||||
# Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
|
||||
resource "null_resource" "copy-controller-secrets" {
|
||||
count = "${var.controller_count}"
|
||||
|
||||
connection {
|
||||
type = "ssh"
|
||||
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}"
|
||||
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address), count.index)}"
|
||||
user = "core"
|
||||
timeout = "15m"
|
||||
}
|
||||
@ -61,7 +61,30 @@ resource "null_resource" "copy-secrets" {
|
||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
||||
"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
|
||||
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
# Secure copy kubeconfig to all workers. Activates kubelet.service.
|
||||
resource "null_resource" "copy-worker-secrets" {
|
||||
count = "${var.worker_count}"
|
||||
|
||||
connection {
|
||||
type = "ssh"
|
||||
host = "${element(concat(digitalocean_droplet.workers.*.ipv4_address), count.index)}"
|
||||
user = "core"
|
||||
timeout = "15m"
|
||||
}
|
||||
|
||||
provisioner "file" {
|
||||
content = "${module.bootkube.kubeconfig}"
|
||||
destination = "$HOME/kubeconfig"
|
||||
}
|
||||
|
||||
provisioner "remote-exec" {
|
||||
inline = [
|
||||
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||
]
|
||||
}
|
||||
}
|
||||
@ -69,7 +92,11 @@ resource "null_resource" "copy-secrets" {
|
||||
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
||||
# one-time self-hosted cluster bootstrapping.
|
||||
resource "null_resource" "bootkube-start" {
|
||||
depends_on = ["module.bootkube", "null_resource.copy-secrets"]
|
||||
depends_on = [
|
||||
"module.bootkube",
|
||||
"null_resource.copy-controller-secrets",
|
||||
"null_resource.copy-worker-secrets",
|
||||
]
|
||||
|
||||
connection {
|
||||
type = "ssh"
|
||||
@ -85,7 +112,7 @@ resource "null_resource" "bootkube-start" {
|
||||
|
||||
provisioner "remote-exec" {
|
||||
inline = [
|
||||
"sudo mv /home/core/assets /opt/bootkube",
|
||||
"sudo mv $HOME/assets /opt/bootkube",
|
||||
"sudo systemctl start bootkube",
|
||||
]
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user