From cfd603bea274ee815e0af7f3457774b390e32e34 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Sun, 25 Mar 2018 22:32:09 -0700 Subject: [PATCH] Ensure etcd secrets are only distributed to controller hosts * Previously, etcd secrets were erroneously distributed to worker nodes (permissions 500, ownership etc:etcd). --- CHANGES.md | 1 + .../container-linux/kubernetes/ssh.tf | 41 +++++++++++++++---- 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 43b7113a..cb602617 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -8,6 +8,7 @@ Notable changes between versions. #### Digital Ocean +* Ensure etcd secrets are only distributed to controller hosts, not workers. * Remove optional variable `networking`. Only flannel works on Digital Ocean. #### Google Cloud diff --git a/digital-ocean/container-linux/kubernetes/ssh.tf b/digital-ocean/container-linux/kubernetes/ssh.tf index d232fd50..4bb81e2e 100644 --- a/digital-ocean/container-linux/kubernetes/ssh.tf +++ b/digital-ocean/container-linux/kubernetes/ssh.tf @@ -1,10 +1,10 @@ -# Secure copy kubeconfig to all nodes. Activates kubelet.service -resource "null_resource" "copy-secrets" { - count = "${var.controller_count + var.worker_count}" +# Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service +resource "null_resource" "copy-controller-secrets" { + count = "${var.controller_count}" connection { type = "ssh" - host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}" + host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address), count.index)}" user = "core" timeout = "15m" } @@ -61,7 +61,30 @@ resource "null_resource" "copy-secrets" { "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", "sudo chown -R etcd:etcd /etc/ssl/etcd", "sudo chmod -R 500 /etc/ssl/etcd", - "sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig", + "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", + ] + } +} + +# Secure copy kubeconfig to all workers. Activates kubelet.service. +resource "null_resource" "copy-worker-secrets" { + count = "${var.worker_count}" + + connection { + type = "ssh" + host = "${element(concat(digitalocean_droplet.workers.*.ipv4_address), count.index)}" + user = "core" + timeout = "15m" + } + + provisioner "file" { + content = "${module.bootkube.kubeconfig}" + destination = "$HOME/kubeconfig" + } + + provisioner "remote-exec" { + inline = [ + "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", ] } } @@ -69,7 +92,11 @@ resource "null_resource" "copy-secrets" { # Secure copy bootkube assets to ONE controller and start bootkube to perform # one-time self-hosted cluster bootstrapping. resource "null_resource" "bootkube-start" { - depends_on = ["module.bootkube", "null_resource.copy-secrets"] + depends_on = [ + "module.bootkube", + "null_resource.copy-controller-secrets", + "null_resource.copy-worker-secrets", + ] connection { type = "ssh" @@ -85,7 +112,7 @@ resource "null_resource" "bootkube-start" { provisioner "remote-exec" { inline = [ - "sudo mv /home/core/assets /opt/bootkube", + "sudo mv $HOME/assets /opt/bootkube", "sudo systemctl start bootkube", ] }