Ensure etcd secrets are only distributed to controller hosts
* Previously, etcd secrets were erroneously distributed to worker nodes (permissions 500, ownership etc:etcd).
This commit is contained in:
parent
fdb543e834
commit
cfd603bea2
|
@ -8,6 +8,7 @@ Notable changes between versions.
|
||||||
|
|
||||||
#### Digital Ocean
|
#### Digital Ocean
|
||||||
|
|
||||||
|
* Ensure etcd secrets are only distributed to controller hosts, not workers.
|
||||||
* Remove optional variable `networking`. Only flannel works on Digital Ocean.
|
* Remove optional variable `networking`. Only flannel works on Digital Ocean.
|
||||||
|
|
||||||
#### Google Cloud
|
#### Google Cloud
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
# Secure copy kubeconfig to all nodes. Activates kubelet.service
|
# Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
|
||||||
resource "null_resource" "copy-secrets" {
|
resource "null_resource" "copy-controller-secrets" {
|
||||||
count = "${var.controller_count + var.worker_count}"
|
count = "${var.controller_count}"
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
type = "ssh"
|
type = "ssh"
|
||||||
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}"
|
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address), count.index)}"
|
||||||
user = "core"
|
user = "core"
|
||||||
timeout = "15m"
|
timeout = "15m"
|
||||||
}
|
}
|
||||||
|
@ -61,7 +61,30 @@ resource "null_resource" "copy-secrets" {
|
||||||
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
|
||||||
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
"sudo chown -R etcd:etcd /etc/ssl/etcd",
|
||||||
"sudo chmod -R 500 /etc/ssl/etcd",
|
"sudo chmod -R 500 /etc/ssl/etcd",
|
||||||
"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig",
|
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Secure copy kubeconfig to all workers. Activates kubelet.service.
|
||||||
|
resource "null_resource" "copy-worker-secrets" {
|
||||||
|
count = "${var.worker_count}"
|
||||||
|
|
||||||
|
connection {
|
||||||
|
type = "ssh"
|
||||||
|
host = "${element(concat(digitalocean_droplet.workers.*.ipv4_address), count.index)}"
|
||||||
|
user = "core"
|
||||||
|
timeout = "15m"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "file" {
|
||||||
|
content = "${module.bootkube.kubeconfig}"
|
||||||
|
destination = "$HOME/kubeconfig"
|
||||||
|
}
|
||||||
|
|
||||||
|
provisioner "remote-exec" {
|
||||||
|
inline = [
|
||||||
|
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -69,7 +92,11 @@ resource "null_resource" "copy-secrets" {
|
||||||
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
# Secure copy bootkube assets to ONE controller and start bootkube to perform
|
||||||
# one-time self-hosted cluster bootstrapping.
|
# one-time self-hosted cluster bootstrapping.
|
||||||
resource "null_resource" "bootkube-start" {
|
resource "null_resource" "bootkube-start" {
|
||||||
depends_on = ["module.bootkube", "null_resource.copy-secrets"]
|
depends_on = [
|
||||||
|
"module.bootkube",
|
||||||
|
"null_resource.copy-controller-secrets",
|
||||||
|
"null_resource.copy-worker-secrets",
|
||||||
|
]
|
||||||
|
|
||||||
connection {
|
connection {
|
||||||
type = "ssh"
|
type = "ssh"
|
||||||
|
@ -85,7 +112,7 @@ resource "null_resource" "bootkube-start" {
|
||||||
|
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo mv /home/core/assets /opt/bootkube",
|
"sudo mv $HOME/assets /opt/bootkube",
|
||||||
"sudo systemctl start bootkube",
|
"sudo systemctl start bootkube",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue