Ensure etcd secrets are only distributed to controller hosts

* Previously, etcd secrets were erroneously distributed to worker
nodes (permissions 500, ownership etc:etcd).
This commit is contained in:
Dalton Hubble 2018-03-25 22:32:09 -07:00
parent fdb543e834
commit cfd603bea2
2 changed files with 35 additions and 7 deletions

View File

@ -8,6 +8,7 @@ Notable changes between versions.
#### Digital Ocean #### Digital Ocean
* Ensure etcd secrets are only distributed to controller hosts, not workers.
* Remove optional variable `networking`. Only flannel works on Digital Ocean. * Remove optional variable `networking`. Only flannel works on Digital Ocean.
#### Google Cloud #### Google Cloud

View File

@ -1,10 +1,10 @@
# Secure copy kubeconfig to all nodes. Activates kubelet.service # Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
resource "null_resource" "copy-secrets" { resource "null_resource" "copy-controller-secrets" {
count = "${var.controller_count + var.worker_count}" count = "${var.controller_count}"
connection { connection {
type = "ssh" type = "ssh"
host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address, digitalocean_droplet.workers.*.ipv4_address), count.index)}" host = "${element(concat(digitalocean_droplet.controllers.*.ipv4_address), count.index)}"
user = "core" user = "core"
timeout = "15m" timeout = "15m"
} }
@ -61,7 +61,30 @@ resource "null_resource" "copy-secrets" {
"sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
"sudo chown -R etcd:etcd /etc/ssl/etcd", "sudo chown -R etcd:etcd /etc/ssl/etcd",
"sudo chmod -R 500 /etc/ssl/etcd", "sudo chmod -R 500 /etc/ssl/etcd",
"sudo mv /home/core/kubeconfig /etc/kubernetes/kubeconfig", "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
]
}
}
# Secure copy kubeconfig to all workers. Activates kubelet.service.
resource "null_resource" "copy-worker-secrets" {
count = "${var.worker_count}"
connection {
type = "ssh"
host = "${element(concat(digitalocean_droplet.workers.*.ipv4_address), count.index)}"
user = "core"
timeout = "15m"
}
provisioner "file" {
content = "${module.bootkube.kubeconfig}"
destination = "$HOME/kubeconfig"
}
provisioner "remote-exec" {
inline = [
"sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
] ]
} }
} }
@ -69,7 +92,11 @@ resource "null_resource" "copy-secrets" {
# Secure copy bootkube assets to ONE controller and start bootkube to perform # Secure copy bootkube assets to ONE controller and start bootkube to perform
# one-time self-hosted cluster bootstrapping. # one-time self-hosted cluster bootstrapping.
resource "null_resource" "bootkube-start" { resource "null_resource" "bootkube-start" {
depends_on = ["module.bootkube", "null_resource.copy-secrets"] depends_on = [
"module.bootkube",
"null_resource.copy-controller-secrets",
"null_resource.copy-worker-secrets",
]
connection { connection {
type = "ssh" type = "ssh"
@ -85,7 +112,7 @@ resource "null_resource" "bootkube-start" {
provisioner "remote-exec" { provisioner "remote-exec" {
inline = [ inline = [
"sudo mv /home/core/assets /opt/bootkube", "sudo mv $HOME/assets /opt/bootkube",
"sudo systemctl start bootkube", "sudo systemctl start bootkube",
] ]
} }