update bootkube module for bootstrap token

coreos · Jan 24, 2018 · 7582e62 · 7582e62
1 parent 965c01b
commit 7582e62
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 19 deletions.
diff --git a/modules/bootkube/assets.tf b/modules/bootkube/assets.tf
@@ -1,3 +1,16 @@
+# Kubelet tls bootstraping id and secret
+resource "random_string" "kubelet_bootstrap_token_id" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+resource "random_string" "kubelet_bootstrap_token_secret" {
+  length  = 16
+  special = false
+  upper   = false
+}
+
 # Self-hosted manifests (resources/generated/manifests/)
 resource "template_dir" "bootkube" {
   source_dir      = "${path.module}/resources/manifests"
@@ -13,13 +26,16 @@ resource "template_dir" "bootkube" {
     cluster_cidr          = "${var.cluster_cidr}"
     tectonic_networking   = "${var.tectonic_networking}"
 
-    kube_ca_cert       = "${base64encode(var.kube_ca_cert_pem)}"
-    apiserver_key      = "${base64encode(var.apiserver_key_pem)}"
-    apiserver_cert     = "${base64encode(var.apiserver_cert_pem)}"
-    oidc_ca_cert       = "${base64encode(var.oidc_ca_cert)}"
-    pull_secret        = "${base64encode(file(var.pull_secret_path))}"
-    serviceaccount_pub = "${base64encode(tls_private_key.service_account.public_key_pem)}"
-    serviceaccount_key = "${base64encode(tls_private_key.service_account.private_key_pem)}"
+    kube_ca_cert                   = "${base64encode(var.kube_ca_cert_pem)}"
+    kube_ca_key                    = "${base64encode(var.kube_ca_key_pem)}"
+    kubelet_bootstrap_token_id     = "${random_string.kubelet_bootstrap_token_id.result}"
+    kubelet_bootstrap_token_secret = "${random_string.kubelet_bootstrap_token_secret.result}"
+    apiserver_key                  = "${base64encode(var.apiserver_key_pem)}"
+    apiserver_cert                 = "${base64encode(var.apiserver_cert_pem)}"
+    oidc_ca_cert                   = "${base64encode(var.oidc_ca_cert)}"
+    pull_secret                    = "${base64encode(file(var.pull_secret_path))}"
+    serviceaccount_pub             = "${base64encode(tls_private_key.service_account.public_key_pem)}"
+    serviceaccount_key             = "${base64encode(tls_private_key.service_account.private_key_pem)}"
 
     etcd_ca_cert     = "${base64encode(var.etcd_ca_cert_pem)}"
     etcd_client_cert = "${base64encode(var.etcd_client_cert_pem)}"
@@ -33,8 +49,8 @@ data "template_file" "kubeconfig" {
 
   vars {
     kube_ca_cert = "${base64encode(var.kube_ca_cert_pem)}"
-    kubelet_cert = "${base64encode(var.kubelet_cert_pem)}"
-    kubelet_key  = "${base64encode(var.kubelet_key_pem)}"
+    admin_cert   = "${base64encode(var.admin_cert_pem)}"
+    admin_key    = "${base64encode(var.admin_key_pem)}"
     server       = "${var.kube_apiserver_url}"
     cluster_name = "${var.cluster_name}"
   }
@@ -45,11 +61,31 @@ resource "local_file" "kubeconfig" {
   filename = "./generated/auth/kubeconfig"
 }
 
+# kubeconfig-kubelet (resources/generated/auth/kubeconfig-kubelet)
+data "template_file" "kubeconfig-kubelet" {
+  template = "${file("${path.module}/resources/kubeconfig-kubelet")}"
+
+  vars {
+    kube_ca_cert                   = "${base64encode(var.kube_ca_cert_pem)}"
+    kubelet_bootstrap_token_id     = "${random_string.kubelet_bootstrap_token_id.result}"
+    kubelet_bootstrap_token_secret = "${random_string.kubelet_bootstrap_token_secret.result}"
+    server                         = "${var.kube_apiserver_url}"
+    cluster_name                   = "${var.cluster_name}"
+  }
+}
+
+resource "local_file" "kubeconfig-kubelet" {
+  content  = "${data.template_file.kubeconfig-kubelet.rendered}"
+  filename = "./generated/auth/kubeconfig-kubelet"
+}
+
 # kvo-config.yaml (resources/generated/kco-config.yaml)
 data "template_file" "kco-config_yaml" {
   template = "${file("${path.module}/resources/kco-config.yaml")}"
 
   vars {
+    kube_apiserver_url = "${var.kube_apiserver_url}"
+
     cloud_config_path      = "${var.cloud_config_path}"
     cloud_provider_profile = "${var.cloud_provider != "" ? "${var.cloud_provider}" : "metal"}"
 
@@ -64,8 +100,6 @@ data "template_file" "kco-config_yaml" {
     oidc_groups_claim   = "${var.oidc_groups_claim}"
     oidc_issuer_url     = "${var.oidc_issuer_url}"
     oidc_username_claim = "${var.oidc_username_claim}"
-
-    master_count = "${var.master_count}"
   }
 }
 

diff --git a/modules/bootkube/outputs.tf b/modules/bootkube/outputs.tf
@@ -18,6 +18,7 @@
 output "id" {
   value = "${sha1("
   ${local_file.kubeconfig.id}
+  ${local_file.kubeconfig-kubelet.id}
   ${local_file.bootkube_sh.id}
   ${local_file.kco-config_yaml.id}
   ${template_dir.bootkube.id}
@@ -28,6 +29,10 @@ output "kubeconfig" {
   value = "${data.template_file.kubeconfig.rendered}"
 }
 
+output "kubeconfig-kubelet" {
+  value = "${data.template_file.kubeconfig-kubelet.rendered}"
+}
+
 output "systemd_service_rendered" {
   value = "${data.template_file.bootkube_service.rendered}"
 }

diff --git a/modules/bootkube/resources/kco-config.yaml b/modules/bootkube/resources/kco-config.yaml
@@ -1,5 +1,7 @@
 apiVersion: v1
 kind: KubeCoreOperatorConfig
+clusterConfig:
+  apiserver_url: ${kube_apiserver_url}
 authConfig:
   oidc_client_id: ${oidc_client_id}
   oidc_issuer_url: ${oidc_issuer_url}
@@ -13,5 +15,3 @@ networkConfig:
   cluster_cidr: ${cluster_cidr}
   etcd_servers: ${etcd_servers}
   service_cidr: ${service_cidr}
-initialConfig:
-  initial_master_count: ${master_count}
diff --git a/modules/bootkube/resources/kubeconfig b/modules/bootkube/resources/kubeconfig
@@ -6,11 +6,11 @@ clusters:
     server: ${server}
     certificate-authority-data: ${kube_ca_cert}
 users:
-- name: kubelet
+- name: admin
   user:
-    client-certificate-data: ${kubelet_cert}
-    client-key-data: ${kubelet_key}
+    client-certificate-data: ${admin_cert}
+    client-key-data: ${admin_key}
 contexts:
 - context:
     cluster: ${cluster_name}
-    user: kubelet
+    user: admin
diff --git a/modules/bootkube/resources/kubeconfig-kubelet b/modules/bootkube/resources/kubeconfig-kubelet
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: ${cluster_name}
+  cluster:
+    server: ${server}
+    certificate-authority-data: ${kube_ca_cert}
+users:
+- name: kubelet
+  user:
+    token: ${kubelet_bootstrap_token_id}.${kubelet_bootstrap_token_secret}
+contexts:
+- context:
+    cluster: ${cluster_name}
+    user: kubelet
diff --git a/modules/bootkube/resources/manifests/kube-controller-manager-secret.yaml b/modules/bootkube/resources/manifests/kube-controller-manager-secret.yaml
@@ -7,3 +7,4 @@ type: Opaque
 data:
   service-account.key: ${serviceaccount_key}
   ca.crt: ${kube_ca_cert}
+  ca.key: ${kube_ca_key}
diff --git a/modules/bootkube/resources/manifests/kubelet-bootstrap-token.yaml b/modules/bootkube/resources/manifests/kubelet-bootstrap-token.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bootstrap-token-${kubelet_bootstrap_token_id}
+  namespace: kube-system
+type: bootstrap.kubernetes.io/token
+stringData:
+  token-id: ${kubelet_bootstrap_token_id}
+  token-secret: ${kubelet_bootstrap_token_secret}
+  usage-bootstrap-authentication: "true"
diff --git a/modules/bootkube/variables.tf b/modules/bootkube/variables.tf
@@ -88,12 +88,17 @@ variable "kube_ca_cert_pem" {
   description = "The Kubernetes CA in PEM format."
 }
 
-variable "kubelet_cert_pem" {
+variable "kube_ca_key_pem" {
+  type        = "string"
+  description = "The Kubernetes CA key in PEM format."
+}
+
+variable "admin_cert_pem" {
   type        = "string"
   description = "The kubelet certificate in PEM format."
 }
 
-variable "kubelet_key_pem" {
+variable "admin_key_pem" {
   type        = "string"
   description = "The kubelet key in PEM format."
 }