diff --git a/config.tf b/config.tf
index 1da53be525..e7b2e550d6 100644
--- a/config.tf
+++ b/config.tf
@@ -70,11 +70,11 @@ variable "tectonic_container_images" {
 addon_resizer = "gcr.io/google_containers/addon-resizer:2.1"
 awscli = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
 gcloudsdk = "google/cloud-sdk:178.0.0-alpine"
- bootkube = "quay.io/coreos/bootkube:v0.8.1"
- etcd = "quay.io/coreos/etcd:v3.2.14"
+ bootkube = "quay.io/coreos/bootkube:v0.10.0"
+ etcd = "quay.io/coreos/etcd:v3.1.8"
 etcd_operator = "quay.io/coreos/etcd-operator:v0.5.0"
 hyperkube = "quay.io/coreos/hyperkube:v1.9.1_coreos.0"
- kube_core_renderer = "quay.io/coreos/kube-core-renderer-dev:79403c0864d4a98773d92d01998124c096faf59f"
+ kube_core_renderer = "quay.io/coreos/kube-core-renderer-dev:f16aec79cfe0b667ac90b0bf1697be5fbc7e3366"
 kube_version_operator = "quay.io/coreos/kube-version-operator:v1.8.4-kvo.5"
 tectonic_channel_operator = "quay.io/coreos/tectonic-channel-operator:0.6.2"
 tectonic_etcd_operator = "quay.io/coreos/tectonic-etcd-operator:v0.0.2"
diff --git a/modules/ignition/resources/services/kubelet.service b/modules/ignition/resources/services/kubelet.service
index 762e04ac38..0950a4d3ce 100644
--- a/modules/ignition/resources/services/kubelet.service
+++ b/modules/ignition/resources/services/kubelet.service
@@ -8,6 +8,8 @@ Environment="RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \
 --mount volume=resolv,target=/etc/resolv.conf \
 --volume var-lib-cni,kind=host,source=/var/lib/cni \
 --mount volume=var-lib-cni,target=/var/lib/cni \
+ --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet \
+ --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
 --volume var-log,kind=host,source=/var/log \
 --mount volume=var-log,target=/var/log"
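Review bot: The `etcd` image on the second changed line goes backwards, from v3.2.14 to v3.1.8, while every other image in this hunk moves forward; if that is deliberate it needs a comment, because etcd does not support downgrading a member's data directory across a minor version and a 3.1 member will refuse to join a cluster whose cluster version is already 3.2. If it is a rebase artifact the fix is `etcd = "quay.io/coreos/etcd:v3.2.14"`; otherwise add `# pinned to 3.1.x: <reason>` beside it so the next bump does not "fix" it by accident.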
@@ -16,30 +18,33 @@ ExecStartPre=/bin/mkdir -p /srv/kubernetes/manifests
 ExecStartPre=/bin/mkdir -p /etc/kubernetes/checkpoint-secrets
 ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
 ExecStartPre=/bin/mkdir -p /var/lib/cni
+ExecStartPre=/bin/mkdir -p /var/lib/kubelet/pki
 ${kubeconfig_fetch_cmd}
 ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
 ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
- --kubeconfig=/etc/kubernetes/kubeconfig \
- --require-kubeconfig \
- --cni-conf-dir=/etc/kubernetes/cni/net.d \
- --cni-bin-dir=/var/lib/cni/bin \
- --network-plugin=cni \
- --lock-file=/var/run/lock/kubelet.lock \
- --exit-on-lock-contention \
- --pod-manifest-path=/etc/kubernetes/manifests \
 --allow-privileged \
- --node-labels=${node_label} \
- ${node_taints_param} \
- --minimum-container-ttl-duration=6m0s \
- --cluster-dns=${cluster_dns_ip} \
- --cluster-domain=cluster.local \
+ --anonymous-auth=false \
+ --cert-dir=/var/lib/kubelet/pki \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cloud-provider=${cloud_provider} \
+ --cluster-dns=${cluster_dns_ip} \
+ --cluster-domain=cluster.local \
+ --cni-bin-dir=/var/lib/cni/bin \
+ --cni-conf-dir=/etc/kubernetes/cni/net.d \
+ --exit-on-lock-contention \
+ --kubeconfig=/etc/kubernetes/kubeconfig \
+ --lock-file=/var/run/lock/kubelet.lock \
+ --minimum-container-ttl-duration=6m0s \
+ --network-plugin=cni \
+ --node-labels=${node_label} \
+ --pod-manifest-path=/etc/kubernetes/manifests \
+ --require-kubeconfig \
+ --rotate-certificates \
 ${cloud_provider_config} \
 ${debug_config} \
- --anonymous-auth=false
+ ${node_taints_param}
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
diff --git a/platforms/aws/s3.tf b/platforms/aws/s3.tf
index 9fa6d7c154..59d213c8ef 100644
--- a/platforms/aws/s3.tf
+++ b/platforms/aws/s3.tf
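Review bot: `--rotate-certificates` together with `--cert-dir=/var/lib/kubelet/pki` moves the kubelet's long-lived client key onto the host, but the new `ExecStartPre=/bin/mkdir -p /var/lib/kubelet/pki` creates that directory under the default umask; tightening it costs one flag, `ExecStartPre=/bin/mkdir -p -m 0700 /var/lib/kubelet/pki` (the kubelet writes the PEM files themselves 0600 as far as I recall, so this is defence in depth rather than a hole). Rotation also only works if the control plane runs a CSR signer plus an approver for node client certificates; the CA key handed to bootkube elsewhere in this commit suggests that is the plan, but nothing in this unit shows it, and when it is missing the kubelet silently keeps the kubeconfig credential until it expires and then drops off the cluster. A one-line comment above `ExecStart` stating that dependency, e.g. `# --rotate-certificates relies on the controller-manager CSR signer and a system:nodes approver; rotated key/cert live in --cert-dir`, would save the next reader a debugging session. The rest of the unit lies outside the hunk.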
@@ -48,7 +48,7 @@ resource "aws_s3_bucket_object" "tectonic_assets" {
 resource "aws_s3_bucket_object" "kubeconfig" {
 bucket = "${aws_s3_bucket.tectonic.bucket}"
 key = "kubeconfig"
- content = "${module.bootkube.kubeconfig}"
+ content = "${module.bootkube.kubeconfig-kubelet}"
 acl = "private"
 # The current Tectonic installer stores bits of the kubeconfig in KMS. As we
diff --git a/platforms/aws/tectonic.tf b/platforms/aws/tectonic.tf
index cd661af1c6..1953dd107a 100644
--- a/platforms/aws/tectonic.tf
+++ b/platforms/aws/tectonic.tf
@@ -38,8 +38,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${module.dns.etcd_endpoints}"
 master_count = "${var.tectonic_master_count}"
diff --git a/platforms/azure/main.tf b/platforms/azure/main.tf
index 3df61cc1ec..26420c2288 100644
--- a/platforms/azure/main.tf
+++ b/platforms/azure/main.tf
@@ -162,7 +162,7 @@ module "masters" {
 ign_tectonic_service_id = "${module.tectonic.systemd_service_id}"
 ign_tx_off_service_id = "${module.ignition_masters.tx_off_service_id}"
 ign_update_ca_certificates_dropin_id = "${module.ignition_masters.update_ca_certificates_dropin_id}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 location = "${var.tectonic_azure_location}"
 master_count = "${var.tectonic_master_count}"
 network_interface_ids = "${module.vnet.master_network_interface_ids}"
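Review bot: What `module.bootkube.kubeconfig-kubelet` contains matters more now that the same S3 object is fetched by every node and `--rotate-certificates` is switched on in the same commit: if it embeds one static client certificate, all masters and workers share a single identity and every rotation CSR asks for the same subject, so the Node authorizer cannot tell nodes apart; if it carries a bootstrap credential, each node obtains its own `system:node:<name>` certificate. I cannot see the bootkube output from here, so confirm which it is and record it on the resource, e.g. `# kubeconfig-kubelet: bootstrap credential only; per-node certs are issued via CSR and kept under /var/lib/kubelet/pki`. The identical change in govcloud/s3.tf below raises the same question.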
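Review bot: `kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"` passes the cluster CA private key into the bootkube module, a far more sensitive input than the kubelet leaf cert it replaces: any `template_file` or bucket object that renders it puts the key into Terraform state in plaintext, and if bootkube folds it into the asset bundle uploaded as `tectonic_assets` it is in S3 as well. I cannot see the module's use of the key from here; confirm it is consumed only for the controller-manager signing secret and say so on this line, e.g. `# CA key: controller-manager --cluster-signing-key-file for kubelet cert rotation; lands in tfstate and the asset bundle`. The same input is added for azure, gcp, govcloud, metal, openstack and vmware below, so one description on the bootkube module's variable would serve all of them.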
@@ -219,7 +219,7 @@ module "workers" {
 ign_systemd_default_env_id = "${local.tectonic_http_proxy_enabled ? module.ignition_workers.systemd_default_env_id : ""}"
 ign_tx_off_service_id = "${module.ignition_workers.tx_off_service_id}"
 ign_update_ca_certificates_dropin_id = "${module.ignition_workers.update_ca_certificates_dropin_id}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 location = "${var.tectonic_azure_location}"
 network_interface_ids = "${module.vnet.worker_network_interface_ids}"
 public_ssh_key = "${var.tectonic_azure_ssh_key}"
diff --git a/platforms/azure/tectonic.tf b/platforms/azure/tectonic.tf
index a863e218b3..e92ec66d0f 100644
--- a/platforms/azure/tectonic.tf
+++ b/platforms/azure/tectonic.tf
@@ -42,8 +42,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${data.template_file.etcd_hostname_list.*.rendered}"
diff --git a/platforms/gcp/main.tf b/platforms/gcp/main.tf
index 3da4ee7430..12731aa7f4 100644
--- a/platforms/gcp/main.tf
+++ b/platforms/gcp/main.tf
@@ -71,12 +71,11 @@ module "masters" {
 disk_size = "${var.tectonic_gcp_master_disk_size}"
 disk_type = "${var.tectonic_gcp_master_disktype}"
- region = "${var.tectonic_gcp_region}"
- instance_count = "${var.tectonic_master_count}"
- machine_type = "${var.tectonic_gcp_master_gce_type}"
- cluster_name = "${var.tectonic_cluster_name}"
- public_ssh_key = "${var.tectonic_gcp_ssh_key}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ region = "${var.tectonic_gcp_region}"
+ instance_count = "${var.tectonic_master_count}"
+ machine_type = "${var.tectonic_gcp_master_gce_type}"
+ cluster_name = "${var.tectonic_cluster_name}"
+ public_ssh_key = "${var.tectonic_gcp_ssh_key}"
 master_subnetwork_name = "${module.network.master_subnetwork_name}"
 master_targetpool_self_link = "${module.network.master_targetpool_self_link}"
@@ -104,7 +103,7 @@ module "masters" {
 ign_tectonic_service_id = "${module.tectonic.systemd_service_id}"
 image_re = "${var.tectonic_image_re}"
 instance_count = "${var.tectonic_master_count}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 machine_type = "${var.tectonic_gcp_master_gce_type}"
 master_subnetwork_name = "${module.network.master_subnetwork_name}"
 master_targetpool_self_link = "${module.network.master_targetpool_self_link}"
@@ -133,7 +132,7 @@ module "workers" {
 ign_profile_env_id = "${local.tectonic_http_proxy_enabled ? module.ignition_workers.profile_env_id : ""}"
 ign_systemd_default_env_id = "${local.tectonic_http_proxy_enabled ? module.ignition_workers.systemd_default_env_id : ""}"
 instance_count = "${var.tectonic_worker_count}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 machine_type = "${var.tectonic_gcp_worker_gce_type}"
 public_ssh_key = "${var.tectonic_gcp_ssh_key}"
 region = "${var.tectonic_gcp_region}"
diff --git a/platforms/gcp/tectonic.tf b/platforms/gcp/tectonic.tf
index 2de926b8fc..282f7b1438 100644
--- a/platforms/gcp/tectonic.tf
+++ b/platforms/gcp/tectonic.tf
@@ -50,8 +50,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 cloud_config_path = ""
 etcd_endpoints = "${data.template_file.etcd_hostname_list.*.rendered}"
diff --git a/platforms/govcloud/s3.tf b/platforms/govcloud/s3.tf
index 67c163bb77..f3d8c3c895 100644
--- a/platforms/govcloud/s3.tf
+++ b/platforms/govcloud/s3.tf
@@ -48,7 +48,7 @@ resource "aws_s3_bucket_object" "tectonic_assets" {
 resource "aws_s3_bucket_object" "kubeconfig" {
 bucket = "${aws_s3_bucket.tectonic.bucket}"
 key = "kubeconfig"
- content = "${module.bootkube.kubeconfig}"
+ content = "${module.bootkube.kubeconfig-kubelet}"
 acl = "private"
 # The current Tectonic installer stores bits of the kubeconfig in KMS. As we
diff --git a/platforms/govcloud/tectonic.tf b/platforms/govcloud/tectonic.tf
index 85f9ce6635..8462550f21 100644
--- a/platforms/govcloud/tectonic.tf
+++ b/platforms/govcloud/tectonic.tf
@@ -39,8 +39,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${module.dns.etcd_endpoints}"
 master_count = "${var.tectonic_master_count}"
diff --git a/platforms/metal/remote.tf b/platforms/metal/remote.tf
index b4a075cff4..601101fccd 100644
--- a/platforms/metal/remote.tf
+++ b/platforms/metal/remote.tf
@@ -62,7 +62,7 @@ resource "null_resource" "kubeconfig" {
 }
 provisioner "file" {
- content = "${module.bootkube.kubeconfig}"
+ content = "${module.bootkube.kubeconfig-kubelet}"
 destination = "$HOME/kubeconfig"
 }
diff --git a/platforms/metal/tectonic.tf b/platforms/metal/tectonic.tf
index efce8d8fb7..d988039248 100644
--- a/platforms/metal/tectonic.tf
+++ b/platforms/metal/tectonic.tf
@@ -35,8 +35,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${split(",", length(compact(var.tectonic_etcd_servers)) == 0
diff --git a/platforms/openstack/neutron/main.tf b/platforms/openstack/neutron/main.tf
index c8a381849f..ada98bb288 100644
--- a/platforms/openstack/neutron/main.tf
+++ b/platforms/openstack/neutron/main.tf
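Review bot: The `provisioner "file"` now drops the kubelet credential at `$HOME/kubeconfig` on the remote host with whatever mode the SSH copy and the remote umask produce, typically 0644, and nothing in the hunk restricts it; a `provisioner "remote-exec" { inline = ["chmod 0600 $HOME/kubeconfig"] }` placed directly after the file provisioner closes that. The remaining provisioners of `null_resource.kubeconfig` are outside the hunk, so if such a step already exists this is moot — but a one-line comment on the file provisioner saying where the mode is tightened would make that visible.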
@@ -83,8 +83,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${module.dns.etcd_a_nodes}"
@@ -224,7 +225,7 @@ EOF
 ign_tectonic_service_id = "${module.tectonic.systemd_service_id}"
 ign_update_ca_certificates_dropin_id = "${module.ignition_masters.update_ca_certificates_dropin_id}"
 instance_count = "${var.tectonic_master_count}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 }
 module "ignition_workers" {
@@ -271,7 +272,7 @@ EOF
 ign_systemd_default_env_id = "${local.tectonic_http_proxy_enabled ? module.ignition_workers.systemd_default_env_id : ""}"
 ign_update_ca_certificates_dropin_id = "${module.ignition_workers.update_ca_certificates_dropin_id}"
 instance_count = "${var.tectonic_worker_count}"
- kubeconfig_content = "${module.bootkube.kubeconfig}"
+ kubeconfig_content = "${module.bootkube.kubeconfig-kubelet}"
 }
 module "secrets" {
diff --git a/platforms/vmware/main.tf b/platforms/vmware/main.tf
index 95ad272ce1..50112ed423 100644
--- a/platforms/vmware/main.tf
+++ b/platforms/vmware/main.tf
@@ -92,7 +92,7 @@ module "masters" {
 image_re = "${var.tectonic_image_re}"
 instance_count = "${var.tectonic_master_count}"
 ip_address = "${var.tectonic_vmware_master_ip}"
- kubeconfig = "${module.bootkube.kubeconfig}"
+ kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
 private_key = "${var.tectonic_vmware_ssh_private_key_path}"
 vm_disk_datastores = "${var.tectonic_vmware_master_datastores}"
 vm_disk_template = "${var.tectonic_vmware_vm_template}"
@@ -150,7 +150,7 @@ module "workers" {
 image_re = "${var.tectonic_image_re}"
 instance_count = "${var.tectonic_worker_count}"
 ip_address = "${var.tectonic_vmware_worker_ip}"
- kubeconfig = "${module.bootkube.kubeconfig}"
+ kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
 private_key = "${var.tectonic_vmware_ssh_private_key_path}"
 vm_disk_datastores = "${var.tectonic_vmware_worker_datastores}"
 vm_disk_template = "${var.tectonic_vmware_vm_template}"
diff --git a/platforms/vmware/tectonic.tf b/platforms/vmware/tectonic.tf
index 20ca144c20..81c9204fd3 100644
--- a/platforms/vmware/tectonic.tf
+++ b/platforms/vmware/tectonic.tf
@@ -78,8 +78,9 @@ module "bootkube" {
 etcd_server_cert_pem = "${module.etcd_certs.etcd_server_crt_pem}"
 etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
- kubelet_cert_pem = "${module.kube_certs.kubelet_cert_pem}"
- kubelet_key_pem = "${module.kube_certs.kubelet_key_pem}"
+ kube_ca_key_pem = "${module.kube_certs.ca_key_pem}"
+ admin_cert_pem = "${module.kube_certs.admin_cert_pem}"
+ admin_key_pem = "${module.kube_certs.admin_key_pem}"
 etcd_endpoints = "${formatlist("%s.%s", values(var.tectonic_vmware_etcd_hostnames), var.tectonic_base_domain)}"