Adds support for tectonic_etcd_scheme

Documentation/variables/config.md

@@ -30,6 +30,7 @@ This document gives an overview of variables used in all platforms of the Tecton
 | tectonic_etcd_client_cert_path | (optional) The path of the file containing the client certificate for TLS communication with etcd.<br><br>Note: This works only when used in conjunction with an external etcd cluster. If set, the variables `tectonic_etcd_servers`, `tectonic_etcd_ca_cert_path`, and `tectonic_etcd_client_key_path` must also be set. | string | `/dev/null` |
 | tectonic_etcd_client_key_path | (optional) The path of the file containing the client key for TLS communication with etcd.<br><br>Note: This works only when used in conjunction with an external etcd cluster. If set, the variables `tectonic_etcd_servers`, `tectonic_etcd_ca_cert_path`, and `tectonic_etcd_client_cert_path` must also be set. | string | `/dev/null` |
 | tectonic_etcd_count | The number of etcd nodes to be created. If set to zero, the count of etcd nodes will be determined automatically.<br><br>Note: This is not supported on bare metal. | string | `0` |
+| tectonic_etcd_scheme | (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints. | string | `https` |
 | tectonic_etcd_servers | (optional) List of external etcd v3 servers to connect with (hostnames/IPs only). Needs to be set if using an external etcd cluster.<br><br>Example: `["etcd1", "etcd2", "etcd3"]` | list | `<list>` |
 | tectonic_etcd_tls_enabled | (optional) If set to `true`, TLS secure communication for self-provisioned etcd. will be used.<br><br>Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS. | string | `true` |
 | tectonic_image_re | (internal) Regular expression used to extract repo and tag components | string | `/^([^/]+/[^/]+/[^/]+):(.*)$/` |

config.tf

@@ -184,6 +184,15 @@ EOF
   default = []
 }
 
+variable "tectonic_etcd_scheme" {
+  type    = "string"
+  default = "https"
+
+  description = <<EOF
+(optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+EOF
+}
+
 variable "tectonic_etcd_tls_enabled" {
   default = true
 

examples/terraform.tfvars.aws

@@ -257,6 +257,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

examples/terraform.tfvars.azure

@@ -226,6 +226,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

examples/terraform.tfvars.gcp

@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

examples/terraform.tfvars.metal

@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

examples/terraform.tfvars.openstack-neutron

@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

examples/terraform.tfvars.vmware

@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 

modules/aws/etcd/variables.tf

@@ -79,6 +79,11 @@ variable "dns_enabled" {
   default     = "false"
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "tls_enabled" {
   default = false
 }

modules/bootkube/assets.tf

@@ -13,14 +13,13 @@ resource "template_dir" "bootkube" {
     # Choose the etcd endpoints to use.
     # 1. If self-hosted etcd is enabled, then use
     # var.etcd_service_ip.
-    # 2. Else if no etcd TLS certificates are provided, i.e. we bootstrap etcd
-    # nodes ourselves (using http), then use insecure http var.etcd_endpoints.
-    # 3. Else (if etcd TLS certific are provided), then use the secure https
+    # 2. Else if var.tectonic_etcd_scheme is http? Then use that scheme.
+    # 3. Else use the secure https
     # var.etcd_endpoints.
     etcd_servers = "${
       var.self_hosted_etcd != ""
         ? format("https://%s:2379", cidrhost(var.service_cidr, 15))
-        : var.etcd_ca_cert_pem == ""
+        : var.etcd_scheme == "http"
           ? join(",", formatlist("http://%s:2379", var.etcd_endpoints))
           : join(",", formatlist("https://%s:2379", var.etcd_endpoints))
       }"
@@ -81,14 +80,13 @@ resource "template_dir" "bootkube_bootstrap" {
     # Choose the etcd endpoints to use.
     # 1. If self-hosted etcd mode is enabled, then use
     # var.etcd_service_ip.
-    # 2. Else if no etcd TLS certificates are provided, i.e. we bootstrap etcd
-    # nodes ourselves (using http), then use insecure http var.etcd_endpoints.
-    # 3. Else (if etcd TLS certific are provided), then use the secure https
+    # 2. Else if var.tectonic_etcd_scheme is http? Then use that scheme.
+    # 3. Else use the secure https
     # var.etcd_endpoints.
     etcd_servers = "${
       var.self_hosted_etcd != ""
         ? format("https://%s:2379,https://127.0.0.1:12379", cidrhost(var.service_cidr, 15))
-        : var.etcd_ca_cert_pem == ""
+        : var.etcd_scheme == "http"
           ? join(",", formatlist("http://%s:2379", var.etcd_endpoints))
           : join(",", formatlist("https://%s:2379", var.etcd_endpoints))
       }"

modules/bootkube/variables.tf

@@ -63,6 +63,12 @@ variable "etcd_endpoints" {
   type        = "list"
 }
 
+variable "etcd_scheme" {
+  description = "scheme either http or https"
+  type        = "string"
+  default     = "https"
+}
+
 variable "etcd_peer_cert_pem" {
   type        = "string"
   description = "The etcd peer certificate in PEM format."

modules/gcp/etcd/variables.tf

@@ -68,6 +68,11 @@ variable "tls_enabled" {
   default = false
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "tls_ca_crt_pem" {
   default = ""
 }

modules/ignition/etcd.tf

@@ -27,17 +27,17 @@ data "template_file" "etcd_names" {
 
 data "template_file" "advertise_client_urls" {
   count    = "${var.etcd_count}"
-  template = "${local.scheme}://${var.etcd_advertise_name_list[count.index]}:2379"
+  template = "${var.etcd_scheme}://${var.etcd_advertise_name_list[count.index]}:2379"
 }
 
 data "template_file" "initial_advertise_peer_urls" {
   count    = "${var.etcd_count}"
-  template = "${local.scheme}://${var.etcd_advertise_name_list[count.index]}:2380"
+  template = "${var.etcd_scheme}://${var.etcd_advertise_name_list[count.index]}:2380"
 }
 
 data "template_file" "initial_cluster" {
   count    = "${length(var.etcd_initial_cluster_list) > 0 ? var.etcd_count : 0}"
-  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${local.scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
+  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${var.etcd_scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
 }
 
 data "template_file" "etcd" {
@@ -53,7 +53,7 @@ data "template_file" "etcd" {
     metadata_deps               = "${var.use_metadata ? local.metadata_deps : ""}"
     metadata_env                = "${var.use_metadata ? local.metadata_env : ""}"
     name                        = "${data.template_file.etcd_names.*.rendered[count.index]}"
-    scheme                      = "${local.scheme}"
+    scheme                      = "${var.etcd_scheme}"
   }
 }
 

modules/ignition/variables.tf

@@ -83,6 +83,11 @@ variable "etcd_tls_enabled" {
   default = true
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "etcd_advertise_name_list" {
   type    = "list"
   default = []

modules/vmware/etcd/variables.tf

@@ -123,6 +123,11 @@ variable "tls_peer_crt_pem" {
   default = ""
 }
 
+variable "etcd_scheme" {
+  default = "https"
+  type    = "string"
+}
+
 variable "ign_etcd_dropin_id_list" {
   type = "list"
 }

platforms/aws/main.tf

@@ -71,6 +71,7 @@ module "etcd" {
   dns_enabled             = "${var.tectonic_self_hosted_etcd == "" && length(compact(var.tectonic_etcd_servers)) == 0}"
   dns_zone_id             = "${var.tectonic_aws_private_endpoints ? data.null_data_source.zones.inputs["private"] : data.null_data_source.zones.inputs["public"]}"
   ec2_type                = "${var.tectonic_aws_etcd_ec2_type}"
+  etcd_scheme             = "${var.tectonic_etcd_scheme}"
   external_endpoints      = "${compact(var.tectonic_etcd_servers)}"
   extra_tags              = "${var.tectonic_aws_extra_tags}"
   instance_count          = "${length(data.template_file.etcd_hostname_list.*.id)}"
@@ -97,6 +98,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_hostname_list.*.rendered}"
   etcd_count                = "${length(data.template_file.etcd_hostname_list.*.id)}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"

platforms/azure/main.tf

@@ -118,6 +118,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_advertise_name_list.*.rendered}"
   etcd_count                = "${local.etcd_count}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"

platforms/gcp/main.tf

@@ -61,6 +61,8 @@ module "etcd" {
   master_subnetwork_name = "${module.network.master_subnetwork_name}"
   external_endpoints     = ["${compact(var.tectonic_etcd_servers)}"]
 
+  etcd_scheme = "${var.tectonic_etcd_scheme}"
+
   tls_enabled             = "${var.tectonic_etcd_tls_enabled}"
   tls_ca_crt_pem          = "${module.etcd_certs.etcd_ca_crt_pem}"
   tls_server_crt_pem      = "${module.etcd_certs.etcd_server_crt_pem}"
@@ -148,6 +150,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_hostname_list.*.rendered}"
   etcd_count                = "${length(data.template_file.etcd_hostname_list.*.id)}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
 }
 

platforms/metal/tectonic.tf

@@ -82,6 +82,7 @@ module "bootkube" {
       : join(",", var.tectonic_etcd_servers)
     )}"
 
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_backup_size          = "${var.tectonic_etcd_backup_size}"
   etcd_backup_storage_class = "${var.tectonic_etcd_backup_storage_class}"
   self_hosted_etcd          = "${var.tectonic_self_hosted_etcd}"

platforms/vmware/main.tf

@@ -7,6 +7,7 @@ module "etcd" {
   container_image    = "${var.tectonic_container_images["etcd"]}"
   base_domain        = "${var.tectonic_base_domain}"
   external_endpoints = ["${compact(var.tectonic_etcd_servers)}"]
+  etcd_scheme        = "${var.tectonic_etcd_scheme}"
 
   tls_ca_crt_pem     = "${module.etcd_certs.etcd_ca_crt_pem}"
   tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
@@ -48,6 +49,7 @@ module "ignition_masters" {
   cluster_name             = "${var.tectonic_cluster_name}"
   container_images         = "${var.tectonic_container_images}"
   etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme              = "${var.tectonic_etcd_scheme}"
   image_re                 = "${var.tectonic_image_re}"
   kube_dns_service_ip      = "${module.bootkube.kube_dns_service_ip}"
   kubelet_cni_bin_dir      = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }"