From 447af6d1b69a1ea84d1b7f6a423c277dd2924378 Mon Sep 17 00:00:00 2001 
From: Sergiusz Urbaniak Date: Fri, 10 Nov 2017 16:39:56 +0100 Subject: [PATCH 1/9] modules/*: trust CA certificates on the nodes This also bumps the ignition provider to 1.0.0 to support S3 downloads via ignition. Fixes #INST-67 --- config.tf | 19 +- modules/aws/etcd/ignition.tf | 8 +- modules/aws/master-asg/ignition.tf | 17 ++ modules/aws/master-asg/variables.tf | 15 ++ modules/aws/worker-asg/ignition.tf | 17 ++ modules/aws/worker-asg/variables.tf | 15 ++ modules/azure/etcd/ignition.tf | 4 +- modules/azure/master-as/ignition-master.tf | 2 + modules/azure/master-as/variables.tf | 5 + modules/azure/worker-as/ignition-worker.tf | 2 + modules/azure/worker-as/variables.tf | 5 + modules/bootkube/assets.tf | 4 +- modules/gcp/etcd/ignition.tf | 4 +- modules/gcp/master-igm/ignition.tf | 2 + modules/gcp/master-igm/variables.tf | 5 + modules/gcp/worker-igm/ignition.tf | 2 + modules/gcp/worker-igm/variables.tf | 5 + modules/ignition/assets.tf | 20 +-- modules/ignition/certs.tf | 65 +++++++ modules/ignition/etcd.tf | 6 +- modules/ignition/outputs.import | 4 + modules/ignition/outputs.tf | 26 +++ .../10-always-update-ca-certificates.conf | 6 + modules/ignition/variables.tf | 20 +++ modules/openstack/etcd/ignition.tf | 4 +- modules/openstack/nodes/ignition.tf | 2 + modules/openstack/nodes/variables.tf | 5 + modules/tectonic/assets.tf | 4 +- modules/vmware/etcd/ignition.tf | 4 +- modules/vmware/node/ignition.tf | 2 + modules/vmware/node/variables.tf | 5 + platforms/aws/main.tf | 162 ++++++++++-------- platforms/aws/s3.tf | 24 +++ platforms/azure/main.tf | 144 +++++++++------- .../metal/cl/bootkube-controller.yaml.tmpl | 10 ++ platforms/metal/cl/bootkube-worker.yaml.tmpl | 10 ++ platforms/metal/matchers.tf | 64 ++++--- platforms/openstack/neutron/main.tf | 86 ++++++---- platforms/vmware/main.tf | 150 ++++++++-------- 39 files changed, 653 insertions(+), 301 deletions(-) create mode 100644 modules/ignition/certs.tf create mode 100644 
modules/ignition/resources/dropins/10-always-update-ca-certificates.conf diff --git a/config.tf b/config.tf index 300c75f5bb..b8b0ab56b0 100644 --- a/config.tf +++ b/config.tf @@ -11,7 +11,7 @@ provider "external" { } provider "ignition" { - version = "0.1.0" + version = "1.0.0" } provider "local" { @@ -34,6 +34,14 @@ provider "tls" { version = "1.0.0" } +locals { + // The total amount of public CA certificates present in Tectonic. + // That is all custom CAs + kube CA + etcd CA + ingress CA + // This is a local constant, which needs to be dependency inject because TF cannot handle length() on computed values, + // see https://github.com/hashicorp/terraform/issues/10857#issuecomment-268289775. + tectonic_ca_count = "${length(var.tectonic_custom_ca_pem_list) + 3}" +} + variable "tectonic_config_version" { description = < Date: Tue, 21 Nov 2017 12:11:51 +0100 Subject: [PATCH 2/9] modules/ignition: unify etcd certificate generation Currently etcd certificate ignition files are created in their respective platform module. This unifies it by declaring the ignition file units centrally in the ignition module. --- modules/ignition/{certs.tf => ca_certs.tf} | 0 modules/ignition/etcd.tf | 94 ++++++++++++++++++++++ modules/ignition/outputs.import | 5 ++ modules/ignition/outputs.tf | 12 +++ modules/ignition/variables.tf | 24 ++++++ 5 files changed, 135 insertions(+) rename modules/ignition/{certs.tf => ca_certs.tf} (100%) diff --git a/modules/ignition/certs.tf b/modules/ignition/ca_certs.tf similarity index 100% rename from modules/ignition/certs.tf rename to modules/ignition/ca_certs.tf diff --git a/modules/ignition/etcd.tf b/modules/ignition/etcd.tf index 605a95541b..f5596e440c 100644 --- a/modules/ignition/etcd.tf +++ b/modules/ignition/etcd.tf 
@@ -69,3 +69,97 @@ data "ignition_systemd_unit" "etcd" {
     },
   ]
 }
+
+data "ignition_file" "etcd_ca" {
+  count = "${var.etcd_count > 0 ? 1 : 0}"
+
+  path = "/etc/ssl/etcd/ca.crt"
+  mode = 0644
+  uid = 232
+  gid = 232
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_ca_cert_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_key" {
+  path = "/etc/ssl/etcd/client.key"
+  mode = 0400
+  uid = 0
+  gid = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_client_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_crt" {
+  path = "/etc/ssl/etcd/client.crt"
+  mode = 0400
+  uid = 0
+  gid = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_client_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_key" {
+  count = "${var.etcd_count > 0 ? 1 : 0}"
+
+  path = "/etc/ssl/etcd/server.key"
+  mode = 0400
+  uid = 232
+  gid = 232
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_server_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_crt" {
+  count = "${var.etcd_count > 0 ? 1 : 0}"
+
+  path = "/etc/ssl/etcd/server.crt"
+  mode = 0400
+  uid = 232
+  gid = 232
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_server_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_key" {
+  count = "${var.etcd_count > 0 ? 1 : 0}"
+
+  path = "/etc/ssl/etcd/peer.key"
+  mode = 0400
+  uid = 232
+  gid = 232
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_peer_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_crt" {
+  count = "${var.etcd_count > 0 ? 1 : 0}"
+
+  path = "/etc/ssl/etcd/peer.crt"
+  mode = 0400
+  uid = 232
+  gid = 232
+  filesystem = "root"
+
+  content {
+    content = "${var.etcd_peer_crt_pem}"
+  }
+}
diff --git a/modules/ignition/outputs.import b/modules/ignition/outputs.import
index 4db4bb9401..80ca72dd8f 100644
--- a/modules/ignition/outputs.import
+++ b/modules/ignition/outputs.import
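Review bot: `etcd_client_key` and `etcd_client_crt` are the only two data sources in this hunk without the `count = "${var.etcd_count > 0 ? 1 : 0}"` guard the other five carry, so their ignition entries (with 0400 key content) are rendered even when no etcd nodes are managed; if that asymmetry is deliberate a one-line comment above them saying why would help, otherwise give them the same guard. Every `content` here is a module input that defaults to `""` (see the variables.tf hunk of this patch), so with etcd TLS switched off the nodes still receive empty `/etc/ssl/etcd/*.key` files; since the module already takes an `etcd_tls_enabled` input (the platform main.tf hunks pass it), the count could fold that flag in, e.g. `count = "${var.etcd_tls_enabled && var.etcd_count > 0 ? 1 : 0}"` — presumably `etcd_tls_enabled` evaluates as a boolean here, verify. The enclosing file continues outside the hunk.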
@@ -31,3 +31,8 @@ variable "ign_k8s_node_bootstrap_service_id" {
 variable "ign_update_ca_certificates_dropin_id" {
   type = "string"
 }
+
+variable "ign_ca_cert_id_list" {
+  type = "list"
+  description = "The list of public CA certificate ignition file IDs."
+}
diff --git a/modules/ignition/outputs.tf b/modules/ignition/outputs.tf
index 73e1ee853d..c7fc62e174 100644
--- a/modules/ignition/outputs.tf
+++ b/modules/ignition/outputs.tf
@@ -131,3 +131,15 @@ output "ca_cert_pem_list" {
     "${var.custom_ca_cert_pem_list}",
   ]
 }
+
+output "etcd_crt_id_list" {
+  value = [
+    "${data.ignition_file.etcd_ca.*.id}",
+    "${data.ignition_file.etcd_client_key.*.id}",
+    "${data.ignition_file.etcd_client_crt.*.id}",
+    "${data.ignition_file.etcd_server_key.*.id}",
+    "${data.ignition_file.etcd_server_crt.*.id}",
+    "${data.ignition_file.etcd_peer_key.*.id}",
+    "${data.ignition_file.etcd_peer_crt.*.id}",
+  ]
+}
diff --git a/modules/ignition/variables.tf b/modules/ignition/variables.tf
index e0e70e2da2..98d3c01852 100644
--- a/modules/ignition/variables.tf
+++ b/modules/ignition/variables.tf
@@ -133,6 +133,30 @@ variable "etcd_ca_cert_pem" {
   description = "The etcd kube CA certificate in PEM format."
 }
 
+variable "etcd_client_key_pem" {
+  default = ""
+}
+
+variable "etcd_client_crt_pem" {
+  default = ""
+}
+
+variable "etcd_server_key_pem" {
+  default = ""
+}
+
+variable "etcd_server_crt_pem" {
+  default = ""
+}
+
+variable "etcd_peer_key_pem" {
+  default = ""
+}
+
+variable "etcd_peer_crt_pem" {
+  default = ""
+}
+
 variable "custom_ca_cert_pem_list" {
   type = "list"
   description = "(optional) A list of custom CAs in PEM format."
From 9c133abe70553500c7ad44fa75d7910b752f7e2d Mon Sep 17 00:00:00 2001
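Review bot: The six new `etcd_*_pem` variables in the modules/ignition/variables.tf hunk have no `description`, unlike `etcd_ca_cert_pem` directly above them and `custom_ca_cert_pem_list` directly below, even though three of them carry private key material that ends up as 0400 files on the etcd nodes. Add one per variable, e.g. `description = "The etcd server private key in PEM format."` for `etcd_server_key_pem`, and consider stating in the same line that the value is only consumed when etcd nodes are rendered, since `default = ""` otherwise makes an unset input indistinguishable from a deliberately empty one.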
From: Sergiusz Urbaniak Date: Tue, 21 Nov 2017 12:13:08 +0100 Subject: [PATCH 3/9] modules/tls/etcd: remove zip generation Currently the etcd TLS module also generates a zip file which is only used on AWS to reduce the userdata size to be <20k (hard limit on AWS). Since the etcd TLS assets will be provisioned via S3 this optimization/hack is not needed any more. --- modules/tls/etcd/signed/outputs.tf | 7 ---- modules/tls/etcd/signed/zip.tf | 40 ----------------------- modules/tls/etcd/user-provided/outputs.tf | 7 ---- modules/tls/etcd/user-provided/zip.tf | 40 ----------------------- 4 files changed, 94 deletions(-) delete mode 100644 modules/tls/etcd/signed/zip.tf delete mode 100644 modules/tls/etcd/user-provided/zip.tf diff --git a/modules/tls/etcd/signed/outputs.tf b/modules/tls/etcd/signed/outputs.tf index f883c7371b..436d803830 100644 --- a/modules/tls/etcd/signed/outputs.tf +++ b/modules/tls/etcd/signed/outputs.tf @@ -26,15 +26,8 @@ output "etcd_server_key_pem" { value = "${join("", tls_private_key.etcd_server.*.private_key_pem)}" } -// The data.archive_file.etcd_tls_zip.id != "" assertion forces the etcd_tls_zip datasource to be run, -// hence ./.terraform/etcd_tls.zip must be generated and present. -output "etcd_tls_zip" { - value = "${data.archive_file.etcd_tls_zip.id != "" ? file("./.terraform/etcd_tls.zip") : ""}" -} - output "id" { value = "${sha1(" - ${data.archive_file.etcd_tls_zip.id}, ${join(" ", local_file.etcd_ca_crt.*.id, local_file.etcd_server_crt.*.id, diff --git a/modules/tls/etcd/signed/zip.tf b/modules/tls/etcd/signed/zip.tf deleted file mode 100644 index 247c2c9a99..0000000000 --- a/modules/tls/etcd/signed/zip.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -data "archive_file" "etcd_tls_zip" { - type = "zip" - - output_path = "./.terraform/etcd_tls.zip" - - source { - filename = "ca.crt" - content = "${data.template_file.etcd_ca_cert_pem.rendered}" - } - - source { - filename = "server.crt" - content = "${join("", tls_locally_signed_cert.etcd_server.*.cert_pem)}" - } - - source { - filename = "server.key" - content = "${join("", tls_private_key.etcd_server.*.private_key_pem)}" - } - - source { - filename = "peer.crt" - content = "${join("", tls_locally_signed_cert.etcd_peer.*.cert_pem)}" - } - - source { - filename = "peer.key" - content = "${join("", tls_private_key.etcd_peer.*.private_key_pem)}" - } - - source { - filename = "client.crt" - content = "${data.template_file.etcd_client_crt.rendered}" - } - - source { - filename = "client.key" - content = "${data.template_file.etcd_client_key.rendered}" - } -} diff --git a/modules/tls/etcd/user-provided/outputs.tf b/modules/tls/etcd/user-provided/outputs.tf index ed8c9fbeb5..52aae973ad 100644 --- a/modules/tls/etcd/user-provided/outputs.tf +++ b/modules/tls/etcd/user-provided/outputs.tf @@ -26,15 +26,8 @@ output "etcd_server_key_pem" { value = "${file(var.etcd_server_key_pem_path)}" } -// The data.archive_file.etcd_tls_zip.id != "" assertion forces the etcd_tls_zip datasource to be run, -// hence ./.terraform/etcd_tls.zip must be generated and present. -output "etcd_tls_zip" { - value = "${data.archive_file.etcd_tls_zip.id != "" ? file("./.terraform/etcd_tls.zip") : ""}" -} - output "id" { value = "${sha1(" - ${data.archive_file.etcd_tls_zip.id}, ${join(" ", local_file.etcd_ca_crt.*.id, local_file.etcd_server_crt.*.id, diff --git a/modules/tls/etcd/user-provided/zip.tf b/modules/tls/etcd/user-provided/zip.tf deleted file mode 100644 index 357126114b..0000000000 --- a/modules/tls/etcd/user-provided/zip.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -data "archive_file" "etcd_tls_zip" { - type = "zip" - - output_path = "./.terraform/etcd_tls.zip" - - source { - filename = "ca.crt" - content = "${file(var.etcd_ca_crt_pem_path)}" - } - - source { - filename = "server.crt" - content = "${file(var.etcd_server_crt_pem_path)}" - } - - source { - filename = "server.key" - content = "${file(var.etcd_server_key_pem_path)}" - } - - source { - filename = "peer.crt" - content = "${file(var.etcd_peer_crt_pem_path)}" - } - - source { - filename = "peer.key" - content = "${file(var.etcd_peer_key_pem_path)}" - } - - source { - filename = "client.crt" - content = "${file(var.etcd_client_crt_pem_path)}" - } - - source { - filename = "client.key" - content = "${file(var.etcd_client_key_pem_path)}" - } -} From fa0f3bd1c33706732b228267128aeace97c1d417 Mon Sep 17 00:00:00 2001 
From: Sergiusz Urbaniak Date: Tue, 21 Nov 2017 12:14:51 +0100 Subject: [PATCH 4/9] */aws: use S3 for ignition provisioning We hit the limits of the AWS userdata limit (20k) constantly. This fixes it by provisioning a minimal ignition configuration only which points to a replacement ignition configuration hosted on S3. This also removes workarounds/hacks to keep the userdata size small, especially for provisioning TLS assets on etcd nodes. --- modules/aws/etcd/ignition.tf | 48 +---------------- modules/aws/etcd/ignition_s3.tf | 25 +++++++++ modules/aws/etcd/nodes.tf | 78 ++++++++++++++++++++++++++- modules/aws/etcd/variables.tf | 8 ++- modules/aws/master-asg/ignition.tf | 17 +----- modules/aws/master-asg/ignition_s3.tf | 21 ++++++++ modules/aws/master-asg/master.tf | 2 +- modules/aws/master-asg/variables.tf | 15 +----- modules/aws/worker-asg/ignition.tf | 17 +----- modules/aws/worker-asg/ignition_s3.tf | 21 ++++++++ modules/aws/worker-asg/variables.tf | 15 +----- modules/aws/worker-asg/worker.tf | 2 +- platforms/aws/main.tf | 21 +++++--- platforms/aws/s3.tf | 24 --------- 14 files changed, 171 insertions(+), 143 deletions(-) create mode 100644 modules/aws/etcd/ignition_s3.tf create mode 100644 modules/aws/master-asg/ignition_s3.tf create mode 100644 modules/aws/worker-asg/ignition_s3.tf diff --git a/modules/aws/etcd/ignition.tf b/modules/aws/etcd/ignition.tf index 8710f66f84..bb29af7749 100644 --- a/modules/aws/etcd/ignition.tf +++ b/modules/aws/etcd/ignition.tf 
@@ -4,59 +4,13 @@ data "ignition_config" "etcd" { systemd = [ "${data.ignition_systemd_unit.locksmithd.*.id[count.index]}", "${var.ign_etcd_dropin_id_list[count.index]}", - "${data.ignition_systemd_unit.etcd_unzip_tls.id}", ] files = [ - "${data.ignition_file.node_hostname.*.id[count.index]}", - "${data.ignition_file.etcd_tls_zip.id}", + "${var.ign_etcd_crt_id_list}", ] } -data "ignition_file" "node_hostname" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count : 0}" - path = "/etc/hostname" - mode = 0644 - filesystem = "root" - - content { - content = "${var.cluster_name}-etcd-${count.index}.${var.base_domain}" - } -} - -data "ignition_file" "etcd_tls_zip" { - path = "/etc/ssl/etcd/tls.zip" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - mime = "application/octet-stream" - content = "${var.tls_zip}" - } -} - -data "ignition_systemd_unit" "etcd_unzip_tls" { - name = "etcd-unzip-tls.service" - enabled = true - - content = < Date: Tue, 21 Nov 2017 12:18:00 +0100 Subject: [PATCH 5/9] */azure: use unified etcd TLS ignition files --- modules/azure/etcd/ignition.tf | 102 +-------------------------- modules/azure/etcd/variables.tf | 32 ++------- modules/azure/master-as/variables.tf | 5 -- modules/azure/worker-as/variables.tf | 5 -- platforms/azure/main.tf | 19 +++-- 5 files changed, 14 insertions(+), 149 deletions(-) diff --git a/modules/azure/etcd/ignition.tf b/modules/azure/etcd/ignition.tf index 5a07f2ab7f..2a6fb1e848 100644 --- a/modules/azure/etcd/ignition.tf +++ b/modules/azure/etcd/ignition.tf 
@@ -11,110 +11,10 @@ data "ignition_config" "etcd" { ] files = [ - "${data.ignition_file.etcd_ca.id}", - "${data.ignition_file.etcd_server_crt.id}", - "${data.ignition_file.etcd_server_key.id}", - "${data.ignition_file.etcd_client_crt.id}", - "${data.ignition_file.etcd_client_key.id}", - "${data.ignition_file.etcd_peer_crt.id}", - "${data.ignition_file.etcd_peer_key.id}", + "${var.ign_etcd_crt_id_list}", ] } -data "ignition_file" "etcd_ca" { - count = "${var.etcd_count > 0 ? 1 : 0}" - - path = "/etc/ssl/etcd/ca.crt" - mode = 0644 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_ca_crt_pem}" - } -} - -data "ignition_file" "etcd_client_key" { - path = "/etc/ssl/etcd/client.key" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_key_pem}" - } -} - -data "ignition_file" "etcd_client_crt" { - path = "/etc/ssl/etcd/client.crt" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_crt_pem}" - } -} - -data "ignition_file" "etcd_server_key" { - count = "${var.etcd_count > 0 ? 1 : 0}" - - path = "/etc/ssl/etcd/server.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_key_pem}" - } -} - -data "ignition_file" "etcd_server_crt" { - count = "${var.etcd_count > 0 ? 1 : 0}" - - path = "/etc/ssl/etcd/server.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_crt_pem}" - } -} - -data "ignition_file" "etcd_peer_key" { - count = "${var.etcd_count > 0 ? 1 : 0}" - - path = "/etc/ssl/etcd/peer.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_key_pem}" - } -} - -data "ignition_file" "etcd_peer_crt" { - count = "${var.etcd_count > 0 ? 
1 : 0}" - - path = "/etc/ssl/etcd/peer.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_crt_pem}" - } -} - data "ignition_user" "core" { count = "${var.etcd_count > 0 ? 1 : 0}" diff --git a/modules/azure/etcd/variables.tf b/modules/azure/etcd/variables.tf index 9a683f6493..d9298361b3 100644 --- a/modules/azure/etcd/variables.tf +++ b/modules/azure/etcd/variables.tf @@ -72,34 +72,6 @@ variable "tls_enabled" { default = false } -variable "tls_ca_crt_pem" { - default = "" -} - -variable "tls_client_key_pem" { - default = "" -} - -variable "tls_client_crt_pem" { - default = "" -} - -variable "tls_server_key_pem" { - default = "" -} - -variable "tls_server_crt_pem" { - default = "" -} - -variable "tls_peer_key_pem" { - default = "" -} - -variable "tls_peer_crt_pem" { - default = "" -} - variable "container_image" { type = "string" } @@ -115,3 +87,7 @@ variable "ign_etcd_dropin_id_list" { variable "fault_domains" { type = "string" } + +variable "ign_etcd_crt_id_list" { + type = "list" +} diff --git a/modules/azure/master-as/variables.tf b/modules/azure/master-as/variables.tf index b22040ea80..f221f985a5 100644 --- a/modules/azure/master-as/variables.tf +++ b/modules/azure/master-as/variables.tf @@ -93,8 +93,3 @@ variable "ign_tectonic_path_unit_id" { variable "fault_domains" { type = "string" } - -variable "ign_ca_cert_id_list" { - type = "list" - description = "The list of public CA certificate ignition file IDs." -} diff --git a/modules/azure/worker-as/variables.tf b/modules/azure/worker-as/variables.tf index eb84009c9e..9fa821ca24 100644 --- a/modules/azure/worker-as/variables.tf +++ b/modules/azure/worker-as/variables.tf @@ -86,8 +86,3 @@ variable "worker_count" { variable "fault_domains" { type = "string" } - -variable "ign_ca_cert_id_list" { - type = "list" - description = "The list of public CA certificate ignition file IDs." -} 
diff --git a/platforms/azure/main.tf b/platforms/azure/main.tf index dc5d1e0ca0..8d72997e8c 100644 --- a/platforms/azure/main.tf +++ b/platforms/azure/main.tf @@ -64,25 +64,18 @@ module "etcd" { container_linux_version = "${module.container_linux.version}" etcd_count = "${local.etcd_count}" extra_tags = "${var.tectonic_azure_extra_tags}" + fault_domains = "${var.tectonic_azure_location_fault_domains["${var.tectonic_azure_location}"]}" + ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}" + ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}" location = "${var.tectonic_azure_location}" network_interface_ids = "${module.vnet.etcd_network_interface_ids}" public_ssh_key = "${var.tectonic_azure_ssh_key}" resource_group_name = "${module.resource_group.name}" storage_id = "${module.resource_group.storage_id}" storage_type = "${var.tectonic_azure_etcd_storage_type}" - tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}" - tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" - tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" tls_enabled = "${var.tectonic_etcd_tls_enabled}" - tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" - tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" - tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" - tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" versions = "${var.tectonic_versions}" vm_size = "${var.tectonic_azure_etcd_vm_size}" - fault_domains = "${var.tectonic_azure_location_fault_domains["${var.tectonic_azure_location}"]}" - - ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}" } # Workaround for https://github.com/hashicorp/terraform/issues/4084 
@@ -119,8 +112,14 @@ module "ignition_masters" { custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}" etcd_advertise_name_list = "${data.template_file.etcd_advertise_name_list.*.rendered}" etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}" + etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" + etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" etcd_count = "${local.etcd_count}" etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" + etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" + etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" + etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" etcd_tls_enabled = "${var.tectonic_etcd_tls_enabled}" image_re = "${var.tectonic_image_re}" ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}" From 532ff5b4ad524963623dfb9932ec1122ee3b6147 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Tue, 21 Nov 2017 12:19:14 +0100 Subject: [PATCH 6/9] */gcp: use unified etcd TLS ignition files --- modules/gcp/etcd/ignition.tf | 102 +--------------------------- modules/gcp/etcd/variables.tf | 32 ++------- modules/gcp/master-igm/variables.tf | 5 -- modules/gcp/worker-igm/variables.tf | 5 -- platforms/gcp/main.tf | 31 ++++----- 5 files changed, 20 insertions(+), 155 deletions(-) diff --git a/modules/gcp/etcd/ignition.tf b/modules/gcp/etcd/ignition.tf index 95d267647f..9149f86a91 100644 --- a/modules/gcp/etcd/ignition.tf +++ b/modules/gcp/etcd/ignition.tf 
@@ -8,13 +8,7 @@ data "ignition_config" "etcd" { files = [ "${data.ignition_file.node_hostname.*.id[count.index]}", - "${data.ignition_file.etcd_ca.id}", - "${data.ignition_file.etcd_server_crt.id}", - "${data.ignition_file.etcd_server_key.id}", - "${data.ignition_file.etcd_client_crt.id}", - "${data.ignition_file.etcd_client_key.id}", - "${data.ignition_file.etcd_peer_crt.id}", - "${data.ignition_file.etcd_peer_key.id}", + "${var.ign_etcd_crt_id_list}", ] } 
@@ -29,100 +23,6 @@ data "ignition_file" "node_hostname" { } } -data "ignition_file" "etcd_ca" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0}" - - path = "/etc/ssl/etcd/ca.crt" - mode = 0644 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_ca_crt_pem}" - } -} - -data "ignition_file" "etcd_client_key" { - path = "/etc/ssl/etcd/client.key" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_key_pem}" - } -} - -data "ignition_file" "etcd_client_crt" { - path = "/etc/ssl/etcd/client.crt" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_crt_pem}" - } -} - -data "ignition_file" "etcd_server_key" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0}" - - path = "/etc/ssl/etcd/server.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_key_pem}" - } -} - -data "ignition_file" "etcd_server_crt" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0}" - - path = "/etc/ssl/etcd/server.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_crt_pem}" - } -} - -data "ignition_file" "etcd_peer_key" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0}" - - path = "/etc/ssl/etcd/peer.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_key_pem}" - } -} - -data "ignition_file" "etcd_peer_crt" { - count = "${length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0}" - - path = "/etc/ssl/etcd/peer.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_crt_pem}" - } -} - data "ignition_systemd_unit" "locksmithd" { count = "${length(var.external_endpoints) == 0 ? 
var.instance_count : 0}" diff --git a/modules/gcp/etcd/variables.tf b/modules/gcp/etcd/variables.tf index 78cdc1a51e..fb142c6e0b 100644 --- a/modules/gcp/etcd/variables.tf +++ b/modules/gcp/etcd/variables.tf @@ -68,34 +68,6 @@ variable "tls_enabled" { default = false } -variable "tls_ca_crt_pem" { - default = "" -} - -variable "tls_client_key_pem" { - default = "" -} - -variable "tls_client_crt_pem" { - default = "" -} - -variable "tls_server_key_pem" { - default = "" -} - -variable "tls_server_crt_pem" { - default = "" -} - -variable "tls_peer_key_pem" { - default = "" -} - -variable "tls_peer_crt_pem" { - default = "" -} - variable "ign_etcd_dropin_id_list" { type = "list" } @@ -103,3 +75,7 @@ variable "ign_etcd_dropin_id_list" { variable "public_ssh_key" { default = "" } + +variable "ign_etcd_crt_id_list" { + type = "list" +} diff --git a/modules/gcp/master-igm/variables.tf b/modules/gcp/master-igm/variables.tf index 66704141e8..232f01f647 100644 --- a/modules/gcp/master-igm/variables.tf +++ b/modules/gcp/master-igm/variables.tf @@ -100,8 +100,3 @@ variable "assets_gcs_location" { type = "string" description = "Location on gcs of the Bootkube/Tectonic assets to use (bucket/key)" } - -variable "ign_ca_cert_id_list" { - type = "list" - description = "The list of public CA certificate ignition file IDs." -} diff --git a/modules/gcp/worker-igm/variables.tf b/modules/gcp/worker-igm/variables.tf index 193bb4c1bf..e3de1ff321 100644 --- a/modules/gcp/worker-igm/variables.tf +++ b/modules/gcp/worker-igm/variables.tf @@ -59,8 +59,3 @@ variable "public_ssh_key" { variable "kubeconfig_content" { type = "string" } - -variable "ign_ca_cert_id_list" { - type = "list" - description = "The list of public CA certificate ignition file IDs." -} diff --git a/platforms/gcp/main.tf b/platforms/gcp/main.tf index f6dc61e57e..2964c006d8 100644 --- a/platforms/gcp/main.tf +++ b/platforms/gcp/main.tf 
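Review bot: The removed GCP data sources gated every etcd cert file on `length(var.external_endpoints) == 0 ? var.instance_count > 0 ? 1 : 0 : 0`, but that external-endpoint condition is not carried into the unified files in modules/ignition/etcd.tf, which use `var.etcd_count` alone. In platforms/gcp/main.tf this series passes `etcd_count = "${length(data.template_file.etcd_hostname_list.*.id)}"`; if that list is non-empty when `tectonic_etcd_servers` is supplied, server and peer key files would now be rendered for etcd nodes that are not created — this is inferred from the visible hunks, so worth confirming against the hostname template. If the caller is expected to pass 0 in that case, documenting it on the `ign_etcd_crt_id_list` variable added in modules/gcp/etcd/variables.tf, e.g. `description = "Ignition file IDs of the etcd TLS assets; empty when external etcd endpoints are used."`, would make the contract explicit.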
@@ -50,20 +50,14 @@ module "etcd" { disk_size = "${var.tectonic_gcp_etcd_disk_size}" disk_type = "${var.tectonic_gcp_etcd_disktype}" external_endpoints = ["${compact(var.tectonic_etcd_servers)}"] + ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}" ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}" instance_count = "${var.tectonic_self_hosted_etcd != "" ? 0 : var.tectonic_etcd_count > 0 ? var.tectonic_etcd_count : length(data.google_compute_zones.available.names) == 5 ? 5 : 3}" machine_type = "${var.tectonic_gcp_etcd_gce_type}" managed_zone_name = "${var.tectonic_gcp_ext_google_managedzone_name}" master_subnetwork_name = "${module.network.master_subnetwork_name}" public_ssh_key = "${var.tectonic_gcp_ssh_key}" - tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}" - tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" - tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" tls_enabled = "${var.tectonic_etcd_tls_enabled}" - tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" - tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" - tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" - tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" zone_list = "${data.google_compute_zones.available.names}" } 
@@ -138,22 +132,27 @@ module "workers" { module "ignition_masters" { source = "../../modules/ignition" + assets_location = "${google_storage_bucket.assets_storage_bucket.name}/${google_storage_bucket_object.tectonic-assets.name}" bootstrap_upgrade_cl = "${var.tectonic_bootstrap_upgrade_cl}" cluster_name = "${var.tectonic_cluster_name}" container_images = "${var.tectonic_container_images}" etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}" + etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}" etcd_count = "${length(data.template_file.etcd_hostname_list.*.id)}" etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}" + etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}" + etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}" + etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}" + etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}" etcd_tls_enabled = "${var.tectonic_etcd_tls_enabled}" - - image_re = "${var.tectonic_image_re}" - kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" - kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }" - kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" - kubelet_node_label = "node-role.kubernetes.io/master" - kubelet_node_taints = "node-role.kubernetes.io/master=:NoSchedule" - tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" - assets_location = "${google_storage_bucket.assets_storage_bucket.name}/${google_storage_bucket_object.tectonic-assets.name}" + image_re = "${var.tectonic_image_re}" + kube_dns_service_ip = "${module.bootkube.kube_dns_service_ip}" + kubelet_cni_bin_dir = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? 
"/var/lib/cni/bin" : "" }" + kubelet_debug_config = "${var.tectonic_kubelet_debug_config}" + kubelet_node_label = "node-role.kubernetes.io/master" + kubelet_node_taints = "node-role.kubernetes.io/master=:NoSchedule" + tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}" } module "ignition_workers" { From f328eb95903ba882d22306f02f52c349592094a8 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Tue, 21 Nov 2017 12:19:49 +0100 Subject: [PATCH 7/9] */openstack: use unified etcd TLS ignition files --- modules/openstack/etcd/ignition.tf | 90 +--------------------------- modules/openstack/etcd/variables.tf | 32 ++-------- modules/openstack/nodes/variables.tf | 5 -- platforms/openstack/neutron/main.tf | 14 ++--- 4 files changed, 12 insertions(+), 129 deletions(-) diff --git a/modules/openstack/etcd/ignition.tf b/modules/openstack/etcd/ignition.tf index b6d3af9f2c..b7532aa6fa 100644 --- a/modules/openstack/etcd/ignition.tf +++ b/modules/openstack/etcd/ignition.tf @@ -7,13 +7,7 @@ data "ignition_config" "etcd" { files = [ "${data.ignition_file.resolv_conf.id}", - "${data.ignition_file.etcd_ca.id}", - "${data.ignition_file.etcd_server_crt.id}", - "${data.ignition_file.etcd_server_key.id}", - "${data.ignition_file.etcd_client_crt.id}", - "${data.ignition_file.etcd_client_key.id}", - "${data.ignition_file.etcd_peer_crt.id}", - "${data.ignition_file.etcd_peer_key.id}", + "${var.ign_etcd_crt_id_list}", ] systemd = [ 
@@ -23,88 +17,6 @@ data "ignition_config" "etcd" { ] } -data "ignition_file" "etcd_ca" { - path = "/etc/ssl/etcd/ca.crt" - mode = 0644 - filesystem = "root" - - content { - content = "${var.tls_ca_crt_pem}" - } -} - -data "ignition_file" "etcd_client_key" { - path = "/etc/ssl/etcd/client.key" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_key_pem}" - } -} - -data "ignition_file" "etcd_client_crt" { - path = "/etc/ssl/etcd/client.crt" - mode = 0400 - uid = 0 - gid = 0 - filesystem = "root" - - content { - content = "${var.tls_client_crt_pem}" - } -} - -data "ignition_file" "etcd_server_key" { - path = "/etc/ssl/etcd/server.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_key_pem}" - } -} - -data "ignition_file" "etcd_server_crt" { - path = "/etc/ssl/etcd/server.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_server_crt_pem}" - } -} - -data "ignition_file" "etcd_peer_key" { - path = "/etc/ssl/etcd/peer.key" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_key_pem}" - } -} - -data "ignition_file" "etcd_peer_crt" { - path = "/etc/ssl/etcd/peer.crt" - mode = 0400 - uid = 232 - gid = 232 - filesystem = "root" - - content { - content = "${var.tls_peer_crt_pem}" - } -} - data "ignition_file" "resolv_conf" { path = "/etc/resolv.conf" mode = 0644 diff --git a/modules/openstack/etcd/variables.tf b/modules/openstack/etcd/variables.tf index 95638e1519..bf80210d2a 100644 --- a/modules/openstack/etcd/variables.tf +++ b/modules/openstack/etcd/variables.tf 
@@ -32,34 +32,6 @@ variable "tls_enabled" {
 default = false
 }
-variable "tls_ca_crt_pem" {
- default = ""
-}
-
-variable "tls_server_key_pem" {
- default = ""
-}
-
-variable "tls_server_crt_pem" {
- default = ""
-}
-
-variable "tls_client_key_pem" {
- default = ""
-}
-
-variable "tls_client_crt_pem" {
- default = ""
-}
-
-variable "tls_peer_key_pem" {
- default = ""
-}
-
-variable "tls_peer_crt_pem" {
- default = ""
-}
-
 variable "ign_etcd_dropin_id_list" {
 type = "list"
 }
@@ -67,3 +39,7 @@ variable "ign_etcd_dropin_id_list" {
 variable "ign_coreos_metadata_dropin_id" {
 type = "string"
 }
+
+variable "ign_etcd_crt_id_list" {
+ type = "list"
+}
diff --git a/modules/openstack/nodes/variables.tf b/modules/openstack/nodes/variables.tf
index 82ff3f3cc1..55151b8e00 100644
--- a/modules/openstack/nodes/variables.tf
+++ b/modules/openstack/nodes/variables.tf
@@ -47,8 +47,3 @@ variable "ign_tectonic_path_unit_id" {
 type = "string"
 default = ""
 }
-
-variable "ign_ca_cert_id_list"
- type = "list"
- description = "The list of public CA certificate ignition file IDs."
-}
diff --git a/platforms/openstack/neutron/main.tf b/platforms/openstack/neutron/main.tf
index f544995aa9..48bce1ef59 100644
--- a/platforms/openstack/neutron/main.tf
+++ b/platforms/openstack/neutron/main.tf
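Review bot: The new `variable "ign_etcd_crt_id_list"` block in the second hunk of modules/openstack/etcd/variables.tf has no `description`, while the `ign_ca_cert_id_list` variable this same patch deletes from modules/openstack/nodes/variables.tf did document what its list held. Since this one input replaces the seven `tls_*_pem` inputs removed in the first hunk, a platform author can no longer tell from the module what the list is expected to contain. Suggest `description = "The list of etcd TLS certificate and key ignition file IDs."` next to `type = "list"`. The same applies to the equivalent variable introduced in modules/vmware/etcd/variables.tf.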
@@ -157,17 +157,11 @@ EOF
 container_image = "${var.tectonic_container_images["etcd"]}"
 core_public_keys = ["${module.secrets.core_public_key_openssh}"]
 ign_coreos_metadata_dropin_id = "${module.ignition_masters.coreos_metadata_dropin_id}"
+ ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}"
 ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}"
 instance_count = "${var.tectonic_etcd_count}"
 self_hosted_etcd = "${var.tectonic_self_hosted_etcd}"
- tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}"
- tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}"
- tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}"
 tls_enabled = "${var.tectonic_etcd_tls_enabled}"
- tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}"
- tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}"
- tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
- tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 }
 module "ignition_masters" {
@@ -180,8 +174,14 @@ module "ignition_masters" {
 custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}"
 etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}"
 etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}"
+ etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}"
+ etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}"
 etcd_count = "${var.tectonic_etcd_count}"
 etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+ etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}"
+ etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}"
+ etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
+ etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 etcd_tls_enabled = "${var.tectonic_etcd_tls_enabled}"
 image_re = "${var.tectonic_image_re}"
 ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}"
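Review bot: With `etcd_server_key_pem`, `etcd_peer_key_pem` and `etcd_client_key_pem` now handed to `module "ignition_masters"` in the second hunk, the etcd private keys are rendered by the module that also builds the master nodes' ignition config, where previously only `module "etcd"` ever saw them. Worth confirming that the resulting `etcd_crt_id_list` is consumed only through the `ign_etcd_crt_id_list` line added to `module "etcd"` in the first hunk and is not also attached to the master ignition config by the ignition module itself, since that would place the etcd server and peer keys on every master. Note that `tls_enabled` stays on `module "etcd"` while `etcd_tls_enabled` drives the ignition module, so the two toggles must keep being fed from the same `var.tectonic_etcd_tls_enabled` or the etcd config and its file list can disagree. Both module calls start and end outside their hunks. The same wiring appears in platforms/vmware/main.tf.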
From dd2e0fdced967d7d80f781db68ca48b95514680a Mon Sep 17 00:00:00 2001
From: Sergiusz Urbaniak
Date: Tue, 21 Nov 2017 12:20:03 +0100
Subject: [PATCH 8/9] */vmware: use unified etcd TLS ignition files
---
 modules/vmware/etcd/ignition.tf | 92 +-------------------------------
 modules/vmware/etcd/variables.tf | 30 ++---------
 modules/vmware/node/variables.tf | 5 --
 platforms/vmware/main.tf | 14 ++---
 4 files changed, 11 insertions(+), 130 deletions(-)
diff --git a/modules/vmware/etcd/ignition.tf b/modules/vmware/etcd/ignition.tf
index d55a700250..105d0845a5 100644
--- a/modules/vmware/etcd/ignition.tf
+++ b/modules/vmware/etcd/ignition.tf
@@ -7,13 +7,7 @@ data "ignition_config" "etcd" {
 files = [
 "${data.ignition_file.node_hostname.*.id[count.index]}",
- "${data.ignition_file.etcd_ca.id}",
- "${data.ignition_file.etcd_server_crt.id}",
- "${data.ignition_file.etcd_server_key.id}",
- "${data.ignition_file.etcd_client_crt.id}",
- "${data.ignition_file.etcd_client_key.id}",
- "${data.ignition_file.etcd_peer_crt.id}",
- "${data.ignition_file.etcd_peer_key.id}",
+ "${var.ign_etcd_crt_id_list}",
 ]
 systemd = [
@@ -31,90 +25,6 @@ data "ignition_user" "core" {
 ssh_authorized_keys = ["${var.core_public_keys}"]
 }
-data "ignition_file" "etcd_ca" {
- path = "/etc/ssl/etcd/ca.crt"
- mode = 0644
- uid = 232
- gid = 232
- filesystem = "root"
-
- content {
- content = "${var.tls_ca_crt_pem}"
- }
-}
-
-data "ignition_file" "etcd_client_key" {
- path = "/etc/ssl/etcd/client.key"
- mode = 0400
- uid = 0
- gid = 0
- filesystem = "root"
-
- content {
- content = "${var.tls_client_key_pem}"
- }
-}
-
-data "ignition_file" "etcd_client_crt" {
- path = "/etc/ssl/etcd/client.crt"
- mode = 0400
- uid = 0
- gid = 0
- filesystem = "root"
-
- content {
- content = "${var.tls_client_crt_pem}"
- }
-}
-
-data "ignition_file" "etcd_server_key" {
- path = "/etc/ssl/etcd/server.key"
- mode = 0400
- uid = 232
- gid = 232
- filesystem = "root"
-
- content {
- content = "${var.tls_server_key_pem}"
- }
-}
-
-data "ignition_file" "etcd_server_crt" {
- path = "/etc/ssl/etcd/server.crt"
- mode = 0400
- uid = 232
- gid = 232
- filesystem = "root"
-
- content {
- content = "${var.tls_server_crt_pem}"
- }
-}
-
-data "ignition_file" "etcd_peer_key" {
- path = "/etc/ssl/etcd/peer.key"
- mode = 0400
- uid = 232
- gid = 232
- filesystem = "root"
-
- content {
- content = "${var.tls_peer_key_pem}"
- }
-}
-
-data "ignition_file" "etcd_peer_crt" {
- path = "/etc/ssl/etcd/peer.crt"
- mode = 0400
- uid = 232
- gid = 232
- filesystem = "root"
-
- content {
- content = "${var.tls_peer_crt_pem}"
- }
-}
-
 data "ignition_systemd_unit" "locksmithd" {
 count = "${length(var.external_endpoints) == 0 ? var.instance_count : 0}"
diff --git a/modules/vmware/etcd/variables.tf b/modules/vmware/etcd/variables.tf
index 1beb85573f..049a0e00f7 100644
--- a/modules/vmware/etcd/variables.tf
+++ b/modules/vmware/etcd/variables.tf
@@ -95,34 +95,10 @@ variable hostname {
 description = "Hostname of the node"
 }
-variable "tls_ca_crt_pem" {
- default = ""
-}
-
-variable "tls_client_key_pem" {
- default = ""
-}
-
-variable "tls_client_crt_pem" {
- default = ""
-}
-
-variable "tls_server_key_pem" {
- default = ""
-}
-
-variable "tls_server_crt_pem" {
- default = ""
-}
-
-variable "tls_peer_key_pem" {
- default = ""
-}
-
-variable "tls_peer_crt_pem" {
- default = ""
+variable "ign_etcd_dropin_id_list" {
+ type = "list"
 }
-variable "ign_etcd_dropin_id_list" {
+variable "ign_etcd_crt_id_list" {
 type = "list"
 }
diff --git a/modules/vmware/node/variables.tf b/modules/vmware/node/variables.tf
index 1baa016719..72060b4152 100644
--- a/modules/vmware/node/variables.tf
+++ b/modules/vmware/node/variables.tf
@@ -124,8 +124,3 @@ variable "ign_tectonic_path_unit_id" {
 type = "string"
 default = ""
 }
-
-variable "ign_ca_cert_id_list" {
- type = "list"
- description = "The list of public CA certificate ignition file IDs."
-}
diff --git a/platforms/vmware/main.tf b/platforms/vmware/main.tf
index c60917d01c..d8788a2bb8 100644
--- a/platforms/vmware/main.tf
+++ b/platforms/vmware/main.tf
@@ -9,16 +9,10 @@ module "etcd" {
 external_endpoints = ["${compact(var.tectonic_etcd_servers)}"]
 gateways = "${var.tectonic_vmware_etcd_gateways}"
 hostname = "${var.tectonic_vmware_etcd_hostnames}"
+ ign_etcd_crt_id_list = "${module.ignition_masters.etcd_crt_id_list}"
 ign_etcd_dropin_id_list = "${module.ignition_masters.etcd_dropin_id_list}"
 instance_count = "${var.tectonic_self_hosted_etcd != "" ? 0 : var.tectonic_etcd_count }"
 ip_address = "${var.tectonic_vmware_etcd_ip}"
- tls_ca_crt_pem = "${module.etcd_certs.etcd_ca_crt_pem}"
- tls_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}"
- tls_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}"
- tls_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}"
- tls_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}"
- tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
- tls_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 vm_disk_datastore = "${var.tectonic_vmware_etcd_datastore}"
 vm_disk_template = "${var.tectonic_vmware_vm_template}"
 vm_disk_template_folder = "${var.tectonic_vmware_vm_template_folder}"
@@ -46,7 +40,13 @@ module "ignition_masters" {
 custom_ca_cert_pem_list = "${var.tectonic_custom_ca_pem_list}"
 etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}"
 etcd_ca_cert_pem = "${module.etcd_certs.etcd_ca_crt_pem}"
+ etcd_client_crt_pem = "${module.etcd_certs.etcd_client_crt_pem}"
+ etcd_client_key_pem = "${module.etcd_certs.etcd_client_key_pem}"
 etcd_count = "${length(data.template_file.etcd_hostname_list.*.rendered)}"
+ etcd_peer_crt_pem = "${module.etcd_certs.etcd_peer_crt_pem}"
+ etcd_peer_key_pem = "${module.etcd_certs.etcd_peer_key_pem}"
+ etcd_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
+ etcd_server_key_pem = "${module.etcd_certs.etcd_server_key_pem}"
 image_re = "${var.tectonic_image_re}"
 ingress_ca_cert_pem = "${module.ingress_certs.ca_cert_pem}"
 kube_ca_cert_pem = "${module.kube_certs.ca_cert_pem}"
From 6d66b86112082d209d6e6cbeac8f1e07137301de Mon Sep 17 00:00:00 2001
From: Sergiusz Urbaniak
Date: Fri, 10 Nov 2017 17:28:35 +0100
Subject: [PATCH 9/9] Documentation/examples: regenerate
---
 Documentation/variables/config.md | 1 +
 examples/terraform.tfvars.aws | 3 +++
 examples/terraform.tfvars.azure | 3 +++
 examples/terraform.tfvars.gcp | 3 +++
 examples/terraform.tfvars.metal | 3 +++
 examples/terraform.tfvars.openstack-neutron | 3 +++
 examples/terraform.tfvars.vmware | 3 +++
 7 files changed, 19 insertions(+)
diff --git a/Documentation/variables/config.md b/Documentation/variables/config.md
index 41caa7e032..4e8cbbc463 100644
--- a/Documentation/variables/config.md
+++ b/Documentation/variables/config.md
@@ -20,6 +20,7 @@ This document gives an overview of variables used in all platforms of the Tecton
 | tectonic_container_images | (internal) Container images to use | map | `` |
 | tectonic_container_linux_channel | (optional) The Container Linux update channel.

Examples: `stable`, `beta`, `alpha` | string | `stable` |
 | tectonic_container_linux_version | The Container Linux version to use. Set to `latest` to select the latest available version for the selected update channel.

Examples: `latest`, `1465.6.0` | string | `latest` |
+| tectonic_custom_ca_pem_list | (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes. | list | `` |
 | tectonic_ddns_key_algorithm | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key algorithm. | string | `` |
 | tectonic_ddns_key_name | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key name. | string | `` |
 | tectonic_ddns_key_secret | (optional) This only applies if you use the modules/dns/ddns module.

Specifies the RFC2136 Dynamic DNS server key secret. | string | `` |
diff --git a/examples/terraform.tfvars.aws b/examples/terraform.tfvars.aws
index 1a84cd32be..390f455b4a 100644
--- a/examples/terraform.tfvars.aws
+++ b/examples/terraform.tfvars.aws
@@ -194,6 +194,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.
diff --git a/examples/terraform.tfvars.azure b/examples/terraform.tfvars.azure
index 7cfaeaa653..488f04994e 100644
--- a/examples/terraform.tfvars.azure
+++ b/examples/terraform.tfvars.azure
@@ -155,6 +155,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.
diff --git a/examples/terraform.tfvars.gcp b/examples/terraform.tfvars.gcp
index 74b44eaf58..9db52c0c6a 100644
--- a/examples/terraform.tfvars.gcp
+++ b/examples/terraform.tfvars.gcp
@@ -46,6 +46,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.
diff --git a/examples/terraform.tfvars.metal b/examples/terraform.tfvars.metal
index 9ab604ccfe..044fa33dbc 100644
--- a/examples/terraform.tfvars.metal
+++ b/examples/terraform.tfvars.metal
@@ -46,6 +46,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.
diff --git a/examples/terraform.tfvars.openstack-neutron b/examples/terraform.tfvars.openstack-neutron
index d67e73a936..ab50e8efe5 100644
--- a/examples/terraform.tfvars.openstack-neutron
+++ b/examples/terraform.tfvars.openstack-neutron
@@ -46,6 +46,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.
diff --git a/examples/terraform.tfvars.vmware b/examples/terraform.tfvars.vmware
index e5c2a4f183..78b18b0052 100644
--- a/examples/terraform.tfvars.vmware
+++ b/examples/terraform.tfvars.vmware
@@ -46,6 +46,9 @@ tectonic_cluster_name = ""
 // Examples: `latest`, `1465.6.0`
 tectonic_container_linux_version = "latest"
+// (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
+// tectonic_custom_ca_pem_list = ""
+
 // (optional) This only applies if you use the modules/dns/ddns module.
 //
 // Specifies the RFC2136 Dynamic DNS server key algorithm.