Install assets only via Ignition #3183
Can one of the admins verify this patch?
@abhinavdahiya You are right that the .zip file has a different ACL. I'll change that. The downloaded secret files are never deleted from the master - perhaps they should be, but that's not anything different in this PR. All "rm-assets.sh" does (and did) is overwrite the uploaded S3 files with empty files.
8064d4c to 0b34564
@abhinavdahiya Changed the ignition flow to redirect to a s3:// url. Ignition can fetch private s3:// urls.
ok to test
| REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed '"'"'s/[a-zA-Z]$//'"'"') | ||
| /usr/bin/aws --region="$REGION" s3 cp /tmp/assets.zip s3://"$LOCATION/assets.zip" | ||
| /usr/bin/aws --region="$REGION" s3 cp /tmp/assets.zip s3://"$LOCATION/config/master" | ||
| /usr/bin/aws --region="$REGION" s3 cp /tmp/empty s3://"$LOCATION/config/bootstrap" |
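Review bot: none of the three `aws s3 cp` invocations passes an explicit `--acl`, so each object's visibility is whatever the bucket default grants; the thread relies on `config/bootstrap` being private (and the earlier reply says `assets.zip` has a different ACL), so passing `--acl private` on those copies would make the intent explicit and survive a change to the bucket default. The `wget` against 169.254.169.254 also runs without `--tries`/`--timeout`, so a slow metadata service stalls the whole script instead of failing fast.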
Do we have 'config/bootstrap' ?
Yeah, it's the third step in the redirect chain, and it has a private acl.
Should also include a set -u here, so if $LOCATION is omitted bash will complain, and we don't just get a cryptic S3 API error back.
| # folder, we write it in the Terraform managed hidden folder `.terraform`. | ||
| output_path = "./.terraform/generated_${sha1("${var.tectonic_cluster_id}")}.zip" | ||
| # The public ignition configuration | ||
| data "ignition_config" "bootstrap_redirect" { |
I’ve been scratching my head to figure out how to make the http s3 endpoint more secure, this is just very nice and super simple, thanks!
The tests have failed because it's looking for files in
I'm stuck now. All of the tests expect to be able to compare
The test failing is checking that some expected files are written to local disk, as this was part of the bootstrap workflow runtime https://github.com/coreos/tectonic-installer/blob/master/tests/rspec/lib/shared_examples/k8s.rb#L65
The easiest answer is probably to enable a test mode that renders some files to disk.
all green!
colhom left a comment
Great stuff, this really cleans up the provisioning process.
In general, also wondering why the directory structure needed to shuffle around (perhaps I'm missing something). Would be nice if the generated/ folder had the same structure as before, if you think it's possible.
modules/bootkube/outputs.tf (outdated)
| output "ignition_file_id_list" { | ||
| value = [ | ||
| "${data.ignition_file.manifest_file_list.*.id}", |
This splat evaluates to a list, which means the ignition_file_id_list will be a list which contains a list element (which I'm assuming is not intended). A pretty robust way to deal with this is to ensure the output is always a flat list of ids:
value = [ "${flatten(list(data.foo.bar.*.id, data.blah.thing.id, data.blah.otherthing.id))}" ]
modules/ignition/outputs.tf (outdated)
| "${data.ignition_file.root_ca_cert_pem.id}", | ||
| "${data.ignition_file.ingress_ca_cert_pem.id}", | ||
| "${data.ignition_file.etcd_ca_cert_pem.id}", | ||
| "${data.ignition_file.custom_ca_cert_pem.*.id}", |
Same thing here, when mixing splat id lists and singleton ids into a single list, use flatten(list(...)) so you get a flat list consistently
modules/tectonic/output.tf (outdated)
| output "ignition_file_id_list" { | ||
| value = [ | ||
| "${data.ignition_file.tectonic_manifest_list.*.id}", |
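Review bot: same nested-list problem as in modules/bootkube/outputs.tf: `data.ignition_file.tectonic_manifest_list.*.id` evaluates to a list, so `ignition_file_id_list` becomes a list that contains a list; wrap the elements in `flatten(list(...))` so every consumer of this output gets a flat list of ids.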
| path = "/opt/tectonic/tls/root-ca.crt" | ||
| content { | ||
| content = "${var.root_ca_cert_pem == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : var.root_ca_cert_pem}" |
Ternary expressions conditionally consuming lists can make terraform behave "oddly". Would recommend doing something more generic like:
${join("\n",compact(flatten(list(tls_self_signed_cert.root_ca.*.cert_pem, var.root_ca_cert_pem))))}
Also- I'd think you'd want to join the certificate pem blocks using a newline, instead of empty string?
I just copied this from the line above; while you're probably right, I'd rather not change what "works". I'm not sure that custom certificates work right now anyways.
a good rule of thumb w/ terraform is to only use ternary expressions when all inputs and outputs are primitives. we learned this the hard way in earlier versions of terraform, for all I know this could be perfectly fine with more current versions.
modules/tls/ca/self-signed/assets.tf (outdated)
| data "ignition_file" "aggregator_ca_key" { | ||
| filesystem = "root" | ||
| mode = "0644" |
This (and all other private keys) needs to be mode 0600
steps/assets/ignition-bootstrap.tf (outdated)
| } | ||
| data "ignition_config" "bootstrap" { | ||
| files = ["${compact(list( |
This will also be a nested list situation, recommend flattening the whole list. (nice use of compact here).
steps/assets/ignition-bootstrap.tf (outdated)
| "${module.etcd_certs.ignition_file_id_list}", | ||
| ] | ||
| systemd = ["${compact(list( |
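Review bot: `systemd = ["${compact(list(` has the same shape as the `files` list just above it, whose elements are module-level lists such as `module.etcd_certs.ignition_file_id_list`; if any systemd element is likewise a list, `compact(list(...))` alone leaves it nested, so apply `flatten` here as well.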
steps/assets/local-files.tf (outdated)
| # some files we want rendered to disk for other use | ||
| resource "local_file" "kubeconfig-kubelet" { | ||
| content = "${module.bootkube.kubeconfig-kubelet_rendered}" | ||
| filename = "./generated/auth/kubeconfig-kubelet" |
It would be nice if these generated file paths were canonically defined in a locals block.
| output_path = "./.terraform/generated_${sha1("${var.tectonic_cluster_id}")}.zip" | ||
| # The public ignition configuration | ||
| data "ignition_config" "bootstrap_redirect" { | ||
| replace { |
What is the reason this is a replace and not an append block?
Basically to keep people honest :-).
In other words, I don't want there to be any chance that there's insecure ignition information out there.
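As an added example (not code from this PR or from tectonic-installer), here is a minimal Terraform 0.11 layout that puts the review points from this thread together: the private key with mode 0600 (written as decimal 384, and 0644 as 420, because the ignition provider stores the mode as an integer), `flatten(list(...))` so `files` stays a flat list when a splat list and single ids are mixed, and a public `ignition_config` whose only content is a `replace` pointing at the private `s3://` object. `var.assets_bucket`, `var.cluster_id`, `var.ami`, `var.instance_type`, the `tls_private_key`/`tls_self_signed_cert` resources and the `manifest_file_list` data source are assumed; the redirect chain is collapsed to two steps rather than the three the thread describes, and the single ids are wrapped in their own `list()` so that every argument to the outer `list()` is itself a list.

```hcl
# Added example, not the PR's own code. Assumed names: var.assets_bucket,
# var.cluster_id, var.ami, var.instance_type, tls_private_key.aggregator_ca,
# tls_self_signed_cert.aggregator_ca and data.ignition_file.manifest_file_list.

locals {
  # One canonical place for the object key (the thread asked for paths in locals).
  bootstrap_key = "${var.cluster_id}/config/bootstrap"
}

# Private key: 0600 so only root on the node can read it (0600 -> 384 decimal).
data "ignition_file" "aggregator_ca_key" {
  filesystem = "root"
  path       = "/opt/tectonic/tls/aggregator-ca.key"
  mode       = 384

  content {
    content = "${tls_private_key.aggregator_ca.private_key_pem}"
  }
}

# Certificate: world-readable is fine (0644 -> 420 decimal).
data "ignition_file" "aggregator_ca_cert" {
  filesystem = "root"
  path       = "/opt/tectonic/tls/aggregator-ca.crt"
  mode       = 420

  content {
    content = "${tls_self_signed_cert.aggregator_ca.cert_pem}"
  }
}

# Secret-bearing config. The splat list and the single ids are each passed to
# list() as lists, so flatten() always yields one flat list of ids, and
# compact() drops the empty strings that optional files leave behind.
data "ignition_config" "bootstrap" {
  files = ["${compact(flatten(list(
    data.ignition_file.manifest_file_list.*.id,
    list(data.ignition_file.aggregator_ca_key.id, data.ignition_file.aggregator_ca_cert.id)
  )))}"]
}

# Upload the rendered config as a private object; it is not reachable through
# the bucket's public HTTP endpoint.
resource "aws_s3_bucket_object" "bootstrap" {
  bucket  = "${var.assets_bucket}"
  key     = "${local.bootstrap_key}"
  content = "${data.ignition_config.bootstrap.rendered}"
  acl     = "private"
}

# The stub handed to the instance as user data: no secrets, only a replace that
# sends Ignition to the private s3:// object. replace (not append) means nothing
# in this public stub survives into the final config.
data "ignition_config" "bootstrap_redirect" {
  replace {
    source = "s3://${var.assets_bucket}/${local.bootstrap_key}"
  }
}

# Consumer (assumed instance resource): only the stub goes into user_data.
resource "aws_instance" "bootstrap" {
  ami           = "${var.ami}"
  instance_type = "${var.instance_type}"
  user_data     = "${data.ignition_config.bootstrap_redirect.rendered}"
}
```

Because the user-data stub carries no secrets, nothing sensitive is readable from instance metadata or from the public HTTP S3 endpoint. Ignition fetches the `s3://` object with the instance's IAM role credentials, so that role needs `s3:GetObject` on the bootstrap key, and the object's `private` ACL means any other principal gets an access-denied rather than the rendered config.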
This PR does the following:
- No longer zips up /generated and uploads it to S3
- Installs all needed files via Ignition
- Stops writing some files to /generated
- Cleans up the ignition API
@colhom thanks a ton for the terraform tips! I reverted the directory structure change, there was no real reason for it.
🎉
The last consumer was removed in b2e0bcf (Don't upload /generated to S3 - only use Ignition, 2018-04-13, coreos/tectonic-installer#3183).
This variable was added in a2232f3 (platform/aws: create bootstrap step, 2018-02-14, coreos/tectonic-installer#2946), to force VPC creation after the S3 bucket. But that dependency was removed in b2e0bcf (Don't upload /generated to S3 - only use Ignition, 2018-04-13, coreos/tectonic-installer#3183), so we no longer need the variable.