Install assets only via Ignition

installer/pkg/workflow/install.go

@@ -9,8 +9,8 @@ func NewInstallFullWorkflow(clusterDir string) Workflow {
 		metadata: metadata{clusterDir: clusterDir},
 		steps: []Step{
 			readClusterConfigStep,
+			generateClusterConfigMaps,
 			installAssetsStep,
-			generateKubeConfigStep,
 			generateIgnConfigStep,
 			installTopologyStep,
 			installTNCCNAMEStep,
@@ -30,8 +30,8 @@ func NewInstallAssetsWorkflow(clusterDir string) Workflow {
 		metadata: metadata{clusterDir: clusterDir},
 		steps: []Step{
 			readClusterConfigStep,
+			generateClusterConfigMaps,
 			installAssetsStep,
-			generateKubeConfigStep,
 			generateIgnConfigStep,
 		},
 	}

installer/pkg/workflow/utils.go

@@ -75,7 +75,7 @@ func findStepTemplates(stepName, platform string) (string, error) {
 	return "", os.ErrNotExist
 }
 
-func generateKubeConfigStep(m *metadata) error {
+func generateClusterConfigMaps(m *metadata) error {
 	clusterGeneratedPath := filepath.Join(m.clusterDir, generatedPath)
 	if err := os.MkdirAll(clusterGeneratedPath, os.ModeDir|0755); err != nil {
 		return fmt.Errorf("Failed to create cluster generated directory at %s", clusterGeneratedPath)

modules/bootkube/assets.tf

@@ -11,40 +11,7 @@ resource "random_string" "kubelet_bootstrap_token_secret" {
   upper   = false
 }
 
-# Self-hosted manifests (resources/generated/manifests/)
-resource "template_dir" "bootkube" {
-  source_dir      = "${path.module}/resources/manifests"
-  destination_dir = "./generated/manifests"
-
-  vars {
-    tectonic_network_operator_image = "${var.container_images["tectonic_network_operator"]}"
-    tnc_operator_image              = "${var.container_images["tnc_operator"]}"
-
-    cloud_provider_config = "${var.cloud_provider_config}"
-
-    root_ca_cert                   = "${base64encode(var.root_ca_cert_pem)}"
-    aggregator_ca_cert             = "${base64encode(var.aggregator_ca_cert_pem)}"
-    kube_ca_cert                   = "${base64encode(var.kube_ca_cert_pem)}"
-    kube_ca_key                    = "${base64encode(var.kube_ca_key_pem)}"
-    kubelet_bootstrap_token_id     = "${random_string.kubelet_bootstrap_token_id.result}"
-    kubelet_bootstrap_token_secret = "${random_string.kubelet_bootstrap_token_secret.result}"
-    apiserver_key                  = "${base64encode(var.apiserver_key_pem)}"
-    apiserver_cert                 = "${base64encode(var.apiserver_cert_pem)}"
-    apiserver_proxy_key            = "${base64encode(var.apiserver_proxy_key_pem)}"
-    apiserver_proxy_cert           = "${base64encode(var.apiserver_proxy_cert_pem)}"
-    oidc_ca_cert                   = "${base64encode(var.oidc_ca_cert)}"
-    pull_secret                    = "${base64encode(file(var.pull_secret_path))}"
-    serviceaccount_pub             = "${base64encode(tls_private_key.service_account.public_key_pem)}"
-    serviceaccount_key             = "${base64encode(tls_private_key.service_account.private_key_pem)}"
-    kube_dns_service_ip            = "${cidrhost(var.service_cidr, 10)}"
-
-    etcd_ca_cert     = "${base64encode(var.etcd_ca_cert_pem)}"
-    etcd_client_cert = "${base64encode(var.etcd_client_cert_pem)}"
-    etcd_client_key  = "${base64encode(var.etcd_client_key_pem)}"
-  }
-}
-
-# kubeconfig (resources/generated/auth/kubeconfig)
+# kubeconfig (/auth/kubeconfig)
 data "template_file" "kubeconfig" {
   template = "${file("${path.module}/resources/kubeconfig")}"
 
@@ -57,12 +24,17 @@ data "template_file" "kubeconfig" {
   }
 }
 
-resource "local_file" "kubeconfig" {
-  content  = "${data.template_file.kubeconfig.rendered}"
-  filename = "./generated/auth/kubeconfig"
+data "ignition_file" "kubeconfig" {
+  filesystem = "root"
+  path       = "/opt/tectonic/auth/kubeconfig"
+  mode       = "0600"
+
+  content {
+    content = "${data.template_file.kubeconfig.rendered}"
+  }
 }
 
-# kubeconfig-kubelet (resources/generated/auth/kubeconfig-kubelet)
+# kubeconfig-kubelet 
 data "template_file" "kubeconfig-kubelet" {
   template = "${file("${path.module}/resources/kubeconfig-kubelet")}"
 
@@ -75,12 +47,17 @@ data "template_file" "kubeconfig-kubelet" {
   }
 }
 
-resource "local_file" "kubeconfig-kubelet" {
-  content  = "${data.template_file.kubeconfig-kubelet.rendered}"
-  filename = "./generated/auth/kubeconfig-kubelet"
+data "ignition_file" "kubeconfig-kubelet" {
+  filesystem = "root"
+  path       = "/opt/tectonic/auth/kubeconfig-kubelet"
+  mode       = "0600"
+
+  content {
+    content = "${data.template_file.kubeconfig-kubelet.rendered}"
+  }
 }
 
-# bootkube.sh (resources/generated/bootkube.sh)
+# bootkube.sh 
 data "template_file" "bootkube_sh" {
   template = "${file("${path.module}/resources/bootkube.sh")}"
 
@@ -91,9 +68,14 @@ data "template_file" "bootkube_sh" {
   }
 }
 
-resource "local_file" "bootkube_sh" {
-  content  = "${data.template_file.bootkube_sh.rendered}"
-  filename = "./generated/bootkube.sh"
+data "ignition_file" "bootkube_sh" {
+  filesystem = "root"
+  path       = "/opt/tectonic/bootkube.sh"
+  mode       = "0755"
+
+  content {
+    content = "${data.template_file.bootkube_sh.rendered}"
+  }
 }
 
 # bootkube.service (available as output variable)

modules/bootkube/manifests.tf

@@ -0,0 +1,72 @@
+variable "manifest_names" {
+  default = [
+    "01-tectonic-namespace.yaml",
+    "02-ingress-namespace.yaml",
+    "app-version-kind.yaml",
+    "app-version-tectonic-network.yaml",
+    "app-version-tnc.yaml",
+    "kube-apiserver-secret.yaml",
+    "kube-cloud-config.yaml",
+    "kube-controller-manager-secret.yaml",
+    "kubelet-bootstrap-token.yaml",
+    "node-config-kind.yaml",
+    "pull.json",
+    "tectonic-network-operator.yaml",
+    "tectonic-node-controller-operator.yaml",
+  ]
+}
+
+# Self-hosted manifests (resources/generated/manifests/)
+data "template_file" "manifest_file_list" {
+  count    = "${length(var.manifest_names)}"
+  template = "${file("${path.module}/resources/manifests/${var.manifest_names[count.index]}")}"
+
+  vars {
+    tectonic_network_operator_image = "${var.container_images["tectonic_network_operator"]}"
+    tnc_operator_image              = "${var.container_images["tnc_operator"]}"
+
+    cloud_provider_config = "${var.cloud_provider_config}"
+
+    root_ca_cert                   = "${base64encode(var.root_ca_cert_pem)}"
+    aggregator_ca_cert             = "${base64encode(var.aggregator_ca_cert_pem)}"
+    kube_ca_cert                   = "${base64encode(var.kube_ca_cert_pem)}"
+    kube_ca_key                    = "${base64encode(var.kube_ca_key_pem)}"
+    kubelet_bootstrap_token_id     = "${random_string.kubelet_bootstrap_token_id.result}"
+    kubelet_bootstrap_token_secret = "${random_string.kubelet_bootstrap_token_secret.result}"
+    apiserver_key                  = "${base64encode(var.apiserver_key_pem)}"
+    apiserver_cert                 = "${base64encode(var.apiserver_cert_pem)}"
+    apiserver_proxy_key            = "${base64encode(var.apiserver_proxy_key_pem)}"
+    apiserver_proxy_cert           = "${base64encode(var.apiserver_proxy_cert_pem)}"
+    oidc_ca_cert                   = "${base64encode(var.oidc_ca_cert)}"
+    pull_secret                    = "${base64encode(file(var.pull_secret_path))}"
+    serviceaccount_pub             = "${base64encode(tls_private_key.service_account.public_key_pem)}"
+    serviceaccount_key             = "${base64encode(tls_private_key.service_account.private_key_pem)}"
+    kube_dns_service_ip            = "${cidrhost(var.service_cidr, 10)}"
+
+    etcd_ca_cert     = "${base64encode(var.etcd_ca_cert_pem)}"
+    etcd_client_cert = "${base64encode(var.etcd_client_cert_pem)}"
+    etcd_client_key  = "${base64encode(var.etcd_client_key_pem)}"
+  }
+}
+
+# Ignition entry for every bootkube manifest
+# Drops them in /opt/tectonic/manifests/<path>
+data "ignition_file" "manifest_file_list" {
+  count      = "${length(var.manifest_names)}"
+  filesystem = "root"
+  mode       = "0644"
+
+  path = "/opt/tectonic/manifests/${var.manifest_names[count.index]}"
+
+  content {
+    content = "${data.template_file.manifest_file_list.*.rendered[count.index]}"
+  }
+}
+
+# Log the generated manifest files to disk for debugging and user visibility
+# Dest: ./generated/manifests/<path>
+resource "local_file" "manifest_files" {
+  count    = "${length(var.manifest_names)}"
+  filename = "./generated/manifests/${var.manifest_names[count.index]}"
+  content  = "${data.template_file.manifest_file_list.*.rendered[count.index]}"
+}

modules/bootkube/outputs.tf

@@ -1,53 +1,36 @@
-# This output is meant to be used to inject a dependency on the generated
-# assets. As of Terraform v0.9, it is difficult to make a module depend on
-# another module (no depends_on, no triggers), or to make a data source
-# depend on a module (no depends_on, no triggers, generally no dummy variable).
-#
-# For instance, using the 'archive_file' data source against the generated
-# assets, which is a common use-case, is tricky. There is no mechanism for
-# defining explicit dependencies and the only available variables are for the
-# source, destination and archive type, leaving little opportunities for us to
-# inject a dependency. Thanks to the property described below, this output can
-# be used as part of the output filename, in order to enforce the creation of
-# the archive after the assets have been properly generated.
-#
-# Both localfile and template_dir providers compute their IDs by hashing
-# the content of the resources on disk. Because this output is computed from the
-# combination of all the resources' IDs, it can't be guessed and can only be
-# interpolated once the assets have all been created.
-output "id" {
-  value = "${sha1("
-  ${local_file.kubeconfig.id}
-  ${local_file.kubeconfig-kubelet.id}
-  ${local_file.bootkube_sh.id}
-  ${template_dir.bootkube.id}
-  ")}"
-}
-
-output "kubeconfig" {
-  value = "${data.template_file.kubeconfig.rendered}"
-}
-
 output "kubeconfig-kubelet" {
   value = "${data.template_file.kubeconfig-kubelet.rendered}"
 }
 
-output "systemd_service_rendered" {
-  value = "${data.template_file.bootkube_service.rendered}"
-}
-
 output "systemd_service_id" {
   value = "${data.ignition_systemd_unit.bootkube_service.id}"
 }
 
-output "systemd_path_unit_rendered" {
-  value = "${data.template_file.bootkube_path_unit.rendered}"
-}
-
 output "systemd_path_unit_id" {
   value = "${data.ignition_systemd_unit.bootkube_path_unit.id}"
 }
 
 output "kube_dns_service_ip" {
   value = "${cidrhost(var.service_cidr, 10)}"
 }
+
+output "kubeconfig_rendered" {
+  value = "${data.template_file.kubeconfig.rendered}"
+}
+
+output "kubeconfig-kubelet_rendered" {
+  value = "${data.template_file.kubeconfig-kubelet.rendered}"
+}
+
+output "ignition_file_id_list" {
+  value = ["${flatten(list(
+    list(
+      data.ignition_file.bootkube_sh.id,
+      data.ignition_file.kubeconfig.id,
+      data.ignition_file.kubeconfig-kubelet.id,
+      data.ignition_file.service_account_key.id,
+      data.ignition_file.service_account_crt.id,
+    ),
+    data.ignition_file.manifest_file_list.*.id,
+  ))}"]
+}

modules/bootkube/service-account.tf

@@ -9,7 +9,27 @@ resource "local_file" "service_account_key" {
   filename = "./generated/tls/service-account.key"
 }
 
+data "ignition_file" "service_account_key" {
+  filesystem = "root"
+  path       = "/opt/tectonic/tls/service-account.key"
+  mode       = "0644"
+
+  content {
+    content = "${tls_private_key.service_account.private_key_pem}"
+  }
+}
+
 resource "local_file" "service_account_crt" {
   content  = "${tls_private_key.service_account.public_key_pem}"
   filename = "./generated/tls/service-account.pub"
 }
+
+data "ignition_file" "service_account_crt" {
+  filesystem = "root"
+  path       = "/opt/tectonic/tls/service-account.pub"
+  mode       = "0644"
+
+  content {
+    content = "${tls_private_key.service_account.public_key_pem}"
+  }
+}