Fix race condition in DigitalOcean cluster create

* DigitalOcean clusters must secure copy a kubeconfig to worker nodes, but Terraform could decide to try copying before firewall rules have been added to allow SSH access. * Add an explicit dependency on adding firewall rules first
poseidon · May 17, 2019 · 875b9b2 · 875b9b2
1 parent f62286b
commit 875b9b2
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -12,6 +12,11 @@ Notable changes between versions.
 
 * Only set internal VXLAN rules when `networking` is flannel (default: calico)
 
+#### DigitalOcean
+
+* Add explicit ordering between firewall rule creation and secure copying Kubelet credentials ([#469](https://github.com/poseidon/typhoon/pull/469))
+  * Fix race condition scenario where secure copy attempts to nodes took place before rule creation, blocking cluster creation
+
 #### Addons
 
 * Update Prometheus from v2.8.1 to v2.9.2

diff --git a/digital-ocean/container-linux/kubernetes/ssh.tf b/digital-ocean/container-linux/kubernetes/ssh.tf
@@ -1,6 +1,9 @@
 # Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
 resource "null_resource" "copy-controller-secrets" {
   count = "${var.controller_count}"
+  depends_on = [
+    "digitalocean_firewall.rules",
+  ]
 
   connection {
     type    = "ssh"

diff --git a/digital-ocean/fedora-atomic/kubernetes/ssh.tf b/digital-ocean/fedora-atomic/kubernetes/ssh.tf
@@ -1,6 +1,9 @@
 # Secure copy etcd TLS assets and kubeconfig to controllers. Activates kubelet.service
 resource "null_resource" "copy-controller-secrets" {
   count = "${var.controller_count}"
+  depends_on = [
+    "digitalocean_firewall.rules",
+  ]
 
   connection {
     type    = "ssh"