mirror of
https://github.com/outbackdingo/terraform-render-bootstrap.git
synced 2026-01-28 10:20:39 +00:00
Compare commits
15 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
581f24d11a | ||
|
|
15b380a471 | ||
|
|
33e00a6dc5 | ||
|
|
109ddd2dc1 | ||
|
|
b408d80c59 | ||
|
|
61fb176647 | ||
|
|
5f3546b66f | ||
|
|
e01ff60e42 | ||
|
|
88b361207d | ||
|
|
747603e90d | ||
|
|
366f751283 | ||
|
|
457b596fa0 | ||
|
|
36bf88af70 | ||
|
|
c5fc93d95f | ||
|
|
c92f3589db |
@@ -34,7 +34,7 @@ Find bootkube assets rendered to the `asset_dir` path. That's it.
|
||||
|
||||
### Comparison
|
||||
|
||||
Render bootkube assets directly with bootkube v0.11.0.
|
||||
Render bootkube assets directly with bootkube v0.12.0.
|
||||
|
||||
```sh
|
||||
bootkube render --asset-dir=assets --api-servers=https://node1.example.com:443 --api-server-alt-names=DNS=node1.example.com --etcd-servers=https://node1.example.com:2379
|
||||
|
||||
@@ -10,6 +10,8 @@ resource "template_dir" "bootstrap-manifests" {
|
||||
cloud_provider = "${var.cloud_provider}"
|
||||
pod_cidr = "${var.pod_cidr}"
|
||||
service_cidr = "${var.service_cidr}"
|
||||
|
||||
trusted_certs_dir = "${var.trusted_certs_dir}"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -32,6 +34,7 @@ resource "template_dir" "manifests" {
|
||||
service_cidr = "${var.service_cidr}"
|
||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||
kube_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
||||
trusted_certs_dir = "${var.trusted_certs_dir}"
|
||||
|
||||
ca_cert = "${base64encode(var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate)}"
|
||||
server = "${format("https://%s:443", element(var.api_servers, 0))}"
|
||||
|
||||
@@ -15,7 +15,7 @@ output "kubeconfig" {
|
||||
}
|
||||
|
||||
output "user-kubeconfig" {
|
||||
value = "${local_file.user-kubeconfig.filename}"
|
||||
value = "${data.template_file.user-kubeconfig.rendered}"
|
||||
}
|
||||
|
||||
# etcd TLS assets
|
||||
|
||||
@@ -10,17 +10,16 @@ spec:
|
||||
command:
|
||||
- /hyperkube
|
||||
- apiserver
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ValidatingAdmissionWebhook,ResourceQuota,DefaultTolerationSeconds,MutatingAdmissionWebhook
|
||||
- --advertise-address=$(POD_IP)
|
||||
- --allow-privileged=true
|
||||
- --authorization-mode=RBAC
|
||||
- --bind-address=0.0.0.0
|
||||
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
|
||||
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
|
||||
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
|
||||
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
|
||||
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
|
||||
- --etcd-servers=${etcd_servers}
|
||||
- --insecure-port=0
|
||||
- --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
|
||||
- --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
|
||||
- --secure-port=443
|
||||
@@ -28,7 +27,6 @@ spec:
|
||||
- --service-cluster-ip-range=${service_cidr}
|
||||
- --cloud-provider=${cloud_provider}
|
||||
- --storage-backend=etcd3
|
||||
- --tls-ca-file=/etc/kubernetes/secrets/ca.crt
|
||||
- --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
|
||||
- --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
|
||||
env:
|
||||
@@ -53,7 +51,7 @@ spec:
|
||||
path: /etc/kubernetes/bootstrap-secrets
|
||||
- name: ssl-certs-host
|
||||
hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
path: ${trusted_certs_dir}
|
||||
- name: var-lock
|
||||
hostPath:
|
||||
path: /var/lock
|
||||
|
||||
@@ -33,4 +33,4 @@ spec:
|
||||
path: /etc/kubernetes
|
||||
- name: ssl-host
|
||||
hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
path: ${trusted_certs_dir}
|
||||
|
||||
@@ -4,6 +4,7 @@ metadata:
|
||||
name: calico-config
|
||||
namespace: kube-system
|
||||
data:
|
||||
# Disable Typha for now.
|
||||
typha_service_name: "none"
|
||||
# The CNI network configuration to install on each node.
|
||||
cni_network_config: |-
|
||||
|
||||
@@ -102,6 +102,9 @@ spec:
|
||||
- mountPath: /var/run/calico
|
||||
name: var-run-calico
|
||||
readOnly: false
|
||||
- mountPath: /var/lib/calico
|
||||
name: var-lib-calico
|
||||
readOnly: false
|
||||
# Install Calico CNI binaries and CNI network config file on nodes
|
||||
- name: install-cni
|
||||
image: ${calico_cni_image}
|
||||
@@ -137,6 +140,9 @@ spec:
|
||||
- name: var-run-calico
|
||||
hostPath:
|
||||
path: /var/run/calico
|
||||
- name: var-lib-calico
|
||||
hostPath:
|
||||
path: /var/lib/calico
|
||||
# Used by install-cni
|
||||
- name: cni-bin-dir
|
||||
hostPath:
|
||||
|
||||
@@ -25,7 +25,6 @@ spec:
|
||||
command:
|
||||
- /hyperkube
|
||||
- apiserver
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ValidatingAdmissionWebhook,ResourceQuota,DefaultTolerationSeconds,MutatingAdmissionWebhook
|
||||
- --advertise-address=$(POD_IP)
|
||||
- --allow-privileged=true
|
||||
- --anonymous-auth=false
|
||||
@@ -33,18 +32,17 @@ spec:
|
||||
- --bind-address=0.0.0.0
|
||||
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
|
||||
- --cloud-provider=${cloud_provider}
|
||||
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
|
||||
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
|
||||
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
|
||||
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
|
||||
- --etcd-servers=${etcd_servers}
|
||||
- --insecure-port=0
|
||||
- --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
|
||||
- --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
|
||||
- --secure-port=443
|
||||
- --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
|
||||
- --service-cluster-ip-range=${service_cidr}
|
||||
- --storage-backend=etcd3
|
||||
- --tls-ca-file=/etc/kubernetes/secrets/ca.crt
|
||||
- --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
|
||||
- --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
|
||||
env:
|
||||
@@ -72,7 +70,7 @@ spec:
|
||||
volumes:
|
||||
- name: ssl-certs-host
|
||||
hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
path: ${trusted_certs_dir}
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: kube-apiserver
|
||||
|
||||
@@ -47,6 +47,7 @@ spec:
|
||||
- --service-cluster-ip-range=${service_cidr}
|
||||
- --configure-cloud-routes=false
|
||||
- --leader-elect=true
|
||||
- --flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
||||
- --root-ca-file=/etc/kubernetes/secrets/ca.crt
|
||||
- --service-account-private-key-file=/etc/kubernetes/secrets/service-account.key
|
||||
livenessProbe:
|
||||
@@ -59,6 +60,9 @@ spec:
|
||||
- name: secrets
|
||||
mountPath: /etc/kubernetes/secrets
|
||||
readOnly: true
|
||||
- name: volumeplugins
|
||||
mountPath: /var/lib/kubelet/volumeplugins
|
||||
readOnly: true
|
||||
- name: ssl-host
|
||||
mountPath: /etc/ssl/certs
|
||||
readOnly: true
|
||||
@@ -78,5 +82,8 @@ spec:
|
||||
secretName: kube-controller-manager
|
||||
- name: ssl-host
|
||||
hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
path: ${trusted_certs_dir}
|
||||
- name: volumeplugins
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/volumeplugins
|
||||
dnsPolicy: Default # Don't use cluster DNS.
|
||||
|
||||
@@ -57,7 +57,7 @@ spec:
|
||||
path: /lib/modules
|
||||
- name: ssl-certs-host
|
||||
hostPath:
|
||||
path: /usr/share/ca-certificates
|
||||
path: ${trusted_certs_dir}
|
||||
- name: kubeconfig
|
||||
configMap:
|
||||
name: kubeconfig-in-cluster
|
||||
|
||||
20
variables.tf
20
variables.tf
@@ -63,18 +63,24 @@ variable "container_images" {
|
||||
type = "map"
|
||||
|
||||
default = {
|
||||
calico = "quay.io/calico/node:v3.0.2"
|
||||
calico_cni = "quay.io/calico/cni:v2.0.0"
|
||||
calico = "quay.io/calico/node:v3.0.4"
|
||||
calico_cni = "quay.io/calico/cni:v2.0.1"
|
||||
flannel = "quay.io/coreos/flannel:v0.10.0-amd64"
|
||||
flannel_cni = "quay.io/coreos/flannel-cni:v0.3.0"
|
||||
hyperkube = "gcr.io/google_containers/hyperkube:v1.9.3"
|
||||
kubedns = "gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.8"
|
||||
kubedns_dnsmasq = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.8"
|
||||
kubedns_sidecar = "gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.8"
|
||||
pod_checkpointer = "quay.io/coreos/pod-checkpointer:3cd08279c564e95c8b42a0b97c073522d4a6b965"
|
||||
hyperkube = "k8s.gcr.io/hyperkube:v1.10.0"
|
||||
kubedns = "k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.9"
|
||||
kubedns_dnsmasq = "k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.9"
|
||||
kubedns_sidecar = "k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.9"
|
||||
pod_checkpointer = "quay.io/coreos/pod-checkpointer:9dc83e1ab3bc36ca25c9f7c18ddef1b91d4a0558"
|
||||
}
|
||||
}
|
||||
|
||||
variable "trusted_certs_dir" {
|
||||
description = "Path to the directory on cluster nodes where trust TLS certs are kept"
|
||||
type = "string"
|
||||
default = "/usr/share/ca-certificates"
|
||||
}
|
||||
|
||||
variable "ca_certificate" {
|
||||
description = "Existing PEM-encoded CA certificate (generated if blank)"
|
||||
type = "string"
|
||||
|
||||
Reference in New Issue
Block a user