Update Kubernetes from v1.14.2 to v1.14.3

* https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md#v1143

README.md

@@ -12,7 +12,7 @@ Use the module to declare bootkube assets. Check [variables.tf](variables.tf) fo
 
 ```hcl
 module "bootkube" {
-  source = "git://https://github.com/poseidon/terraform-render-bootkube.git?ref=SHA"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=SHA"
 
   cluster_name = "example"
   api_servers = ["node1.example.com"]
@@ -25,7 +25,6 @@ Generate the assets.
 
 ```sh
 terraform init
-terraform get --update
 terraform plan
 terraform apply
 ```
@@ -34,15 +33,13 @@ Find bootkube assets rendered to the `asset_dir` path. That's it.
 
 ### Comparison
 
-Render bootkube assets directly with bootkube v0.9.0.
-
-#### On-host etcd (recommended)
+Render bootkube assets directly with bootkube v0.14.0.
 
 ```sh
-bootkube render --asset-dir=assets --api-servers=https://node1.example.com:443 --api-server-alt-names=DNS=node1.example.com --etcd-servers=https://node1.example.com:2379
+bootkube render --asset-dir=assets --api-servers=https://node1.example.com:6443 --api-server-alt-names=DNS=node1.example.com --etcd-servers=https://node1.example.com:2379
 ```
 
-Compare assets. The only diffs you should see are TLS credentials.
+Compare assets. Rendered assets may differ slightly from bootkube assets to reflect decisions made by the [Typhoon](https://github.com/poseidon/typhoon) distribution.
 
 ```sh
 pushd /home/core/mycluster
@@ -50,21 +47,3 @@ mv manifests-networking/* manifests
 popd
 diff -rw assets /home/core/mycluster
 ```
-
-#### Self-hosted etcd (deprecated)
-
-```sh
-bootkube render --asset-dir=assets --api-servers=https://node1.example.com:443 --api-server-alt-names=DNS=node1.example.com --experimental-self-hosted-etcd
-```
-
-Compare assets. Note that experimental must be generated to a separate directory for terraform applies to sync. Move the experimental `bootstrap-manifests` and `manifests` files during deployment.
-
-```sh
-pushd /home/core/mycluster
-mv experimental/bootstrap-manifests/* boostrap-manifests
-mv experimental/manifests/* manifests
-mv manifests-networking/* manifests
-popd
-diff -rw assets /home/core/mycluster
-```
-

assets.tf

@@ -5,11 +5,14 @@ resource "template_dir" "bootstrap-manifests" {
 
   vars {
     hyperkube_image = "${var.container_images["hyperkube"]}"
-    etcd_servers    = "${var.experimental_self_hosted_etcd ? format("https://%s:2379,https://127.0.0.1:12379", cidrhost(var.service_cidr, 15)) : join(",", formatlist("https://%s:2379", var.etcd_servers))}"
+    etcd_servers    = "${join(",", formatlist("https://%s:2379", var.etcd_servers))}"
 
     cloud_provider = "${var.cloud_provider}"
     pod_cidr       = "${var.pod_cidr}"
     service_cidr   = "${var.service_cidr}"
+
+    trusted_certs_dir = "${var.trusted_certs_dir}"
+    apiserver_port    = "${var.apiserver_port}"
   }
 }
 
@@ -21,19 +24,22 @@ resource "template_dir" "manifests" {
   vars {
     hyperkube_image        = "${var.container_images["hyperkube"]}"
     pod_checkpointer_image = "${var.container_images["pod_checkpointer"]}"
-    kubedns_image          = "${var.container_images["kubedns"]}"
-    kubedns_dnsmasq_image  = "${var.container_images["kubedns_dnsmasq"]}"
-    kubedns_sidecar_image  = "${var.container_images["kubedns_sidecar"]}"
+    coredns_image          = "${var.container_images["coredns"]}"
 
-    etcd_servers = "${var.experimental_self_hosted_etcd ? format("https://%s:2379", cidrhost(var.service_cidr, 15)) : join(",", formatlist("https://%s:2379", var.etcd_servers))}"
+    etcd_servers           = "${join(",", formatlist("https://%s:2379", var.etcd_servers))}"
+    control_plane_replicas = "${max(2, length(var.etcd_servers))}"
 
-    cloud_provider      = "${var.cloud_provider}"
-    pod_cidr            = "${var.pod_cidr}"
-    service_cidr        = "${var.service_cidr}"
-    kube_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
+    cloud_provider         = "${var.cloud_provider}"
+    pod_cidr               = "${var.pod_cidr}"
+    service_cidr           = "${var.service_cidr}"
+    cluster_domain_suffix  = "${var.cluster_domain_suffix}"
+    cluster_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
+    trusted_certs_dir      = "${var.trusted_certs_dir}"
+    apiserver_port         = "${var.apiserver_port}"
 
-    ca_cert            = "${base64encode(var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate)}"
-    server       = "${format("https://%s:443", element(var.api_servers, 0))}"
+    ca_cert            = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
+    ca_key             = "${base64encode(tls_private_key.kube-ca.private_key_pem)}"
+    server             = "${format("https://%s:%s", element(var.api_servers, 0), var.apiserver_port)}"
     apiserver_key      = "${base64encode(tls_private_key.apiserver.private_key_pem)}"
     apiserver_cert     = "${base64encode(tls_locally_signed_cert.apiserver.cert_pem)}"
     serviceaccount_pub = "${base64encode(tls_private_key.service-account.public_key_pem)}"
@@ -42,40 +48,63 @@ resource "template_dir" "manifests" {
     etcd_ca_cert     = "${base64encode(tls_self_signed_cert.etcd-ca.cert_pem)}"
     etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}"
     etcd_client_key  = "${base64encode(tls_private_key.client.private_key_pem)}"
+
+    aggregation_flags       = "${var.enable_aggregation == "true" ? indent(8, local.aggregation_flags) : ""}"
+    aggregation_ca_cert     = "${var.enable_aggregation == "true" ? base64encode(join(" ", tls_self_signed_cert.aggregation-ca.*.cert_pem)) : ""}"
+    aggregation_client_cert = "${var.enable_aggregation == "true" ? base64encode(join(" ", tls_locally_signed_cert.aggregation-client.*.cert_pem)) : ""}"
+    aggregation_client_key  = "${var.enable_aggregation == "true" ? base64encode(join(" ", tls_private_key.aggregation-client.*.private_key_pem)) : ""}"
   }
 }
 
-# Generated kubeconfig
-resource "local_file" "kubeconfig" {
-  content  = "${data.template_file.kubeconfig.rendered}"
+locals {
+  aggregation_flags = <<EOF
+
+- --proxy-client-cert-file=/etc/kubernetes/secrets/aggregation-client.crt
+- --proxy-client-key-file=/etc/kubernetes/secrets/aggregation-client.key
+- --requestheader-client-ca-file=/etc/kubernetes/secrets/aggregation-ca.crt
+- --requestheader-extra-headers-prefix=X-Remote-Extra-
+- --requestheader-group-headers=X-Remote-Group
+- --requestheader-username-headers=X-Remote-UserEOF
+}
+
+# Generated kubeconfig for Kubelets
+resource "local_file" "kubeconfig-kubelet" {
+  content  = "${data.template_file.kubeconfig-kubelet.rendered}"
+  filename = "${var.asset_dir}/auth/kubeconfig-kubelet"
+}
+
+# Generated admin kubeconfig (bootkube requires it be at auth/kubeconfig)
+# https://github.com/kubernetes-incubator/bootkube/blob/master/pkg/bootkube/bootkube.go#L42
+resource "local_file" "kubeconfig-admin" {
+  content  = "${data.template_file.kubeconfig-admin.rendered}"
   filename = "${var.asset_dir}/auth/kubeconfig"
 }
 
-# Generated kubeconfig with user-context
-resource "local_file" "user-kubeconfig" {
-  content  = "${data.template_file.user-kubeconfig.rendered}"
+# Generated admin kubeconfig in a file named after the cluster
+resource "local_file" "kubeconfig-admin-named" {
+  content  = "${data.template_file.kubeconfig-admin.rendered}"
   filename = "${var.asset_dir}/auth/${var.cluster_name}-config"
 }
 
-data "template_file" "kubeconfig" {
-  template = "${file("${path.module}/resources/kubeconfig")}"
+data "template_file" "kubeconfig-kubelet" {
+  template = "${file("${path.module}/resources/kubeconfig-kubelet")}"
 
   vars {
-    ca_cert      = "${base64encode(var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate)}"
+    ca_cert      = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
     kubelet_cert = "${base64encode(tls_locally_signed_cert.kubelet.cert_pem)}"
     kubelet_key  = "${base64encode(tls_private_key.kubelet.private_key_pem)}"
-    server       = "${format("https://%s:443", element(var.api_servers, 0))}"
+    server       = "${format("https://%s:%s", element(var.api_servers, 0), var.apiserver_port)}"
   }
 }
 
-data "template_file" "user-kubeconfig" {
-  template = "${file("${path.module}/resources/user-kubeconfig")}"
+data "template_file" "kubeconfig-admin" {
+  template = "${file("${path.module}/resources/kubeconfig-admin")}"
 
   vars {
     name         = "${var.cluster_name}"
-    ca_cert      = "${base64encode(var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate)}"
-    kubelet_cert = "${base64encode(tls_locally_signed_cert.kubelet.cert_pem)}"
-    kubelet_key  = "${base64encode(tls_private_key.kubelet.private_key_pem)}"
-    server       = "${format("https://%s:443", element(var.api_servers, 0))}"
+    ca_cert      = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
+    kubelet_cert = "${base64encode(tls_locally_signed_cert.admin.cert_pem)}"
+    kubelet_key  = "${base64encode(tls_private_key.admin.private_key_pem)}"
+    server       = "${format("https://%s:%s", element(var.api_servers, 0), var.apiserver_port)}"
   }
 }

conditional.tf

@@ -1,4 +1,4 @@
-# Assets generated only when experimental self-hosted etcd is enabled
+# Assets generated only when certain options are chosen
 
 resource "template_dir" "flannel-manifests" {
   count           = "${var.networking == "flannel" ? 1 : 0}"
@@ -22,53 +22,26 @@ resource "template_dir" "calico-manifests" {
     calico_image     = "${var.container_images["calico"]}"
     calico_cni_image = "${var.container_images["calico_cni"]}"
 
+    network_mtu                     = "${var.network_mtu}"
+    network_encapsulation           = "${indent(2, var.network_encapsulation == "vxlan" ? "vxlanMode: Always" : "ipipMode: Always")}"
+    ipip_enabled                   = "${var.network_encapsulation == "ipip" ? true : false}"
+    ipip_readiness                 = "${var.network_encapsulation == "ipip" ? indent(16, "- --bird-ready") : ""}"
+    vxlan_enabled                   = "${var.network_encapsulation == "vxlan" ? true : false}"
+    network_ip_autodetection_method = "${var.network_ip_autodetection_method}"
+    pod_cidr                        = "${var.pod_cidr}"
+    enable_reporting                = "${var.enable_reporting}"
+  }
+}
+
+resource "template_dir" "kube-router-manifests" {
+  count           = "${var.networking == "kube-router" ? 1 : 0}"
+  source_dir      = "${path.module}/resources/kube-router"
+  destination_dir = "${var.asset_dir}/manifests-networking"
+
+  vars {
+    kube_router_image = "${var.container_images["kube_router"]}"
+    flannel_cni_image = "${var.container_images["flannel_cni"]}"
+
     network_mtu = "${var.network_mtu}"
-    pod_cidr    = "${var.pod_cidr}"
-  }
-}
-
-# bootstrap-etcd.yaml pod bootstrap-manifest
-resource "template_dir" "experimental-bootstrap-manifests" {
-  count           = "${var.experimental_self_hosted_etcd ? 1 : 0}"
-  source_dir      = "${path.module}/resources/experimental/bootstrap-manifests"
-  destination_dir = "${var.asset_dir}/experimental/bootstrap-manifests"
-
-  vars {
-    etcd_image                = "${var.container_images["etcd"]}"
-    bootstrap_etcd_service_ip = "${cidrhost(var.service_cidr, 20)}"
-  }
-}
-
-# etcd subfolder - bootstrap-etcd-service.json and migrate-etcd-cluster.json TPR
-resource "template_dir" "etcd-subfolder" {
-  count           = "${var.experimental_self_hosted_etcd ? 1 : 0}"
-  source_dir      = "${path.module}/resources/etcd"
-  destination_dir = "${var.asset_dir}/etcd"
-
-  vars {
-    bootstrap_etcd_service_ip = "${cidrhost(var.service_cidr, 20)}"
-  }
-}
-
-# etcd-operator deployment and etcd-service manifests
-# etcd client, server, and peer tls secrets
-resource "template_dir" "experimental-manifests" {
-  count           = "${var.experimental_self_hosted_etcd ? 1 : 0}"
-  source_dir      = "${path.module}/resources/experimental/manifests"
-  destination_dir = "${var.asset_dir}/experimental/manifests"
-
-  vars {
-    etcd_operator_image     = "${var.container_images["etcd_operator"]}"
-    etcd_checkpointer_image = "${var.container_images["etcd_checkpointer"]}"
-    etcd_service_ip         = "${cidrhost(var.service_cidr, 15)}"
-
-    # Self-hosted etcd TLS certs / keys
-    etcd_ca_cert     = "${base64encode(tls_self_signed_cert.etcd-ca.cert_pem)}"
-    etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}"
-    etcd_client_key  = "${base64encode(tls_private_key.client.private_key_pem)}"
-    etcd_server_cert = "${base64encode(tls_locally_signed_cert.server.cert_pem)}"
-    etcd_server_key  = "${base64encode(tls_private_key.server.private_key_pem)}"
-    etcd_peer_cert   = "${base64encode(tls_locally_signed_cert.peer.cert_pem)}"
-    etcd_peer_key    = "${base64encode(tls_private_key.peer.private_key_pem)}"
   }
 }

outputs.tf

@@ -1,25 +1,23 @@
 output "id" {
-  value = "${sha1("${template_dir.bootstrap-manifests.id} ${local_file.kubeconfig.id}")}"
+  value = "${sha1("${template_dir.bootstrap-manifests.id} ${template_dir.manifests.id}")}"
 }
 
 output "content_hash" {
   value = "${sha1("${template_dir.bootstrap-manifests.id} ${template_dir.manifests.id}")}"
 }
 
-output "kube_dns_service_ip" {
+output "cluster_dns_service_ip" {
   value = "${cidrhost(var.service_cidr, 10)}"
 }
 
-output "etcd_service_ip" {
-  value = "${cidrhost(var.service_cidr, 15)}"
+// Generated kubeconfig for Kubelets (i.e. lower privilege than admin)
+output "kubeconfig-kubelet" {
+  value = "${data.template_file.kubeconfig-kubelet.rendered}"
 }
 
-output "kubeconfig" {
-  value = "${data.template_file.kubeconfig.rendered}"
-}
-
-output "user-kubeconfig" {
-  value = "${local_file.user-kubeconfig.filename}"
+// Generated kubeconfig for admins (i.e. human super-user)
+output "kubeconfig-admin" {
+  value = "${data.template_file.kubeconfig-admin.rendered}"
 }
 
 # etcd TLS assets
@@ -57,7 +55,7 @@ output "etcd_peer_key" {
 # contents so the raw components of the kubeconfig may be needed.
 
 output "ca_cert" {
-  value = "${base64encode(var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate)}"
+  value = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
 }
 
 output "kubelet_cert" {
@@ -69,5 +67,5 @@ output "kubelet_key" {
 }
 
 output "server" {
-  value = "${format("https://%s:443", element(var.api_servers, 0))}"
+  value = "${format("https://%s:%s", element(var.api_servers, 0), var.apiserver_port)}"
 }

resources/bootstrap-manifests/bootstrap-apiserver.yaml

@@ -3,33 +3,36 @@ kind: Pod
 metadata:
   name: bootstrap-kube-apiserver
   namespace: kube-system
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+  hostNetwork: true
   containers:
   - name: kube-apiserver
     image: ${hyperkube_image}
     command:
     - /hyperkube
     - apiserver
-    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
     - --advertise-address=$(POD_IP)
     - --allow-privileged=true
+    - --anonymous-auth=false
     - --authorization-mode=RBAC
     - --bind-address=0.0.0.0
     - --client-ca-file=/etc/kubernetes/secrets/ca.crt
+    - --cloud-provider=${cloud_provider}
+    - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority
     - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
     - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
     - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
-    - --etcd-quorum-read=true
     - --etcd-servers=${etcd_servers}
     - --insecure-port=0
     - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
     - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
-    - --secure-port=443
+    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+    - --secure-port=${apiserver_port}
     - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
     - --service-cluster-ip-range=${service_cidr}
-    - --cloud-provider=${cloud_provider}
     - --storage-backend=etcd3
-    - --tls-ca-file=/etc/kubernetes/secrets/ca.crt
     - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
     - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
     env:
@@ -38,23 +41,16 @@ spec:
         fieldRef:
           fieldPath: status.podIP
     volumeMounts:
-    - mountPath: /etc/ssl/certs
-      name: ssl-certs-host
+    - name: secrets
+      mountPath: /etc/kubernetes/secrets
       readOnly: true
-    - mountPath: /etc/kubernetes/secrets
-      name: secrets
+    - name: ssl-certs-host
+      mountPath: /etc/ssl/certs
       readOnly: true
-    - mountPath: /var/lock
-      name: var-lock
-      readOnly: false
-  hostNetwork: true
   volumes:
   - name: secrets
     hostPath:
       path: /etc/kubernetes/bootstrap-secrets
   - name: ssl-certs-host
     hostPath:
-      path: /usr/share/ca-certificates
-  - name: var-lock
-    hostPath:
-      path: /var/lock
+      path: ${trusted_certs_dir}

resources/bootstrap-manifests/bootstrap-controller-manager.yaml

@@ -3,6 +3,8 @@ kind: Pod
 metadata:
   name: bootstrap-kube-controller-manager
   namespace: kube-system
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
   containers:
   - name: kube-controller-manager
@@ -12,24 +14,27 @@ spec:
     - controller-manager
     - --allocate-node-cidrs=true
     - --cluster-cidr=${pod_cidr}
+    - --service-cluster-ip-range=${service_cidr}
     - --cloud-provider=${cloud_provider}
+    - --cluster-signing-cert-file=/etc/kubernetes/secrets/ca.crt
+    - --cluster-signing-key-file=/etc/kubernetes/secrets/ca.key
     - --configure-cloud-routes=false
-    - --kubeconfig=/etc/kubernetes/kubeconfig
+    - --kubeconfig=/etc/kubernetes/secrets/kubeconfig
     - --leader-elect=true
-    - --root-ca-file=/etc/kubernetes/bootstrap-secrets/ca.crt
-    - --service-account-private-key-file=/etc/kubernetes/bootstrap-secrets/service-account.key
+    - --root-ca-file=/etc/kubernetes/secrets/ca.crt
+    - --service-account-private-key-file=/etc/kubernetes/secrets/service-account.key
     volumeMounts:
-    - name: kubernetes
-      mountPath: /etc/kubernetes
+    - name: secrets
+      mountPath: /etc/kubernetes/secrets
       readOnly: true
     - name: ssl-host
       mountPath: /etc/ssl/certs
       readOnly: true
   hostNetwork: true
   volumes:
-  - name: kubernetes
+  - name: secrets
     hostPath:
-      path: /etc/kubernetes
+      path: /etc/kubernetes/bootstrap-secrets
   - name: ssl-host
     hostPath:
-      path: /usr/share/ca-certificates
+      path: ${trusted_certs_dir}

resources/bootstrap-manifests/bootstrap-scheduler.yaml

@@ -3,6 +3,8 @@ kind: Pod
 metadata:
   name: bootstrap-kube-scheduler
   namespace: kube-system
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
   containers:
   - name: kube-scheduler
@@ -10,14 +12,14 @@ spec:
     command:
     - ./hyperkube
     - scheduler
-    - --kubeconfig=/etc/kubernetes/kubeconfig
+    - --kubeconfig=/etc/kubernetes/secrets/kubeconfig
     - --leader-elect=true
     volumeMounts:
-    - name: kubernetes
-      mountPath: /etc/kubernetes
+    - name: secrets
+      mountPath: /etc/kubernetes/secrets
       readOnly: true
   hostNetwork: true
   volumes:
-  - name: kubernetes
+  - name: secrets
     hostPath:
-      path: /etc/kubernetes
+      path: /etc/kubernetes/bootstrap-secrets

resources/calico/bgpconfigurations-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: bgpconfigurations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: BGPConfiguration
+    plural: bgpconfigurations
+    singular: bgpconfiguration

resources/calico/bgppeers-crd.yaml

@@ -1,5 +1,4 @@
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico BGP Peers
 kind: CustomResourceDefinition
 metadata:
   name: bgppeers.crd.projectcalico.org

resources/calico/blockaffinities-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: blockaffinities.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: BlockAffinity
+    plural: blockaffinities
+    singular: blockaffinity

resources/calico/calico-cluster-role.yaml

@@ -1,53 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: calico-node
-  namespace: kube-system
-rules:
-  - apiGroups: [""]
-    resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: [""]
-    resources:
-      - pods/status
-    verbs:
-      - update
-  - apiGroups: [""]
-    resources:
-      - pods
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: [""]
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - update
-      - watch
-  - apiGroups: ["extensions"]
-    resources:
-      - networkpolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - globalfelixconfigs
-      - bgppeers
-      - globalbgpconfigs
-      - ippools
-      - globalnetworkpolicies
-    verbs:
-      - create
-      - get
-      - list
-      - update
-      - watch

resources/calico/calico-config.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: calico-config
-  namespace: kube-system
-data:
-  # The CNI network configuration to install on each node.
-  cni_network_config: |-
-    {
-        "name": "k8s-pod-network",
-        "cniVersion": "0.3.0",
-        "type": "calico",
-        "log_level": "info",
-        "datastore_type": "kubernetes",
-        "nodename": "__KUBERNETES_NODE_NAME__",
-        "mtu": ${network_mtu},
-        "ipam": {
-            "type": "host-local",
-            "subnet": "usePodCidr"
-        },
-        "policy": {
-            "type": "k8s",
-            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
-        },
-        "kubernetes": {
-            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
-            "kubeconfig": "__KUBECONFIG_FILEPATH__"
-        }
-    }

resources/calico/calico-gloabl-felix-configs.yaml

@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Global Felix Configuration
-kind: CustomResourceDefinition
-metadata:
-   name: globalfelixconfigs.crd.projectcalico.org
-spec:
-  scope: Cluster
-  group: crd.projectcalico.org
-  version: v1
-  names:
-    kind: GlobalFelixConfig
-    plural: globalfelixconfigs
-    singular: globalfelixconfig

resources/calico/calico-global-bgp-configs.yaml

@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Global BGP Configuration
-kind: CustomResourceDefinition
-metadata:
-  name: globalbgpconfigs.crd.projectcalico.org
-spec:
-  scope: Cluster
-  group: crd.projectcalico.org
-  version: v1
-  names:
-    kind: GlobalBGPConfig
-    plural: globalbgpconfigs
-    singular: globalbgpconfig

resources/calico/cluster-role.yaml

@@ -0,0 +1,108 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: calico-node
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+  - apiGroups: [""]
+    resources:
+      - endpoints
+      - services
+    verbs:
+      - watch
+      - list
+  # Used by Calico for policy information
+  - apiGroups: [""]
+    resources:
+      - pods
+      - namespaces
+      - serviceaccounts
+    verbs:
+      - list
+      - watch
+  - apiGroups: [""]
+    resources:
+      - nodes/status
+    verbs:
+      # Calico patches the node NetworkUnavilable status
+      - patch
+      # Calico updates some info in node annotations
+      - update
+  # CNI plugin patches pods/status
+  - apiGroups: [""]
+    resources:
+      - pods/status
+    verbs:
+      - patch
+  # Calico reads some info on nodes
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  # Calico monitors Kubernetes NetworkPolicies
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+  # Calico monitors its CRDs
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - globalfelixconfigs
+      - felixconfigurations
+      - bgppeers
+      - globalbgpconfigs
+      - bgpconfigurations
+      - ippools
+      - ipamblocks
+      - globalnetworkpolicies
+      - globalnetworksets
+      - networksets
+      - networkpolicies
+      - clusterinformations
+      - hostendpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - felixconfigurations
+      - ippools
+      - clusterinformations
+    verbs:
+      - create
+      - update
+  # Calico may perform IPAM allocations
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipamconfigs
+    verbs:
+      - get
+  # Watch block affinities for route aggregation
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+    verbs:
+      - watch

resources/calico/clusterinformations-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterinformations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: ClusterInformation
+    plural: clusterinformations
+    singular: clusterinformation

resources/calico/config.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: calico-config
+  namespace: kube-system
+data:
+  # Disable Typha for now.
+  typha_service_name: "none"
+  # Calico backend to use
+  calico_backend: "bird"
+  # Calico MTU
+  veth_mtu: "${network_mtu}"
+  # The CNI network configuration to install on each node.
+  cni_network_config: |-
+    {
+      "name": "k8s-pod-network",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "calico",
+          "log_level": "info",
+          "datastore_type": "kubernetes",
+          "nodename": "__KUBERNETES_NODE_NAME__",
+          "mtu": __CNI_MTU__,
+          "ipam": {
+            "type": "calico-ipam"
+          },
+          "policy": {
+            "type": "k8s"
+          },
+          "kubernetes": {
+            "kubeconfig": "__KUBECONFIG_FILEPATH__"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {"portMappings": true}
+        }
+      ]
+    }

resources/calico/daemonset.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: calico-node
@@ -9,17 +9,59 @@ spec:
   selector:
     matchLabels:
       k8s-app: calico-node
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
         k8s-app: calico-node
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       hostNetwork: true
+      priorityClassName: system-node-critical
       serviceAccountName: calico-node
       tolerations:
-        # Allow the pod to run on master nodes
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      initContainers:
+        # Install Calico CNI binaries and CNI network config file on nodes
+        - name: install-cni
+          image: ${calico_cni_image}
+          command: ["/install-cni.sh"]
+          env:
+            # Name of the CNI config file to create on each node.
+            - name: CNI_CONF_NAME
+              value: "10-calico.conflist"
+            # Set node name based on k8s nodeName
+            - name: KUBERNETES_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # Contents of the CNI config to create on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: cni_network_config
+            - name: CNI_NET_DIR
+              value: "/etc/kubernetes/cni/net.d"
+            - name: CNI_MTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            - name: SLEEP
+              value: "false"
+          volumeMounts:
+            - name: cni-bin-dir
+              mountPath: /host/opt/cni/bin
+            - name: cni-conf-dir
+              mountPath: /host/etc/cni/net.d
       containers:
         - name: calico-node
           image: ${calico_image}
@@ -27,12 +69,56 @@ spec:
             # Use Kubernetes API as the backing datastore.
             - name: DATASTORE_TYPE
               value: "kubernetes"
-            # Enable felix info logging.
-            - name: FELIX_LOGSEVERITYSCREEN
-              value: "info"
+            # Wait for datastore
+            - name: WAIT_FOR_DATASTORE
+              value: "true"
+            # Typha support: controlled by the ConfigMap.
+            - name: FELIX_TYPHAK8SSERVICENAME
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: typha_service_name
+            - name: FELIX_USAGEREPORTINGENABLED
+              value: "${enable_reporting}"
+            # Set node name based on k8s nodeName.
+            - name: NODENAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # Calico network backend
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
             # Cluster type to identify the deployment type
             - name: CLUSTER_TYPE
               value: "k8s,bgp"
+            # Auto-detect the BGP IP address.
+            - name: IP
+              value: "autodetect"
+            - name: IP_AUTODETECTION_METHOD
+              value: "${network_ip_autodetection_method}"
+            # Whether Felix should enable IP-in-IP tunnel
+            - name: FELIX_IPINIPENABLED
+              value: "${ipip_enabled}"
+            # MTU to set on the IPIP tunnel (if enabled)
+            - name: FELIX_IPINIPMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # Whether Felix should enable VXLAN tunnel
+            - name: FELIX_VXLANENABLED
+              value: "${vxlan_enabled}"
+            # MTU to set on the VXLAN tunnel (if enabled)
+            - name: FELIX_VXLANMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            - name: NO_DEFAULT_POOLS
+              value: "true"
             # Disable file logging so `kubectl logs` works.
             - name: CALICO_DISABLE_FILE_LOGGING
               value: "true"
@@ -42,93 +128,64 @@ spec:
             # Disable IPV6 on Kubernetes.
             - name: FELIX_IPV6SUPPORT
               value: "false"
-            # Set MTU for tunnel device used if ipip is enabled
-            - name: FELIX_IPINIPMTU
-              value: "${network_mtu}"
-            # Wait for the datastore.
-            - name: WAIT_FOR_DATASTORE
-              value: "true"
-            # The Calico IPv4 pool CIDR (should match `--cluster-cidr`).
-            - name: CALICO_IPV4POOL_CIDR
-              value: "${pod_cidr}"
-            # Enable IPIP
-            - name: CALICO_IPV4POOL_IPIP
-              value: "Always"
-            # Enable IP-in-IP within Felix.
-            - name: FELIX_IPINIPENABLED
-              value: "true"
-            # Set node name based on k8s nodeName.
-            - name: NODENAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            - name: IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
+            # Enable felix info logging.
+            - name: FELIX_LOGSEVERITYSCREEN
+              value: "info"
             - name: FELIX_HEALTHENABLED
               value: "true"
           securityContext:
             privileged: true
           resources:
             requests:
-              cpu: 250m
+              cpu: 150m
           livenessProbe:
             httpGet:
               path: /liveness
               port: 9099
+              host: localhost
             periodSeconds: 10
             initialDelaySeconds: 10
             failureThreshold: 6
           readinessProbe:
-            httpGet:
-              path: /readiness
-              port: 9099
+            exec:
+              command:
+                - /bin/calico-node
+                - -felix-ready
+                ${ipip_readiness}
             periodSeconds: 10
           volumeMounts:
-            - mountPath: /lib/modules
-              name: lib-modules
+            - name: lib-modules
+              mountPath: /lib/modules
               readOnly: true
-            - mountPath: /var/run/calico
-              name: var-run-calico
+            - name: var-lib-calico
+              mountPath: /var/lib/calico
+              readOnly: false
+            - name: var-run-calico
+              mountPath: /var/run/calico
+              readOnly: false
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
               readOnly: false
-        # Install Calico CNI binaries and CNI network config file on nodes
-        - name: install-cni
-          image: ${calico_cni_image}
-          command: ["/install-cni.sh"]
-          env:
-            - name: CNI_NETWORK_CONFIG
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: cni_network_config
-            - name: CNI_NET_DIR
-              value: "/etc/kubernetes/cni/net.d"
-            # Set node name based on k8s nodeName
-            - name: KUBERNETES_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          volumeMounts:
-            - mountPath: /host/opt/cni/bin
-              name: cni-bin-dir
-            - mountPath: /host/etc/cni/net.d
-              name: cni-net-dir
       terminationGracePeriodSeconds: 0
       volumes:
+        # Used by calico/node
         - name: lib-modules
           hostPath:
             path: /lib/modules
+        - name: var-lib-calico
+          hostPath:
+            path: /var/lib/calico
         - name: var-run-calico
           hostPath:
             path: /var/run/calico
+        - name: xtables-lock
+          hostPath:
+            type: FileOrCreate
+            path: /run/xtables.lock
+        # Used by install-cni
         - name: cni-bin-dir
           hostPath:
             path: /opt/cni/bin
-        - name: cni-net-dir
+        - name: cni-conf-dir
           hostPath:
             path: /etc/kubernetes/cni/net.d
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate

resources/calico/default-ipv4-ippool.yaml

@@ -0,0 +1,10 @@
+apiVersion: crd.projectcalico.org/v1
+kind: IPPool
+metadata:
+  name: default-ipv4-ippool
+spec:
+  blockSize: 24
+  cidr: ${pod_cidr}
+  ${network_encapsulation}
+  natOutgoing: true
+  nodeSelector: all()

resources/calico/felixconfigurations-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: felixconfigurations.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: FelixConfiguration
+    plural: felixconfigurations
+    singular: felixconfiguration

resources/calico/globalnetworkpolicies-crd.yaml

@@ -1,5 +1,4 @@
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico Global Network Policies
 kind: CustomResourceDefinition
 metadata:
   name: globalnetworkpolicies.crd.projectcalico.org

resources/calico/globalnetworksets-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: globalnetworksets.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: GlobalNetworkSet
+    plural: globalnetworksets
+    singular: globalnetworkset

resources/calico/hostendpoints-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: hostendpoints.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: HostEndpoint
+    plural: hostendpoints
+    singular: hostendpoint

resources/calico/ipamblocks.crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamblocks.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMBlock
+    plural: ipamblocks
+    singular: ipamblock

resources/calico/ipamconfigs-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamconfigs.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMConfig
+    plural: ipamconfigs
+    singular: ipamconfig

resources/calico/ipamhandles-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamhandles.crd.projectcalico.org
+spec:
+  scope: Cluster
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: IPAMHandle
+    plural: ipamhandles
+    singular: ipamhandle

resources/calico/ippools-crd.yaml

@@ -1,5 +1,4 @@
 apiVersion: apiextensions.k8s.io/v1beta1
-description: Calico IP Pools
 kind: CustomResourceDefinition
 metadata:
   name: ippools.crd.projectcalico.org

resources/calico/networkpolicies-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicies.crd.projectcalico.org
+spec:
+  scope: Namespaced
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: NetworkPolicy
+    plural: networkpolicies
+    singular: networkpolicy

resources/calico/networksets-crd.yaml

@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: networksets.crd.projectcalico.org
+spec:
+  scope: Namespaced
+  group: crd.projectcalico.org
+  version: v1
+  names:
+    kind: NetworkSet
+    plural: networksets
+    singular: networkset

resources/etcd/bootstrap-etcd-service.json

@@ -1,26 +0,0 @@
-{
-  "apiVersion": "v1",
-  "kind": "Service",
-  "metadata": {
-    "name": "bootstrap-etcd-service",
-    "namespace": "kube-system"
-  },
-  "spec": {
-    "selector": {
-      "k8s-app": "boot-etcd"
-    },
-    "clusterIP": "${bootstrap_etcd_service_ip}",
-    "ports": [
-      {
-        "name": "client",
-        "port": 12379,
-        "protocol": "TCP"
-      },
-      {
-        "name": "peers",
-        "port": 12380,
-        "protocol": "TCP"
-      }
-    ]
-  }
-}

resources/etcd/migrate-etcd-cluster.json

@@ -1,36 +0,0 @@
-{
-  "apiVersion": "etcd.database.coreos.com/v1beta2",
-  "kind": "EtcdCluster",
-  "metadata": {
-    "name": "kube-etcd",
-    "namespace": "kube-system"
-  },
-  "spec": {
-    "size": 1,
-    "version": "v3.1.8",
-    "pod": {
-      "nodeSelector": {
-        "node-role.kubernetes.io/master": ""
-      },
-      "tolerations": [
-        {
-          "key": "node-role.kubernetes.io/master",
-          "operator": "Exists",
-          "effect": "NoSchedule"
-        }
-      ]
-    },
-    "selfHosted": {
-      "bootMemberClientEndpoint": "https://${bootstrap_etcd_service_ip}:12379"
-    },
-    "TLS": {
-      "static": {
-        "member": {
-          "peerSecret": "etcd-peer-tls",
-          "serverSecret": "etcd-server-tls"
-        },
-        "operatorSecret": "etcd-client-tls"
-      }
-    }
-  }
-}

resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml

@@ -1,41 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: bootstrap-etcd
-  namespace: kube-system
-  labels:
-    k8s-app: boot-etcd
-spec:
-  containers:
-  - name: etcd
-    image: ${etcd_image}
-    command:
-    - /usr/local/bin/etcd
-    - --name=boot-etcd
-    - --listen-client-urls=https://0.0.0.0:12379
-    - --listen-peer-urls=https://0.0.0.0:12380
-    - --advertise-client-urls=https://${bootstrap_etcd_service_ip}:12379
-    - --initial-advertise-peer-urls=https://${bootstrap_etcd_service_ip}:12380
-    - --initial-cluster=boot-etcd=https://${bootstrap_etcd_service_ip}:12380
-    - --initial-cluster-token=bootkube
-    - --initial-cluster-state=new
-    - --data-dir=/var/etcd/data
-    - --peer-client-cert-auth=true
-    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
-    - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
-    - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
-    - --client-cert-auth=true
-    - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
-    - --cert-file=/etc/kubernetes/secrets/etcd/server.crt
-    - --key-file=/etc/kubernetes/secrets/etcd/server.key
-    volumeMounts:
-      - mountPath: /etc/kubernetes/secrets
-        name: secrets
-        readOnly: true
-  volumes:
-  - name: secrets
-    hostPath:
-      path: /etc/kubernetes/bootstrap-secrets 
-  hostNetwork: true
-  restartPolicy: Never
-  dnsPolicy: ClusterFirstWithHostNet 

resources/experimental/manifests/etcd-client-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-client-tls
-  namespace: kube-system
-type: Opaque
-data:
-  etcd-client-ca.crt: ${etcd_ca_cert}
-  etcd-client.crt: ${etcd_client_cert}
-  etcd-client.key: ${etcd_client_key}

resources/experimental/manifests/etcd-operator.yaml

@@ -1,46 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: etcd-operator
-  namespace: kube-system
-  labels:
-    k8s-app: etcd-operator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      k8s-app: etcd-operator
-  template:
-    metadata:
-      labels:
-        k8s-app: etcd-operator
-    spec:
-      containers:
-      - name: etcd-operator
-        image: ${etcd_operator_image}
-        command:
-        - /usr/local/bin/etcd-operator
-        - --analytics=false
-        env:
-        - name: MY_POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: MY_POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-      maxSurge: 1

resources/experimental/manifests/etcd-peer-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-peer-tls
-  namespace: kube-system
-type: Opaque
-data:
-  peer-ca.crt: ${etcd_ca_cert}
-  peer.crt: ${etcd_peer_cert}
-  peer.key: ${etcd_peer_key}

resources/experimental/manifests/etcd-server-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-server-tls
-  namespace: kube-system
-type: Opaque
-data:
-  server-ca.crt: ${etcd_ca_cert}
-  server.crt: ${etcd_server_cert}
-  server.key: ${etcd_server_key}

resources/experimental/manifests/etcd-service.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: etcd-service
-  namespace: kube-system
-  # This alpha annotation will retain the endpoints even if the etcd pod isn't ready.
-  # This feature is always enabled in endpoint controller in k8s even it is alpha.
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-spec:
-  selector:
-    app: etcd
-    etcd_cluster: kube-etcd
-  clusterIP: ${etcd_service_ip}
-  ports:
-  - name: client
-    port: 2379
-    protocol: TCP

resources/experimental/manifests/kube-etcd-network-checkpointer.yaml

@@ -1,62 +0,0 @@
-apiVersion: apps/v1beta2
-kind: DaemonSet
-metadata:
-  name: kube-etcd-network-checkpointer
-  namespace: kube-system
-  labels:
-    tier: control-plane
-    k8s-app: kube-etcd-network-checkpointer
-spec:
-  selector:
-    matchLabels:
-      tier: control-plane
-      k8s-app: kube-etcd-network-checkpointer
-  template:
-    metadata:
-      labels:
-        tier: control-plane
-        k8s-app: kube-etcd-network-checkpointer
-      annotations:
-        checkpointer.alpha.coreos.com/checkpoint: "true"
-    spec:
-      containers:
-      - image: ${etcd_checkpointer_image}
-        name: kube-etcd-network-checkpointer
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - mountPath: /etc/kubernetes/selfhosted-etcd
-          name: checkpoint-dir
-          readOnly: false
-        - mountPath: /var/etcd
-          name: etcd-dir
-          readOnly: false
-        - mountPath: /var/lock
-          name: var-lock
-          readOnly: false
-        command:
-        - /usr/bin/flock
-        - /var/lock/kenc.lock
-        - -c
-        - "kenc -r -m iptables && kenc -m iptables"
-      hostNetwork: true
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-      volumes:
-      - name: checkpoint-dir
-        hostPath:
-          path: /etc/kubernetes/checkpoint-iptables
-      - name: etcd-dir
-        hostPath:
-          path: /var/etcd
-      - name: var-lock
-        hostPath:
-          path: /var/lock
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate

resources/flannel/cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+- kind: ServiceAccount
+  name: flannel
+  namespace: kube-system

resources/flannel/cluster-role.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flannel
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch

resources/flannel/config.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: kube-flannel-cfg
+  name: flannel-config
   namespace: kube-system
   labels:
     tier: node
@@ -31,6 +31,7 @@ data:
     {
       "Network": "${pod_cidr}",
       "Backend": {
-        "Type": "vxlan"
+        "Type": "vxlan",
+        "Port": 4789
       }
     }

resources/flannel/daemonset.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: flannel
+  namespace: kube-system
+  labels:
+    k8s-app: flannel
+spec:
+  selector:
+    matchLabels:
+      k8s-app: flannel
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: flannel
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+    spec:
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      serviceAccountName: flannel
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      containers:
+        - name: flannel
+          image: ${flannel_image}
+          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr", "--iface=$(POD_IP)"]
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          securityContext:
+            privileged: true
+          resources:
+            requests:
+              cpu: 100m
+          volumeMounts:
+            - name: flannel-config
+              mountPath: /etc/kube-flannel/
+            - name: run-flannel
+              mountPath: /run/flannel
+        - name: install-cni
+          image: ${flannel_cni_image}
+          command: ["/install-cni.sh"]
+          env:
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: flannel-config
+                  key: cni-conf.json
+          volumeMounts:
+            - name: cni-bin-dir
+              mountPath: /host/opt/cni/bin/
+            - name: cni-conf-dir
+              mountPath: /host/etc/cni/net.d
+      volumes:
+        - name: flannel-config
+          configMap:
+            name: flannel-config
+        - name: run-flannel
+          hostPath:
+            path: /run/flannel
+        # Used by install-cni
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-conf-dir
+          hostPath:
+            path: /etc/kubernetes/cni/net.d

resources/flannel/kube-flannel.yaml

@@ -1,81 +0,0 @@
-apiVersion: apps/v1beta2
-kind: DaemonSet
-metadata:
-  name: kube-flannel
-  namespace: kube-system
-  labels:
-    tier: node
-    k8s-app: flannel
-spec:
-  selector:
-    matchLabels:
-      tier: node
-      k8s-app: flannel
-  template:
-    metadata:
-      labels:
-        tier: node
-        k8s-app: flannel
-    spec:
-      containers:
-      - name: kube-flannel
-        image: ${flannel_image}
-        command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr", "--iface=$(POD_IP)"]
-        securityContext:
-          privileged: true
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        volumeMounts:
-        - name: run
-          mountPath: /run
-        - name: cni
-          mountPath: /etc/cni/net.d
-        - name: flannel-cfg
-          mountPath: /etc/kube-flannel/
-      - name: install-cni
-        image: ${flannel_cni_image}
-        command: ["/install-cni.sh"]
-        env:
-        - name: CNI_NETWORK_CONFIG
-          valueFrom:
-            configMapKeyRef:
-              name: kube-flannel-cfg
-              key: cni-conf.json
-        volumeMounts:
-        - name: cni
-          mountPath: /host/etc/cni/net.d
-        - name: host-cni-bin
-          mountPath: /host/opt/cni/bin/
-      hostNetwork: true
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-      volumes:
-        - name: run
-          hostPath:
-            path: /run
-        - name: cni
-          hostPath:
-            path: /etc/kubernetes/cni/net.d
-        - name: flannel-cfg
-          configMap:
-            name: kube-flannel-cfg
-        - name: host-cni-bin
-          hostPath:
-            path: /opt/cni/bin
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate

resources/flannel/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+  namespace: kube-system

resources/kube-router/cluster-role-binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:default-sa
+  name: kube-router
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-router
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: kube-router
     namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io

resources/kube-router/cluster-role.yaml

@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kube-router
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+      - services
+      - nodes
+      - endpoints
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - "networking.k8s.io"
+    resources:
+      - networkpolicies
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch

resources/kube-router/config.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-router-config
+  namespace: kube-system
+data:
+  cni-conf.json: |
+    {
+      "name": "pod-network",
+      "cniVersion": "0.3.1",
+      "plugins":[
+        {
+          "name": "kube-router",
+          "type": "bridge",
+          "bridge": "kube-bridge",
+          "isDefaultGateway": true,
+          "mtu": ${network_mtu},
+          "ipam": {
+            "type": "host-local"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {
+            "portMappings": true
+          }
+        }
+      ]
+    }

resources/kube-router/daemonset.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-router
+  namespace: kube-system
+  labels:
+    k8s-app: kube-router
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kube-router
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-router
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+    spec:
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      serviceAccountName: kube-router
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      containers:
+        - name: kube-router
+          image: ${kube_router_image}
+          args:
+            - --kubeconfig=/etc/kubernetes/kubeconfig
+            - --run-router=true
+            - --run-firewall=true
+            - --run-service-proxy=false
+            - --v=5
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: KUBE_ROUTER_CNI_CONF_FILE
+              value: /etc/cni/net.d/10-kuberouter.conflist
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: lib-modules
+              mountPath: /lib/modules
+              readOnly: true
+            - name: cni-conf-dir
+              mountPath: /etc/cni/net.d
+            - name: kubeconfig
+              mountPath: /etc/kubernetes
+              readOnly: true
+        - name: install-cni
+          image: ${flannel_cni_image}
+          command: ["/install-cni.sh"]
+          env:
+            - name: CNI_OLD_NAME
+              value: 10-flannel.conflist
+            - name: CNI_CONF_NAME
+              value: 10-kuberouter.conflist
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: kube-router-config
+                  key: cni-conf.json
+          volumeMounts:
+            - name: cni-bin-dir
+              mountPath: /host/opt/cni/bin
+            - name: cni-conf-dir
+              mountPath: /host/etc/cni/net.d
+      volumes:
+        # Used by kube-router
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: kubeconfig
+          configMap:
+            name: kubeconfig-in-cluster
+        # Used by install-cni
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-conf-dir
+          hostPath:
+            path: /etc/kubernetes/cni/net.d

resources/kube-router/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-router
+  namespace: kube-system

resources/kubeconfig-admin

@@ -10,6 +10,7 @@ users:
   user:
     client-certificate-data: ${kubelet_cert}
     client-key-data: ${kubelet_key}
+current-context: ${name}-context
 contexts:
 - name: ${name}-context
   context:

resources/manifests/coredns/cluster-role-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:coredns
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:coredns
+subjects:
+  - kind: ServiceAccount
+    name: coredns
+    namespace: kube-system

resources/manifests/coredns/cluster-role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:coredns
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+rules:
+  - apiGroups: [""]
+    resources:
+      - endpoints
+      - services
+      - pods
+      - namespaces
+    verbs:
+      - list
+      - watch
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - get

resources/manifests/coredns/config.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: kube-system
+data:
+  Corefile: |
+    .:53 {
+        errors
+        health
+        ready
+        log . {
+            class error
+        }
+        kubernetes ${cluster_domain_suffix} in-addr.arpa ip6.arpa {
+            pods insecure
+            fallthrough in-addr.arpa ip6.arpa
+        }
+        prometheus :9153
+        forward . /etc/resolv.conf
+        cache 30
+        loop
+        reload
+        loadbalance
+    }

resources/manifests/coredns/deployment.yaml

@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+    k8s-app: coredns
+    kubernetes.io/name: "CoreDNS"
+    kubernetes.io/cluster-service: "true"
+spec:
+  replicas: ${control_plane_replicas}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      tier: control-plane
+      k8s-app: coredns
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        k8s-app: coredns
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: tier
+                  operator: In
+                  values:
+                  - control-plane
+                - key: k8s-app
+                  operator: In
+                  values:
+                  - coredns
+              topologyKey: kubernetes.io/hostname
+      priorityClassName: system-cluster-critical
+      serviceAccountName: coredns
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      containers:
+        - name: coredns
+          image: ${coredns_image}
+          resources:
+            limits:
+              memory: 170Mi
+            requests:
+              cpu: 100m
+              memory: 70Mi
+          args: [ "-conf", "/etc/coredns/Corefile" ]
+          volumeMounts:
+            - name: config
+              mountPath: /etc/coredns
+              readOnly: true
+          ports:
+            - name: dns
+              protocol: UDP
+              containerPort: 53
+            - name: dns-tcp
+              protocol: TCP
+              containerPort: 53
+            - name: metrics
+              protocol: TCP
+              containerPort: 9153
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 5
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8181
+              scheme: HTTP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - NET_BIND_SERVICE
+              drop:
+              - all
+            readOnlyRootFilesystem: true
+      dnsPolicy: Default
+      volumes:
+        - name: config
+          configMap:
+            name: coredns
+            items:
+            - key: Corefile
+              path: Corefile

resources/manifests/coredns/service-account.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"

resources/manifests/coredns/service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns
+  namespace: kube-system
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9153"
+  labels:
+    k8s-app: coredns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "CoreDNS"
+spec:
+  selector:
+    k8s-app: coredns
+  clusterIP: ${cluster_dns_service_ip}
+  ports:
+    - name: dns
+      port: 53
+      protocol: UDP
+    - name: dns-tcp
+      port: 53
+      protocol: TCP

resources/manifests/kube-apiserver-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-apiserver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kube-apiserver
+  namespace: kube-system

resources/manifests/kube-apiserver-sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: kube-apiserver

resources/manifests/kube-apiserver-secret.yaml

@@ -12,3 +12,7 @@ data:
   etcd-client-ca.crt: ${etcd_ca_cert}
   etcd-client.crt: ${etcd_client_cert}
   etcd-client.key: ${etcd_client_key}
+  aggregation-ca.crt: ${aggregation_ca_cert}
+  aggregation-client.crt: ${aggregation_client_cert}
+  aggregation-client.key: ${aggregation_client_key}
+

resources/manifests/kube-apiserver.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: kube-apiserver
@@ -11,6 +11,10 @@ spec:
     matchLabels:
       tier: control-plane
       k8s-app: kube-apiserver
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
@@ -18,14 +22,23 @@ spec:
         k8s-app: kube-apiserver
       annotations:
         checkpointer.alpha.coreos.com/checkpoint: "true"
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kube-apiserver
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
       containers:
       - name: kube-apiserver
         image: ${hyperkube_image}
         command:
         - /hyperkube
         - apiserver
-        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
         - --advertise-address=$(POD_IP)
         - --allow-privileged=true
         - --anonymous-auth=false
@@ -33,19 +46,19 @@ spec:
         - --bind-address=0.0.0.0
         - --client-ca-file=/etc/kubernetes/secrets/ca.crt
         - --cloud-provider=${cloud_provider}
+        - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority
         - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
         - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
         - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
-        - --etcd-quorum-read=true
         - --etcd-servers=${etcd_servers}
         - --insecure-port=0
         - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
         - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
-        - --secure-port=443
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname${aggregation_flags}
+        - --secure-port=${apiserver_port}
         - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
         - --service-cluster-ip-range=${service_cidr}
         - --storage-backend=etcd3
-        - --tls-ca-file=/etc/kubernetes/secrets/ca.crt
         - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
         - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
         env:
@@ -54,33 +67,16 @@ spec:
             fieldRef:
               fieldPath: status.podIP
         volumeMounts:
-        - mountPath: /etc/ssl/certs
-          name: ssl-certs-host
+        - name: secrets
+          mountPath: /etc/kubernetes/secrets
           readOnly: true
-        - mountPath: /etc/kubernetes/secrets
-          name: secrets
+        - name: ssl-certs-host
+          mountPath: /etc/ssl/certs
           readOnly: true
-        - mountPath: /var/lock
-          name: var-lock
-          readOnly: false
-      hostNetwork: true
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
       volumes:
-      - name: ssl-certs-host
-        hostPath:
-          path: /usr/share/ca-certificates
       - name: secrets
         secret:
           secretName: kube-apiserver
-      - name: var-lock
+      - name: ssl-certs-host
         hostPath:
-          path: /var/lock
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate
+          path: ${trusted_certs_dir}

resources/manifests/kube-controller-manager-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: kube-controller-manager
+  namespace: kube-system

resources/manifests/kube-controller-manager-sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: kube-controller-manager

resources/manifests/kube-controller-manager-secret.yaml

@@ -7,3 +7,5 @@ type: Opaque
 data:
   service-account.key: ${serviceaccount_key}
   ca.crt: ${ca_cert}
+  ca.key: ${ca_key}
+

resources/manifests/kube-controller-manager.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: kube-controller-manager
@@ -7,7 +7,7 @@ metadata:
     tier: control-plane
     k8s-app: kube-controller-manager
 spec:
-  replicas: 2
+  replicas: ${control_plane_replicas}
   selector:
     matchLabels:
       tier: control-plane
@@ -17,6 +17,8 @@ spec:
       labels:
         tier: control-plane
         k8s-app: kube-controller-manager
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       affinity:
         podAntiAffinity:
@@ -34,46 +36,61 @@ spec:
                   values:
                   - kube-controller-manager
               topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: kube-controller-manager
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
       containers:
       - name: kube-controller-manager
         image: ${hyperkube_image}
         command:
         - ./hyperkube
         - controller-manager
+        - --use-service-account-credentials
         - --allocate-node-cidrs=true
         - --cloud-provider=${cloud_provider}
         - --cluster-cidr=${pod_cidr}
+        - --service-cluster-ip-range=${service_cidr}
+        - --cluster-signing-cert-file=/etc/kubernetes/secrets/ca.crt
+        - --cluster-signing-key-file=/etc/kubernetes/secrets/ca.key
         - --configure-cloud-routes=false
         - --leader-elect=true
+        - --flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins
+        - --pod-eviction-timeout=1m
         - --root-ca-file=/etc/kubernetes/secrets/ca.crt
         - --service-account-private-key-file=/etc/kubernetes/secrets/service-account.key
         livenessProbe:
           httpGet:
+            scheme: HTTPS
             path: /healthz
-            port: 10252  # Note: Using default port. Update if --port option is set differently.
+            port: 10257
           initialDelaySeconds: 15
           timeoutSeconds: 15
         volumeMounts:
         - name: secrets
           mountPath: /etc/kubernetes/secrets
           readOnly: true
+        - name: volumeplugins
+          mountPath: /var/lib/kubelet/volumeplugins
+          readOnly: true          
         - name: ssl-host
           mountPath: /etc/ssl/certs
           readOnly: true
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
       volumes:
       - name: secrets
         secret:
           secretName: kube-controller-manager
       - name: ssl-host
         hostPath:
-          path: /usr/share/ca-certificates
+          path: ${trusted_certs_dir}
+      - name: volumeplugins
+        hostPath:
+          path: /var/lib/kubelet/volumeplugins          
       dnsPolicy: Default # Don't use cluster DNS.

resources/manifests/kube-dns-deployment.yaml

@@ -1,153 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: kube-dns
-  namespace: kube-system
-  labels:
-    k8s-app: kube-dns
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  # replicas: not specified here:
-  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
-  # 2. Default is 1.
-  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
-  strategy:
-    rollingUpdate:
-      maxSurge: 10%
-      maxUnavailable: 0
-  selector:
-    matchLabels:
-      k8s-app: kube-dns
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-dns
-    spec:
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-      volumes:
-      - name: kube-dns-config
-        configMap:
-          name: kube-dns
-          optional: true
-      containers:
-      - name: kubedns
-        image: ${kubedns_image}
-        resources:
-          # TODO: Set memory limits when we've profiled the container for large
-          # clusters, then set request = limit to keep this container in
-          # guaranteed class. Currently, this container falls into the
-          # "burstable" category so the kubelet doesn't backoff from restarting it.
-          limits:
-            memory: 170Mi
-          requests:
-            cpu: 100m
-            memory: 70Mi
-        livenessProbe:
-          httpGet:
-            path: /healthcheck/kubedns
-            port: 10054
-            scheme: HTTP
-          initialDelaySeconds: 60
-          timeoutSeconds: 5
-          successThreshold: 1
-          failureThreshold: 5
-        readinessProbe:
-          httpGet:
-            path: /readiness
-            port: 8081
-            scheme: HTTP
-          # we poll on pod startup for the Kubernetes master service and
-          # only setup the /readiness HTTP server once that's available.
-          initialDelaySeconds: 3
-          timeoutSeconds: 5
-        args:
-        - --domain=cluster.local.
-        - --dns-port=10053
-        - --config-dir=/kube-dns-config
-        - --v=2
-        env:
-        - name: PROMETHEUS_PORT
-          value: "10055"
-        ports:
-        - containerPort: 10053
-          name: dns-local
-          protocol: UDP
-        - containerPort: 10053
-          name: dns-tcp-local
-          protocol: TCP
-        - containerPort: 10055
-          name: metrics
-          protocol: TCP
-        volumeMounts:
-        - name: kube-dns-config
-          mountPath: /kube-dns-config
-      - name: dnsmasq
-        image: ${kubedns_dnsmasq_image}
-        livenessProbe:
-          httpGet:
-            path: /healthcheck/dnsmasq
-            port: 10054
-            scheme: HTTP
-          initialDelaySeconds: 60
-          timeoutSeconds: 5
-          successThreshold: 1
-          failureThreshold: 5
-        args:
-        - -v=2
-        - -logtostderr
-        - -configDir=/etc/k8s/dns/dnsmasq-nanny
-        - -restartDnsmasq=true
-        - --
-        - -k
-        - --cache-size=1000
-        - --no-negcache
-        - --log-facility=-
-        - --server=/cluster.local/127.0.0.1#10053
-        - --server=/in-addr.arpa/127.0.0.1#10053
-        - --server=/ip6.arpa/127.0.0.1#10053
-        ports:
-        - containerPort: 53
-          name: dns
-          protocol: UDP
-        - containerPort: 53
-          name: dns-tcp
-          protocol: TCP
-        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
-        resources:
-          requests:
-            cpu: 150m
-            memory: 20Mi
-        volumeMounts:
-        - name: kube-dns-config
-          mountPath: /etc/k8s/dns/dnsmasq-nanny
-      - name: sidecar
-        image: ${kubedns_sidecar_image}
-        livenessProbe:
-          httpGet:
-            path: /metrics
-            port: 10054
-            scheme: HTTP
-          initialDelaySeconds: 60
-          timeoutSeconds: 5
-          successThreshold: 1
-          failureThreshold: 5
-        args:
-        - --v=2
-        - --logtostderr
-        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,A
-        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,A
-        ports:
-        - containerPort: 10054
-          name: metrics
-          protocol: TCP
-        resources:
-          requests:
-            memory: 20Mi
-            cpu: 10m
-      dnsPolicy: Default  # Don't use cluster DNS.

resources/manifests/kube-dns-svc.yaml

@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: kube-dns
-  namespace: kube-system
-  labels:
-    k8s-app: kube-dns
-    kubernetes.io/cluster-service: "true"
-    kubernetes.io/name: "KubeDNS"
-spec:
-  selector:
-    k8s-app: kube-dns
-  clusterIP: ${kube_dns_service_ip}
-  ports:
-  - name: dns
-    port: 53
-    protocol: UDP
-  - name: dns-tcp
-    port: 53
-    protocol: TCP

resources/manifests/kube-proxy.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: kube-proxy
@@ -11,12 +11,26 @@ spec:
     matchLabels:
       tier: node
       k8s-app: kube-proxy
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
         tier: node
         k8s-app: kube-proxy
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      serviceAccountName: kube-proxy
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
       containers:
       - name: kube-proxy
         image: ${hyperkube_image}
@@ -32,35 +46,31 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10256
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
         securityContext:
           privileged: true
         volumeMounts:
-        - mountPath: /lib/modules
-          name: lib-modules
-          readOnly: true
-        - mountPath: /etc/ssl/certs
-          name: ssl-certs-host
-          readOnly: true
         - name: kubeconfig
           mountPath: /etc/kubernetes
           readOnly: true
-      hostNetwork: true
-      serviceAccountName: kube-proxy
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
+        - name: lib-modules
+          mountPath: /lib/modules
+          readOnly: true
+        - name: ssl-certs-host
+          mountPath: /etc/ssl/certs
+          readOnly: true
       volumes:
+      - name: kubeconfig
+        configMap:
+          name: kubeconfig-in-cluster
       - name: lib-modules
         hostPath:
           path: /lib/modules
       - name: ssl-certs-host
         hostPath:
-          path: /usr/share/ca-certificates
-      - name: kubeconfig
-        secret:
-          secretName: kubeconfig-in-cluster
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate
+          path: ${trusted_certs_dir}

resources/manifests/kube-scheduler-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-scheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-scheduler
+subjects:
+- kind: ServiceAccount
+  name: kube-scheduler
+  namespace: kube-system

resources/manifests/kube-scheduler-sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: kube-scheduler

resources/manifests/kube-scheduler-volume-scheduler-role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: volume-scheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:volume-scheduler
+subjects:
+- kind: ServiceAccount
+  name: kube-scheduler
+  namespace: kube-system
+

resources/manifests/kube-scheduler.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: kube-scheduler
@@ -7,7 +7,7 @@ metadata:
     tier: control-plane
     k8s-app: kube-scheduler
 spec:
-  replicas: 2
+  replicas: ${control_plane_replicas}
   selector:
     matchLabels:
       tier: control-plane
@@ -17,6 +17,8 @@ spec:
       labels:
         tier: control-plane
         k8s-app: kube-scheduler
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       affinity:
         podAntiAffinity:
@@ -34,6 +36,17 @@ spec:
                   values:
                   - kube-scheduler
               topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: kube-scheduler
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
       containers:
       - name: kube-scheduler
         image: ${hyperkube_image}
@@ -43,16 +56,8 @@ spec:
         - --leader-elect=true
         livenessProbe:
           httpGet:
+            scheme: HTTPS
             path: /healthz
-            port: 10251  # Note: Using default port. Update if --port option is set differently.
+            port: 10259
           initialDelaySeconds: 15
           timeoutSeconds: 15
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule

resources/manifests/kubeconfig-in-cluster.yaml

@@ -1,16 +1,18 @@
 apiVersion: v1
-kind: Secret
+kind: ConfigMap
 metadata:
   name: kubeconfig-in-cluster
   namespace: kube-system
-stringData:
+data:
   kubeconfig: |
     apiVersion: v1
     clusters:
     - name: local
       cluster:
+        # kubeconfig-in-cluster is for control plane components that must reach
+        # kube-apiserver before service IPs are available (e.g.10.3.0.1)
         server: ${server}
-        certificate-authority-data: ${ca_cert}
+        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
     users:
     - name: service-account
       user:

resources/manifests/kubelet-delete-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-delete
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubelet-delete
+subjects:
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io

resources/manifests/kubelet-delete-cluster-role.yaml

@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubelet-delete
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - delete

resources/manifests/kubelet-nodes-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-nodes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io

resources/manifests/pod-checkpointer-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-checkpointer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-checkpointer
+subjects:
+- kind: ServiceAccount
+  name: pod-checkpointer
+  namespace: kube-system

resources/manifests/pod-checkpointer-cluster-role.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-checkpointer
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - nodes/proxy
+    verbs:
+      - get

resources/manifests/pod-checkpointer-role-binding.yaml

@@ -1,10 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: pod-checkpointer
+  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: pod-checkpointer
 subjects:
 - kind: ServiceAccount

resources/manifests/pod-checkpointer-role.yaml

@@ -1,7 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: pod-checkpointer
+  namespace: kube-system
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["pods"]

resources/manifests/pod-checkpointer.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: pod-checkpointer
@@ -11,6 +11,10 @@ spec:
     matchLabels:
       tier: control-plane
       k8s-app: pod-checkpointer
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
@@ -18,7 +22,17 @@ spec:
         k8s-app: pod-checkpointer
       annotations:
         checkpointer.alpha.coreos.com/checkpoint: "true"
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-node-critical
+      serviceAccountName: pod-checkpointer
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
       containers:
       - name: pod-checkpointer
         image: ${pod_checkpointer_image}
@@ -39,34 +53,20 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        imagePullPolicy: Always
         volumeMounts:
-        - mountPath: /etc/checkpointer
-          name: kubeconfig
-        - mountPath: /etc/kubernetes
-          name: etc-kubernetes
-        - mountPath: /var/run
-          name: var-run
-      serviceAccountName: pod-checkpointer
-      hostNetwork: true
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      restartPolicy: Always
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
+        - name: kubeconfig
+          mountPath: /etc/checkpointer
+        - name: etc-kubernetes
+          mountPath: /etc/kubernetes
+        - name: var-run
+          mountPath: /var/run
       volumes:
       - name: kubeconfig
-        secret:
-          secretName: kubeconfig-in-cluster
+        configMap:
+          name: kubeconfig-in-cluster
       - name: etc-kubernetes
         hostPath:
           path: /etc/kubernetes
       - name: var-run
         hostPath:
           path: /var/run
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate

terraform.tfvars.example

@@ -3,4 +3,3 @@ api_servers = ["node1.example.com"]
 etcd_servers = ["node1.example.com"]
 asset_dir = "/home/core/mycluster"
 networking = "flannel"
-experimental_self_hosted_etcd = false

tls-aggregation.tf

@@ -0,0 +1,105 @@
+# NOTE: Across this module, the following workaround is used:
+# `"${var.some_var == "condition" ? join(" ", tls_private_key.aggregation-ca.*.private_key_pem) : ""}"`
+# Due to https://github.com/hashicorp/hil/issues/50, both sides of conditions
+# are evaluated, until one of them is discarded. When a `count` is used resources
+# can be referenced as lists with the `.*` notation, and arrays are allowed to be
+# empty. The `join()` interpolation function is then used to cast them back to
+# a string. Since `count` can only be 0 or 1, the returned value is either empty
+# (and discarded anyways) or the desired value.
+
+# Kubernetes Aggregation CA (i.e. front-proxy-ca)
+# Files: tls/{aggregation-ca.crt,aggregation-ca.key}
+
+resource "tls_private_key" "aggregation-ca" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_self_signed_cert" "aggregation-ca" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  key_algorithm   = "${tls_private_key.aggregation-ca.algorithm}"
+  private_key_pem = "${tls_private_key.aggregation-ca.private_key_pem}"
+
+  subject {
+    common_name = "kubernetes-front-proxy-ca"
+  }
+
+  is_ca_certificate     = true
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "cert_signing",
+  ]
+}
+
+resource "local_file" "aggregation-ca-key" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  content  = "${tls_private_key.aggregation-ca.private_key_pem}"
+  filename = "${var.asset_dir}/tls/aggregation-ca.key"
+}
+
+resource "local_file" "aggregation-ca-crt" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  content  = "${tls_self_signed_cert.aggregation-ca.cert_pem}"
+  filename = "${var.asset_dir}/tls/aggregation-ca.crt"
+}
+
+# Kubernetes apiserver (i.e. front-proxy-client)
+# Files: tls/{aggregation-client.crt,aggregation-client.key}
+
+resource "tls_private_key" "aggregation-client" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_cert_request" "aggregation-client" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  key_algorithm   = "${tls_private_key.aggregation-client.algorithm}"
+  private_key_pem = "${tls_private_key.aggregation-client.private_key_pem}"
+
+  subject {
+    common_name = "kube-apiserver"
+  }
+}
+
+resource "tls_locally_signed_cert" "aggregation-client" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  cert_request_pem = "${tls_cert_request.aggregation-client.cert_request_pem}"
+
+  ca_key_algorithm   = "${tls_self_signed_cert.aggregation-ca.key_algorithm}"
+  ca_private_key_pem = "${tls_private_key.aggregation-ca.private_key_pem}"
+  ca_cert_pem        = "${tls_self_signed_cert.aggregation-ca.cert_pem}"
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "client_auth",
+  ]
+}
+
+resource "local_file" "aggregation-client-key" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  content  = "${tls_private_key.aggregation-client.private_key_pem}"
+  filename = "${var.asset_dir}/tls/aggregation-client.key"
+}
+
+resource "local_file" "aggregation-client-crt" {
+  count = "${var.enable_aggregation == "true" ? 1 : 0}"
+
+  content  = "${tls_locally_signed_cert.aggregation-client.cert_pem}"
+  filename = "${var.asset_dir}/tls/aggregation-client.crt"
+}

tls-etcd.tf

@@ -1,3 +1,15 @@
+# etcd-ca.crt
+resource "local_file" "etcd_ca_crt" {
+  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
+  filename = "${var.asset_dir}/tls/etcd-ca.crt"
+}
+
+# etcd-ca.key
+resource "local_file" "etcd_ca_key" {
+  content  = "${tls_private_key.etcd-ca.private_key_pem}"
+  filename = "${var.asset_dir}/tls/etcd-ca.key"
+}
+
 # etcd-client-ca.crt
 resource "local_file" "etcd_client_ca_crt" {
   content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
@@ -96,16 +108,12 @@ resource "tls_cert_request" "client" {
 
   ip_addresses = [
     "127.0.0.1",
-    "${cidrhost(var.service_cidr, 15)}",
-    "${cidrhost(var.service_cidr, 20)}",
   ]
 
   dns_names = ["${concat(
     var.etcd_servers,
     list(
       "localhost",
-      "*.kube-etcd.kube-system.svc.cluster.local",
-      "kube-etcd-client.kube-system.svc.cluster.local",
     ))}"]
 }
 
@@ -142,16 +150,12 @@ resource "tls_cert_request" "server" {
 
   ip_addresses = [
     "127.0.0.1",
-    "${cidrhost(var.service_cidr, 15)}",
-    "${cidrhost(var.service_cidr, 20)}",
   ]
 
   dns_names = ["${concat(
     var.etcd_servers,
     list(
       "localhost",
-      "*.kube-etcd.kube-system.svc.cluster.local",
-      "kube-etcd-client.kube-system.svc.cluster.local",
     ))}"]
 }
 
@@ -186,16 +190,7 @@ resource "tls_cert_request" "peer" {
     organization = "etcd"
   }
 
-  ip_addresses = [
-    "${cidrhost(var.service_cidr, 20)}",
-  ]
-
-  dns_names = ["${concat(
-    var.etcd_servers,
-    list(
-      "*.kube-etcd.kube-system.svc.cluster.local",
-      "kube-etcd-client.kube-system.svc.cluster.local",
-    ))}"]
+  dns_names = ["${var.etcd_servers}"]
 }
 
 resource "tls_locally_signed_cert" "peer" {

tls-k8s.tf

@@ -1,32 +1,16 @@
-# NOTE: Across this module, the following syntax is used at various places:
-#   `"${var.ca_certificate == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_private_key}"`
-#
-# Due to https://github.com/hashicorp/hil/issues/50, both sides of conditions
-# are evaluated, until one of them is discarded. Unfortunately, the
-# `{tls_private_key/tls_self_signed_cert}.kube-ca` resources are created
-# conditionally and might not be present - in which case an error is
-# generated. Because a `count` is used on these ressources, the resources can be
-# referenced as lists with the `.*` notation, and arrays are allowed to be
-# empty. The `join()` interpolation function is then used to cast them back to
-# a string. Since `count` can only be 0 or 1, the returned value is either empty
-# (and discarded anyways) or the desired value.
-
 # Kubernetes CA (tls/{ca.crt,ca.key})
-resource "tls_private_key" "kube-ca" {
-  count = "${var.ca_certificate == "" ? 1 : 0}"
 
+resource "tls_private_key" "kube-ca" {
   algorithm = "RSA"
   rsa_bits  = "2048"
 }
 
 resource "tls_self_signed_cert" "kube-ca" {
-  count = "${var.ca_certificate == "" ? 1 : 0}"
-
   key_algorithm   = "${tls_private_key.kube-ca.algorithm}"
   private_key_pem = "${tls_private_key.kube-ca.private_key_pem}"
 
   subject {
-    common_name  = "kube-ca"
+    common_name  = "kubernetes-ca"
     organization = "bootkube"
   }
 
@@ -41,16 +25,17 @@ resource "tls_self_signed_cert" "kube-ca" {
 }
 
 resource "local_file" "kube-ca-key" {
-  content  = "${var.ca_certificate == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_private_key}"
+  content  = "${tls_private_key.kube-ca.private_key_pem}"
   filename = "${var.asset_dir}/tls/ca.key"
 }
 
 resource "local_file" "kube-ca-crt" {
-  content  = "${var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate}"
+  content  = "${tls_self_signed_cert.kube-ca.cert_pem}"
   filename = "${var.asset_dir}/tls/ca.crt"
 }
 
 # Kubernetes API Server (tls/{apiserver.key,apiserver.crt})
+
 resource "tls_private_key" "apiserver" {
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -62,7 +47,7 @@ resource "tls_cert_request" "apiserver" {
 
   subject {
     common_name  = "kube-apiserver"
-    organization = "kube-master"
+    organization = "system:masters"
   }
 
   dns_names = [
@@ -70,7 +55,7 @@ resource "tls_cert_request" "apiserver" {
     "kubernetes",
     "kubernetes.default",
     "kubernetes.default.svc",
-    "kubernetes.default.svc.cluster.local",
+    "kubernetes.default.svc.${var.cluster_domain_suffix}",
   ]
 
   ip_addresses = [
@@ -81,9 +66,9 @@ resource "tls_cert_request" "apiserver" {
 resource "tls_locally_signed_cert" "apiserver" {
   cert_request_pem = "${tls_cert_request.apiserver.cert_request_pem}"
 
-  ca_key_algorithm   = "${var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.key_algorithm) : var.ca_key_alg}"
-  ca_private_key_pem = "${var.ca_certificate == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_private_key}"
-  ca_cert_pem        = "${var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem): var.ca_certificate}"
+  ca_key_algorithm   = "${tls_self_signed_cert.kube-ca.key_algorithm}"
+  ca_private_key_pem = "${tls_private_key.kube-ca.private_key_pem}"
+  ca_cert_pem        = "${tls_self_signed_cert.kube-ca.cert_pem}"
 
   validity_period_hours = 8760
 
@@ -105,7 +90,51 @@ resource "local_file" "apiserver-crt" {
   filename = "${var.asset_dir}/tls/apiserver.crt"
 }
 
+# Kubernetes Admin (tls/{admin.key,admin.crt})
+
+resource "tls_private_key" "admin" {
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_cert_request" "admin" {
+  key_algorithm   = "${tls_private_key.admin.algorithm}"
+  private_key_pem = "${tls_private_key.admin.private_key_pem}"
+
+  subject {
+    common_name  = "kubernetes-admin"
+    organization = "system:masters"
+  }
+}
+
+resource "tls_locally_signed_cert" "admin" {
+  cert_request_pem = "${tls_cert_request.admin.cert_request_pem}"
+
+  ca_key_algorithm   = "${tls_self_signed_cert.kube-ca.key_algorithm}"
+  ca_private_key_pem = "${tls_private_key.kube-ca.private_key_pem}"
+  ca_cert_pem        = "${tls_self_signed_cert.kube-ca.cert_pem}"
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "client_auth",
+  ]
+}
+
+resource "local_file" "admin-key" {
+  content  = "${tls_private_key.admin.private_key_pem}"
+  filename = "${var.asset_dir}/tls/admin.key"
+}
+
+resource "local_file" "admin-crt" {
+  content  = "${tls_locally_signed_cert.admin.cert_pem}"
+  filename = "${var.asset_dir}/tls/admin.crt"
+}
+
 # Kubernete's Service Account (tls/{service-account.key,service-account.pub})
+
 resource "tls_private_key" "service-account" {
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -122,6 +151,7 @@ resource "local_file" "service-account-crt" {
 }
 
 # Kubelet
+
 resource "tls_private_key" "kubelet" {
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -133,16 +163,16 @@ resource "tls_cert_request" "kubelet" {
 
   subject {
     common_name  = "kubelet"
-    organization = "system:masters"
+    organization = "system:nodes"
   }
 }
 
 resource "tls_locally_signed_cert" "kubelet" {
   cert_request_pem = "${tls_cert_request.kubelet.cert_request_pem}"
 
-  ca_key_algorithm   = "${var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.key_algorithm) : var.ca_key_alg}"
-  ca_private_key_pem = "${var.ca_certificate == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_private_key}"
-  ca_cert_pem        = "${var.ca_certificate == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_certificate}"
+  ca_key_algorithm   = "${tls_self_signed_cert.kube-ca.key_algorithm}"
+  ca_private_key_pem = "${tls_private_key.kube-ca.private_key_pem}"
+  ca_cert_pem        = "${tls_self_signed_cert.kube-ca.cert_pem}"
 
   validity_period_hours = 8760
 

variables.tf

@@ -9,15 +9,10 @@ variable "api_servers" {
 }
 
 variable "etcd_servers" {
-  description = "List of URLs used to reach etcd servers. Ignored if experimental self-hosted etcd is enabled."
+  description = "List of URLs used to reach etcd servers."
   type        = "list"
 }
 
-variable "experimental_self_hosted_etcd" {
-  description = "(Experimental) Create self-hosted etcd assets"
-  default     = false
-}
-
 variable "asset_dir" {
   description = "Path to a directory where generated assets should be placed (contains secrets)"
   type        = "string"
@@ -30,17 +25,29 @@ variable "cloud_provider" {
 }
 
 variable "networking" {
-  description = "Choice of networking provider (flannel or calico)"
+  description = "Choice of networking provider (flannel or calico or kube-router)"
   type        = "string"
   default     = "flannel"
 }
 
 variable "network_mtu" {
-  description = "CNI interface MTU (applies to calico only)"
+  description = "CNI interface MTU (only applies to calico and kube-router)"
   type        = "string"
   default     = "1500"
 }
 
+variable "network_encapsulation" {
+  description = "Network encapsulation mode either ipip or vxlan (only applies to calico)"
+  type        = "string"
+  default     = "ipip"
+}
+
+variable "network_ip_autodetection_method" {
+  description = "Method to autodetect the host IPv4 address (only applies to calico)"
+  type        = "string"
+  default     = "first-found"
+}
+
 variable "pod_cidr" {
   description = "CIDR IP range to assign Kubernetes pods"
   type        = "string"
@@ -50,47 +57,57 @@ variable "pod_cidr" {
 variable "service_cidr" {
   description = <<EOD
 CIDR IP range to assign Kubernetes services.
-The 1st IP will be reserved for kube_apiserver, the 10th IP will be reserved for kube-dns, the 15th IP will be reserved for self-hosted etcd, and the 20th IP will be reserved for bootstrap self-hosted etcd.
+The 1st IP will be reserved for kube_apiserver, the 10th IP will be reserved for kube-dns.
 EOD
 
   type    = "string"
   default = "10.3.0.0/24"
 }
 
+variable "cluster_domain_suffix" {
+  description = "Queries for domains with the suffix will be answered by kube-dns"
+  type        = "string"
+  default     = "cluster.local"
+}
+
 variable "container_images" {
   description = "Container images to use"
   type        = "map"
 
   default = {
-    calico            = "quay.io/calico/node:v2.6.3"
-    calico_cni        = "quay.io/calico/cni:v1.11.1"
-    etcd              = "quay.io/coreos/etcd:v3.1.8"
-    etcd_operator     = "quay.io/coreos/etcd-operator:v0.5.0"
-    etcd_checkpointer = "quay.io/coreos/kenc:0.0.2"
-    flannel           = "quay.io/coreos/flannel:v0.9.1-amd64"
-    flannel_cni       = "quay.io/coreos/flannel-cni:v0.3.0"
-    hyperkube         = "gcr.io/google_containers/hyperkube:v1.8.4"
-    kubedns           = "gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5"
-    kubedns_dnsmasq   = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5"
-    kubedns_sidecar   = "gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5"
-    pod_checkpointer  = "quay.io/coreos/pod-checkpointer:e22cc0e3714378de92f45326474874eb602ca0ac"
+    calico           = "quay.io/calico/node:v3.7.2"
+    calico_cni       = "quay.io/calico/cni:v3.7.2"
+    flannel          = "quay.io/coreos/flannel:v0.11.0-amd64"
+    flannel_cni      = "quay.io/coreos/flannel-cni:v0.3.0"
+    kube_router      = "cloudnativelabs/kube-router:v0.3.1"
+    hyperkube        = "k8s.gcr.io/hyperkube:v1.14.3"
+    coredns          = "k8s.gcr.io/coredns:1.5.0"
+    pod_checkpointer = "quay.io/coreos/pod-checkpointer:83e25e5968391b9eb342042c435d1b3eeddb2be1"
   }
 }
 
-variable "ca_certificate" {
-  description = "Existing PEM-encoded CA certificate (generated if blank)"
+variable "enable_reporting" {
   type        = "string"
-  default     = ""
+  description = "Enable usage or analytics reporting to upstream component owners (Tigera: Calico)"
+  default     = "false"
 }
 
-variable "ca_key_alg" {
-  description = "Algorithm used to generate ca_key (required if ca_cert is specified)"
+variable "trusted_certs_dir" {
+  description = "Path to the directory on cluster nodes where trust TLS certs are kept"
   type        = "string"
-  default     = "RSA"
+  default     = "/usr/share/ca-certificates"
 }
 
-variable "ca_private_key" {
-  description = "Existing Certificate Authority private key (required if ca_certificate is set)"
+variable "enable_aggregation" {
+  description = "Enable the Kubernetes Aggregation Layer (defaults to false, recommended)"
   type        = "string"
-  default     = ""
+  default     = "false"
+}
+
+# unofficial, temporary, may be removed without notice
+
+variable "apiserver_port" {
+  description = "kube-apiserver port"
+  type        = "string"
+  default     = "6443"
 }