A Terraform module which contains a number of common configurations for TLS certificates.
- ca
- Self-signed CA used to locally sign TLS certificates.
- docker
- TLS certs for Docker daemon and client
- kubernetes
- TLS certs for the API server, the workers and the admin key
- etcd
- TLS certs for etcd
Refer to the README of each catalog element for its individual usage.
For a real-world example that uses them all together in a Kubernetes cluster on DigitalOcean, see https://github.com/Capgemini/kubeform/blob/master/terraform/digitalocean/main.tf
# Self-signed CA that signs every other certificate in this file.
# Its outputs (module.ca.ca_cert_pem and module.ca.ca_private_key_pem) are
# consumed by the kube_* and docker_* modules below, so the CA private key is
# held in Terraform state; treat the state backend as sensitive material.
module "ca" {
  source = "github.com/Capgemini/tf_tls//ca"

  organization = "${var.organization}"

  # One instance per droplet: the count matches the length of the
  # concatenated master + worker address list.
  ca_count          = "${var.masters + var.workers}"
  ip_addresses_list = "${concat(digitalocean_droplet.master.*.ipv4_address, digitalocean_droplet.worker.*.ipv4_address)}"

  # SSH settings; presumably used by the module's provisioners to place the
  # CA material on each droplet — see the ca module README to confirm.
  ssh_user        = "core"
  ssh_private_key = "${tls_private_key.ssh.private_key_pem}"
}
# API server certificates, one per master, signed by module.ca.
module "kube_apiserver_certs" {
  source = "github.com/Capgemini/tf_tls//kubernetes/apiserver"

  # Signing material from the local CA.
  ca_cert_pem        = "${module.ca.ca_cert_pem}"
  ca_private_key_pem = "${module.ca.ca_private_key_pem}"

  # compact() drops empty entries so the list lines up with master_count.
  ip_addresses = "${compact(digitalocean_droplet.master.*.ipv4_address)}"
  master_count = "${var.masters}"

  # One-year lifetime, renewed 30 days before expiry.
  validity_period_hours = "8760"
  early_renewal_hours   = "720"

  # SSH settings; presumably used by the module's provisioners to install the
  # certificates on the masters — confirm against the module README.
  ssh_user        = "core"
  ssh_private_key = "${tls_private_key.ssh.private_key_pem}"
}
# Worker (kubelet) certificates, one per worker, signed by module.ca.
module "kube_worker_certs" {
  source = "github.com/Capgemini/tf_tls//kubernetes/worker"

  # Signing material from the local CA.
  ca_cert_pem        = "${module.ca.ca_cert_pem}"
  ca_private_key_pem = "${module.ca.ca_private_key_pem}"

  # compact() drops empty entries so the list lines up with worker_count.
  ip_addresses = "${compact(digitalocean_droplet.worker.*.ipv4_address)}"
  worker_count = "${var.workers}"

  # One-year lifetime, renewed 30 days before expiry (same policy as the
  # apiserver certs).
  validity_period_hours = "8760"
  early_renewal_hours   = "720"

  # SSH settings; presumably used by the module's provisioners to install the
  # certificates on the workers — confirm against the module README.
  ssh_user        = "core"
  ssh_private_key = "${tls_private_key.ssh.private_key_pem}"
}
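# Admin (kubectl) client certificate signed by module.ca.
module "kube_admin_cert" {
  # "//" separates the repository from the subdirectory inside it, as in every
  # other module source here; with a single "/" Terraform treats
  # "kubernetes/admin" as part of the repository path and the fetch fails.
  source = "github.com/Capgemini/tf_tls//kubernetes/admin"

  # Signing material from the local CA.
  ca_cert_pem        = "${module.ca.ca_cert_pem}"
  ca_private_key_pem = "${module.ca.ca_private_key_pem}"

  # Address of the first master; presumably used as the API server endpoint
  # in the generated admin configuration — confirm against the module README.
  # No validity_period_hours / early_renewal_hours are given here, so the
  # module's defaults apply; check they match the 8760/720 policy used above.
  kubectl_server_ip = "${digitalocean_droplet.master.0.ipv4_address}"
}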
# Docker daemon (server-side) certificates for every master and worker.
module "docker_daemon_certs" {
  source = "github.com/Capgemini/tf_tls//docker/daemon"

  # Signing material from the local CA.
  ca_cert_pem        = "${module.ca.ca_cert_pem}"
  ca_private_key_pem = "${module.ca.ca_private_key_pem}"

  # Subject alternative names: all node IPs plus the listed DNS names.
  # NOTE(review): these DNS names are the in-cluster Kubernetes API service
  # names rather than Docker daemon host names — confirm they are intended
  # as SANs for the daemon certificate.
  ip_addresses_list   = "${concat(digitalocean_droplet.master.*.ipv4_address, digitalocean_droplet.worker.*.ipv4_address)}"
  dns_names_list      = "kubernetes,kubernetes.default,kubernetes.default.svc"
  docker_daemon_count = "${var.masters + var.workers}"

  # One-year lifetime, renewed 30 days before expiry.
  validity_period_hours = 8760
  early_renewal_hours   = 720

  # SSH credentials; this module names them private_key / user instead of
  # ssh_private_key / ssh_user like the kube_* modules.
  private_key = "${tls_private_key.ssh.private_key_pem}"
  user        = "core"
}
# Docker client certificates for every master and worker.
module "docker_client_certs" {
  source = "github.com/Capgemini/tf_tls//docker/client"

  # Signing material from the local CA.
  ca_cert_pem        = "${module.ca.ca_cert_pem}"
  ca_private_key_pem = "${module.ca.ca_private_key_pem}"

  # Subject alternative names: all node IPs plus the listed DNS names.
  # NOTE(review): most TLS implementations match a wildcard against a single
  # leftmost label only, so "*.*.cluster.internal" may not validate as
  # intended; "*.ec2.internal" is an AWS-style domain in a DigitalOcean
  # example and looks like a leftover — confirm both before relying on them.
  ip_addresses_list   = "${concat(digitalocean_droplet.master.*.ipv4_address, digitalocean_droplet.worker.*.ipv4_address)}"
  dns_names_list      = "*.*.cluster.internal,*.ec2.internal"
  docker_client_count = "${var.masters + var.workers}"

  # One-year lifetime, renewed 30 days before expiry.
  validity_period_hours = 8760
  early_renewal_hours   = 720

  # SSH credentials; this module names them private_key / user instead of
  # ssh_private_key / ssh_user like the kube_* modules.
  private_key = "${tls_private_key.ssh.private_key_pem}"
  user        = "core"
}