

Remove asset_dir variable and optional asset writes
* Originally, generated TLS certificates, manifests, and
cluster "assets" written to local disk (`asset_dir`) during
terraform apply cluster bootstrap
* Typhoon v1.17.0 introduced bootstrapping using only Terraform
state to store cluster assets, to avoid ever writing sensitive
materials to disk and improve automated use-cases. `asset_dir`
was changed to optional and defaulted to "" (no writes)
* Typhoon v1.18.0 deprecated the `asset_dir` variable, removed
docs, and announced it would be deleted in future.
* Remove the `asset_dir` variable

Cluster assets are now stored in Terraform state only. Those who
wish to write those assets to local files can do so explicitly:

```
resource local_file "assets" {
  for_each = module.bootstrap.assets_dist
  filename = "some-assets/${each.key}"
  content = each.value
}
```

Related:

* poseidon/typhoon#595
* poseidon/typhoon#678
dghubble committed Oct 17, 2020
1 parent 7988fb7 commit 7266dcc
Showing 9 changed files with 10 additions and 230 deletions.
12 changes: 10 additions & 2 deletions README.md
Expand Up @@ -20,13 +20,21 @@ module "bootstrap" {
}
```

Generate the assets.
Generate assets in Terraform state.

```sh
terraform init
terraform plan
terraform apply
```

Find bootstrap assets rendered to the `asset_dir` path. That's it.
To inspect and write assets locally (e.g. debugging) use the `assets_dist` Terraform output.

```
resource local_file "assets" {
for_each = module.bootstrap.assets_dist
filename = "some-assets/${each.key}"
content = each.value
}
```

15 changes: 0 additions & 15 deletions auth.tf
Expand Up @@ -45,18 +45,3 @@ data "template_file" "kubeconfig-admin" {
}
}

# Generated admin kubeconfig to bootstrap control plane
resource "local_file" "kubeconfig-admin" {
count = var.asset_dir == "" ? 0 : 1

content = data.template_file.kubeconfig-admin.rendered
filename = "${var.asset_dir}/auth/kubeconfig"
}

# Generated admin kubeconfig in a file named after the cluster
resource "local_file" "kubeconfig-admin-named" {
count = var.asset_dir == "" ? 0 : 1

content = data.template_file.kubeconfig-admin.rendered
filename = "${var.asset_dir}/auth/${var.cluster_name}-config"
}
16 changes: 0 additions & 16 deletions conditional.tf
Expand Up @@ -57,19 +57,3 @@ locals {
}
}

# flannel manifests
resource "local_file" "flannel-manifests" {
for_each = var.asset_dir == "" ? {} : local.flannel_manifests

filename = "${var.asset_dir}/${each.key}"
content = each.value
}

# Calico manifests
resource "local_file" "calico-manifests" {
for_each = var.asset_dir == "" ? {} : local.calico_manifests

filename = "${var.asset_dir}/${each.key}"
content = each.value
}

16 changes: 0 additions & 16 deletions manifests.tf
Expand Up @@ -43,22 +43,6 @@ locals {
}
}

# Kubernetes static pod manifests
resource "local_file" "static-manifests" {
for_each = var.asset_dir == "" ? {} : local.static_manifests

content = each.value
filename = "${var.asset_dir}/${each.key}"
}

# Kubernetes control plane manifests
resource "local_file" "manifests" {
for_each = var.asset_dir == "" ? {} : local.manifests

content = each.value
filename = "${var.asset_dir}/${each.key}"
}

locals {
aggregation_flags = <<EOF
30 changes: 0 additions & 30 deletions tls-aggregation.tf
Expand Up @@ -7,8 +7,6 @@ locals {
} : {}
}



# Kubernetes Aggregation CA (i.e. front-proxy-ca)
# Files: tls/{aggregation-ca.crt,aggregation-ca.key}

Expand Down Expand Up @@ -39,20 +37,6 @@ resource "tls_self_signed_cert" "aggregation-ca" {
]
}

resource "local_file" "aggregation-ca-key" {
count = var.enable_aggregation && var.asset_dir != "" ? 1 : 0

content = tls_private_key.aggregation-ca[0].private_key_pem
filename = "${var.asset_dir}/tls/aggregation-ca.key"
}

resource "local_file" "aggregation-ca-crt" {
count = var.enable_aggregation && var.asset_dir != "" ? 1 : 0

content = tls_self_signed_cert.aggregation-ca[0].cert_pem
filename = "${var.asset_dir}/tls/aggregation-ca.crt"
}

# Kubernetes apiserver (i.e. front-proxy-client)
# Files: tls/{aggregation-client.crt,aggregation-client.key}

Expand Down Expand Up @@ -92,17 +76,3 @@ resource "tls_locally_signed_cert" "aggregation-client" {
]
}

resource "local_file" "aggregation-client-key" {
count = var.enable_aggregation && var.asset_dir != "" ? 1 : 0

content = tls_private_key.aggregation-client[0].private_key_pem
filename = "${var.asset_dir}/tls/aggregation-client.key"
}

resource "local_file" "aggregation-client-crt" {
count = var.enable_aggregation && var.asset_dir != "" ? 1 : 0

content = tls_locally_signed_cert.aggregation-client[0].cert_pem
filename = "${var.asset_dir}/tls/aggregation-client.crt"
}

88 changes: 0 additions & 88 deletions tls-etcd.tf
Expand Up @@ -39,30 +39,6 @@ resource "tls_self_signed_cert" "etcd-ca" {
]
}

# etcd-ca.crt
resource "local_file" "etcd_ca_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_self_signed_cert.etcd-ca.cert_pem
filename = "${var.asset_dir}/tls/etcd-ca.crt"
}

# etcd-client-ca.crt
resource "local_file" "etcd_client_ca_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_self_signed_cert.etcd-ca.cert_pem
filename = "${var.asset_dir}/tls/etcd-client-ca.crt"
}

# etcd-ca.key
resource "local_file" "etcd_ca_key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.etcd-ca.private_key_pem
filename = "${var.asset_dir}/tls/etcd-ca.key"
}

# etcd Client (apiserver to etcd communication)

resource "tls_private_key" "client" {
Expand Down Expand Up @@ -103,22 +79,6 @@ resource "tls_locally_signed_cert" "client" {
]
}

# etcd-client.crt
resource "local_file" "etcd_client_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_locally_signed_cert.client.cert_pem
filename = "${var.asset_dir}/tls/etcd-client.crt"
}

# etcd-client.key
resource "local_file" "etcd_client_key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.client.private_key_pem
filename = "${var.asset_dir}/tls/etcd-client.key"
}

# etcd Server

resource "tls_private_key" "server" {
Expand Down Expand Up @@ -159,30 +119,6 @@ resource "tls_locally_signed_cert" "server" {
]
}

# server-ca.crt
resource "local_file" "etcd_server_ca_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_self_signed_cert.etcd-ca.cert_pem
filename = "${var.asset_dir}/tls/etcd/server-ca.crt"
}

# server.crt
resource "local_file" "etcd_server_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_locally_signed_cert.server.cert_pem
filename = "${var.asset_dir}/tls/etcd/server.crt"
}

# server.key
resource "local_file" "etcd_server_key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.server.private_key_pem
filename = "${var.asset_dir}/tls/etcd/server.key"
}

# etcd Peer

resource "tls_private_key" "peer" {
Expand Down Expand Up @@ -219,27 +155,3 @@ resource "tls_locally_signed_cert" "peer" {
]
}

# peer-ca.crt
resource "local_file" "etcd_peer_ca_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_self_signed_cert.etcd-ca.cert_pem
filename = "${var.asset_dir}/tls/etcd/peer-ca.crt"
}

# peer.crt
resource "local_file" "etcd_peer_crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_locally_signed_cert.peer.cert_pem
filename = "${var.asset_dir}/tls/etcd/peer.crt"
}

# peer.key
resource "local_file" "etcd_peer_key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.peer.private_key_pem
filename = "${var.asset_dir}/tls/etcd/peer.key"
}

56 changes: 0 additions & 56 deletions tls-k8s.tf
Expand Up @@ -36,20 +36,6 @@ resource "tls_self_signed_cert" "kube-ca" {
]
}

resource "local_file" "kube-ca-key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.kube-ca.private_key_pem
filename = "${var.asset_dir}/tls/ca.key"
}

resource "local_file" "kube-ca-crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_self_signed_cert.kube-ca.cert_pem
filename = "${var.asset_dir}/tls/ca.crt"
}

# Kubernetes API Server (tls/{apiserver.key,apiserver.crt})

resource "tls_private_key" "apiserver" {
Expand Down Expand Up @@ -96,20 +82,6 @@ resource "tls_locally_signed_cert" "apiserver" {
]
}

resource "local_file" "apiserver-key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.apiserver.private_key_pem
filename = "${var.asset_dir}/tls/apiserver.key"
}

resource "local_file" "apiserver-crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_locally_signed_cert.apiserver.cert_pem
filename = "${var.asset_dir}/tls/apiserver.crt"
}

# Kubernetes Admin (tls/{admin.key,admin.crt})

resource "tls_private_key" "admin" {
Expand Down Expand Up @@ -143,41 +115,13 @@ resource "tls_locally_signed_cert" "admin" {
]
}

resource "local_file" "admin-key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.admin.private_key_pem
filename = "${var.asset_dir}/tls/admin.key"
}

resource "local_file" "admin-crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_locally_signed_cert.admin.cert_pem
filename = "${var.asset_dir}/tls/admin.crt"
}

# Kubernete's Service Account (tls/{service-account.key,service-account.pub})

resource "tls_private_key" "service-account" {
algorithm = "RSA"
rsa_bits = "2048"
}

resource "local_file" "service-account-key" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.service-account.private_key_pem
filename = "${var.asset_dir}/tls/service-account.key"
}

resource "local_file" "service-account-crt" {
count = var.asset_dir == "" ? 0 : 1

content = tls_private_key.service-account.public_key_pem
filename = "${var.asset_dir}/tls/service-account.pub"
}

# Kubelet

resource "tls_private_key" "kubelet" {
6 changes: 0 additions & 6 deletions variables.tf
Expand Up @@ -13,12 +13,6 @@ variable "etcd_servers" {
description = "List of URLs used to reach etcd servers."
}

variable "asset_dir" {
type = string
description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
default = ""
}

variable "cloud_provider" {
type = string
description = "The provider for cloud services (empty string for no provider)"
1 change: 0 additions & 1 deletion versions.tf
Expand Up @@ -3,7 +3,6 @@
terraform {
required_version = ">= 0.12.0, < 0.14.0"
required_providers {
local = "~> 1.2"
random = "~> 2.2"
template = "~> 2.1"
tls = "~> 2.0"
