Skip to content

Commit

Permalink
Add kubeconfig's for kube-scheduler and kube-controller-manager
Browse files Browse the repository at this point in the history 
* Generate TLS client certificates for `kube-scheduler` and
`kube-controller-manager` with `system:kube-scheduler` and
`system:kube-controller-manager` CNs
* Template separate kubeconfigs for kube-scheduler and
kube-controller manager (`scheduler.conf` and
`controller-manager.conf`). Rename admin for clarity
* Before v1.16.0, Typhoon scheduled a self-hosted control
plane, which allowed the steady-state kube-scheduler and
kube-controller-manager to use a scoped ServiceAccount.
With a static pod control plane, separate CN TLS client
certificates are the nearest equiv.
* https://kubernetes.io/docs/setup/best-practices/certificates/
* Remove unused Kubelet certificate, TLS bootstrap is used
instead
  • Loading branch information
@dghubble
dghubble committed Dec 2, 2020
1 parent 8ba23f3 commit 804dfea
Show file tree
Hide file tree
Showing 21 changed files with 32 additions and 32 deletions.
4 changes: 2 additions & 2 deletions CHANGES.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,9 @@ Notable changes between versions.
* Add input variable validations ([#880](https://github.com/poseidon/typhoon/pull/880))
* Require Terraform v0.13+ ([migration guide](https://typhoon.psdn.io/topics/maintenance/#terraform-versions))
* Set output sensitive to suppress console display for some cases ([#885](https://github.com/poseidon/typhoon/pull/885))
* Add service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897))
* Scope kube-scheduler and kube-controller-manager permissions ([#898](https://github.com/poseidon/typhoon/pull/898))
* Update etcd from v3.4.12 to [v3.4.14](https://github.com/etcd-io/etcd/releases/tag/v3.4.14)
* Enable service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897))
* Update Calico from v3.16.5 to v3.17.0 ([#890](https://github.com/poseidon/typhoon/pull/890))
* Enable Calico MTU auto-detection
* Remove [workaround](https://github.com/poseidon/typhoon/pull/724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874)
Expand Down Expand Up @@ -64,7 +65,6 @@ Notable changes between versions.
### Flatcar Linux

* Rename `container-linux` modules to `flatcar-linux` ([#858](https://github.com/poseidon/typhoon/issues/858)) (**action required**)

* Change on-host system containers from rkt to docker
* Change `etcd-member.service` container runnner from rkt to docker ([#867](https://github.com/poseidon/typhoon/pull/867))
* Change `kubelet.service` container runner from rkt-fly to docker ([#855](https://github.com/poseidon/typhoon/pull/855))
Expand Down
2 changes: 1 addition & 1 deletion aws/fedora-coreos/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions aws/fedora-coreos/kubernetes/fcc/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ storage:
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -161,7 +161,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion aws/flatcar-linux/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions aws/flatcar-linux/kubernetes/cl/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@ storage:
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
chmod -R 700 /var/lib/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -169,7 +169,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion azure/fedora-coreos/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions azure/fedora-coreos/kubernetes/fcc/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ storage:
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -160,7 +160,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion azure/flatcar-linux/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions azure/flatcar-linux/kubernetes/cl/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@ storage:
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
chmod -R 700 /var/lib/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -169,7 +169,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion bare-metal/fedora-coreos/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [var.k8s_domain_name]
Expand Down
4 changes: 2 additions & 2 deletions bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ storage:
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -171,7 +171,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion bare-metal/flatcar-linux/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [var.k8s_domain_name]
Expand Down
4 changes: 2 additions & 2 deletions bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ storage:
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
chmod -R 700 /var/lib/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -183,7 +183,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ storage:
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -167,7 +167,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,7 @@ storage:
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
chmod -R 700 /var/lib/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -176,7 +176,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion google-cloud/fedora-coreos/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ storage:
mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -160,7 +160,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down
2 changes: 1 addition & 1 deletion google-cloud/flatcar-linux/kubernetes/bootstrap.tf
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests)
module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"

cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
Expand Down
4 changes: 2 additions & 2 deletions google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ storage:
chown -R etcd:etcd /etc/ssl/etcd
chmod -R 500 /etc/ssl/etcd
chmod -R 700 /var/lib/etcd
mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
mv auth/* /etc/kubernetes/bootstrap-secrets/
mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
mkdir -p /etc/kubernetes/manifests
mv static-manifests/* /etc/kubernetes/manifests/
Expand All @@ -167,7 +167,7 @@ storage:
contents:
inline: |
#!/bin/bash -e
export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
until kubectl version; do
echo "Waiting for static pod control plane"
sleep 5
Expand Down

0 comments on commit 804dfea

Please sign in to comment.