From 81f2d83ec3239a7dc075fdfd5f9792aa9da73a04 Mon Sep 17 00:00:00 2001 
From: Dalton Hubble Date: Wed, 4 Dec 2019 22:10:55 -0800 Subject: [PATCH] Introduce cluster creation without local writes to asset_dir * Allow generated assets (TLS materials, manifests) to be securely distributed to controller node(s) via file provisioner (i.e. ssh-agent) of an assets bundle file, rather than relying on assets being locally rendered to disk in an asset_dir * Change `asset_dir` from required to optional. Left unset, asset_dir defaults to "" and no assets will be written to files on the machine that runs terraform apply * Enhancement: Managed cluster assets are kept only in Terraform state, which supports different backends (GCS, S3, etcd, etc) and optional encryption. terraform apply accesses state, runs in-memory, and distributes sensitive materials to controllers without making use of local disk (simplifies use in CI systems) * Enhancement: Improve asset unpack and layout process to position etcd certificates and control plane certificates more cleanly, without unneeded secret materials Details: * Terraform file provisioner support for distributing directories of contents (with unknown structure) has been limited to reading from a local directory, meaning local writes to asset_dir were required. https://github.com/poseidon/typhoon/issues/585 discusses the problem and newer or upcoming Terraform features that might help. * Observation: Terraform provisioner support for single files works well, but iteration isn't viable. We're also constrained to Terraform language features on the apply side (no extra plugins, no shelling out) and CoreOS / Fedora tools on the receive side. * Take a map representation of the contents that would have been splayed out in asset_dir and pack/encode them into a single file format devised for easy unpacking. Use an awk one-liner on the receive side to unpack. 
In practice, this has worked well and it's rather nice that a single assets file is transferred by file provisioner (all or none) Rel: https://github.com/poseidon/terraform-render-bootstrap/pull/162 --- aws/container-linux/kubernetes/bootstrap.tf | 2 +- .../kubernetes/cl/controller.yaml.tmpl | 26 +++++++- aws/container-linux/kubernetes/ssh.tf | 63 ++++-------------- aws/fedora-coreos/kubernetes/bootstrap.tf | 2 +- .../kubernetes/fcc/controller.yaml | 24 ++++++- aws/fedora-coreos/kubernetes/ssh.tf | 65 ++++--------------- azure/container-linux/kubernetes/bootstrap.tf | 2 +- .../kubernetes/cl/controller.yaml.tmpl | 26 +++++++- azure/container-linux/kubernetes/ssh.tf | 65 ++++--------------- .../container-linux/kubernetes/bootstrap.tf | 2 +- .../kubernetes/cl/controller.yaml.tmpl | 26 +++++++- bare-metal/container-linux/kubernetes/ssh.tf | 63 ++++-------------- .../fedora-coreos/kubernetes/bootstrap.tf | 2 +- .../kubernetes/fcc/controller.yaml | 24 ++++++- bare-metal/fedora-coreos/kubernetes/ssh.tf | 61 ++++------------- .../container-linux/kubernetes/bootstrap.tf | 2 +- .../kubernetes/cl/controller.yaml.tmpl | 26 +++++++- .../container-linux/kubernetes/ssh.tf | 63 ++++-------------- .../container-linux/kubernetes/bootstrap.tf | 2 +- .../kubernetes/cl/controller.yaml.tmpl | 26 +++++++- .../container-linux/kubernetes/ssh.tf | 65 ++++--------------- 21 files changed, 258 insertions(+), 379 deletions(-) diff --git a/aws/container-linux/kubernetes/bootstrap.tf b/aws/container-linux/kubernetes/bootstrap.tf index 0d7266e7b..1db669b98 100644 --- a/aws/container-linux/kubernetes/bootstrap.tf +++ b/aws/container-linux/kubernetes/bootstrap.tf 
@@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl index c4cb7b2f0..246c617ef 100644 --- a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl +++ b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl @@ -108,6 +108,8 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/rkt run \ --trust-keys-from-https \ + --volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \ + --mount volume=config,target=/etc/kubernetes/secrets \ --volume assets,kind=host,source=/opt/bootstrap/assets \ --mount volume=assets,target=/assets \ --volume script,kind=host,source=/opt/bootstrap/apply \ 
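Review bot: The new `config` volume that exposes /etc/kubernetes/bootstrap-secrets to the bootstrap rkt pod is declared without `readOnly=true`, so the pod gets a writable view of the host's private keys and kubeconfig, whereas the Fedora CoreOS variant of the same change mounts that directory `:ro,Z`. As far as the visible apply script shows, the pod only reads `/etc/kubernetes/secrets/kubeconfig`, so the line can become `--volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets,readOnly=true \`. The same volume line is added in the azure, bare-metal, digital-ocean and google-cloud container-linux controller.yaml.tmpl hunks; the bootstrap service unit starts and ends outside this hunk.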
@@ -135,13 +137,35 @@ storage: inline: | KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube KUBELET_IMAGE_TAG=v1.16.3 + - path: /opt/bootstrap/layout + filesystem: root + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply filesystem: root mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/aws/container-linux/kubernetes/ssh.tf b/aws/container-linux/kubernetes/ssh.tf index 1d13aa55d..f180f3129 100644 --- a/aws/container-linux/kubernetes/ssh.tf +++ b/aws/container-linux/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. resource "null_resource" "copy-controller-secrets" { count = var.controller_count 
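Review bot: The private keys and kubeconfig that the awk line in `/opt/bootstrap/layout` unpacks are created under root's default umask (typically 022), so `tls/k8s/*`, `tls/etcd/etcd-client*` and `auth/kubeconfig` likely land in /etc/kubernetes/bootstrap-secrets as 0644 files in a 0755 directory, since the script only tightens modes under /etc/ssl/etcd; add `umask 077` directly after the `#!/bin/bash -e` line so every file and directory the script creates is private to root (the consumers visible here, kubelet and the bootstrap pod, appear to run as root). The awk pattern `/#####/` is unanchored, so a manifest line that merely contains `#####` would be taken as a header and redirect the following output to whatever word follows it; `awk '/^##### / {filename=$2; next} {print > filename}' assets` binds the match to the exact header the `assets_bundle` local emits. The `sudo` prefixes on the later mkdir/mv lines are redundant because remote-exec already invokes the script through sudo, and reading them as a privilege boundary would mislead. The same script is added in the aws/fedora-coreos, azure, both bare-metal and the digital-ocean controller template hunks; the apply script that follows continues outside this hunk.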
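Review bot: The `assets_bundle` local defines a wire format (a `##### <path>` header line followed by the file body) that is parsed by an awk one-liner in a different file, cl/controller.yaml.tmpl, and neither side documents the dependency, so changing the separator or the key layout on one side would break unpacking silently. Replace `# format assets for distribution` with a comment that names the contract, e.g. `# Pack assets into one bundle: each entry is a "##### <relative path>" header line followed by the file contents; /opt/bootstrap/layout (awk) splits on that header, so both sides must change together`. The values are private keys and kubeconfigs, which deserves a word in the same comment since nothing in the name `assets_bundle` says so. The identical locals block appears in the other five ssh.tf hunks.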
@@ -14,63 +23,13 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = module.bootstrap.etcd_ca_cert - destination = "$HOME/etcd-client-ca.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_cert - destination = "$HOME/etcd-client.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_key - destination = "$HOME/etcd-client.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_cert - destination = "$HOME/etcd-server.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_key - destination = "$HOME/etcd-server.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_cert - destination = "$HOME/etcd-peer.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_key - destination = "$HOME/etcd-peer.key" - } - - provisioner "file" { - source = var.asset_dir + content = join("\n", local.assets_bundle) destination = "$HOME/assets" } provisioner "remote-exec" { inline = [ - "sudo mkdir -p /etc/ssl/etcd/etcd", - "sudo mv etcd-client* /etc/ssl/etcd/", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt", - "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt", - "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt", - "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt", - "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", - "sudo chown -R etcd:etcd /etc/ssl/etcd", - "sudo chmod -R 500 /etc/ssl/etcd", - "sudo mv $HOME/assets /opt/bootstrap/assets", - "sudo mkdir -p /etc/kubernetes/manifests", - "sudo mkdir -p /etc/kubernetes/bootstrap-secrets", - "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/", - "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/", - "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/", + "sudo /opt/bootstrap/layout", ] 
} } diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf index f8651eae5..c2716fb8c 100644 --- a/aws/fedora-coreos/kubernetes/bootstrap.tf +++ b/aws/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml index dc2edb21e..8db338720 100644 --- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml @@ -119,6 +119,7 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/podman run --name bootstrap \ --network host \ + --volume /etc/kubernetes/bootstrap-secrets:/etc/kubernetes/secrets:ro,Z \ --volume /opt/bootstrap/assets:/assets:ro,Z \ --volume /opt/bootstrap/apply:/apply:ro,Z \ k8s.gcr.io/hyperkube:v1.16.3 \ 
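Review bot: `sudo /opt/bootstrap/layout` relies on the remote-exec shell's working directory being the directory the file provisioner wrote `$HOME/assets` into, because the layout script addresses `assets` and its scratch directories with relative paths; the previous inline sequence named `$HOME/assets` explicitly. Writing it as `"cd $HOME && sudo /opt/bootstrap/layout"` keeps that assumption visible (or pass the bundle path to the script as an argument). If the script fails midway under `bash -e`, the bundle and the partially unpacked scratch directories are left in the core user's home, which the single command gives no hint of; a short comment above the line noting that a failed run leaves `$HOME/assets` behind for cleanup would help the operator. The resource's connection block starts outside this hunk, and the same remote-exec rewrite is repeated in the other five ssh.tf hunks.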
@@ -135,12 +136,33 @@ storage: contents: inline: | ${kubeconfig} + - path: /opt/bootstrap/layout + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/aws/fedora-coreos/kubernetes/ssh.tf b/aws/fedora-coreos/kubernetes/ssh.tf index d4a61eb5b..f11ae0b25 100644 --- a/aws/fedora-coreos/kubernetes/ssh.tf +++ b/aws/fedora-coreos/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. resource "null_resource" "copy-controller-secrets" { count = var.controller_count 
@@ -12,65 +21,15 @@ resource "null_resource" "copy-controller-secrets" { user = "core" timeout = "15m" } - - provisioner "file" { - content = module.bootstrap.etcd_ca_cert - destination = "$HOME/etcd-client-ca.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_cert - destination = "$HOME/etcd-client.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_key - destination = "$HOME/etcd-client.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_cert - destination = "$HOME/etcd-server.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_key - destination = "$HOME/etcd-server.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_cert - destination = "$HOME/etcd-peer.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_key - destination = "$HOME/etcd-peer.key" - } - + provisioner "file" { - source = var.asset_dir + content = join("\n", local.assets_bundle) destination = "$HOME/assets" } provisioner "remote-exec" { inline = [ - "sudo mkdir -p /etc/ssl/etcd/etcd", - "sudo mv etcd-client* /etc/ssl/etcd/", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt", - "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt", - "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt", - "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt", - "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", - "sudo chown -R etcd:etcd /etc/ssl/etcd", - "sudo chmod -R 500 /etc/ssl/etcd", - "sudo mv $HOME/assets /opt/bootstrap/assets", - "sudo mkdir -p /etc/kubernetes/manifests", - "sudo mkdir -p /etc/kubernetes/bootstrap-secrets", - "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/", - "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/", - "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/" 
+ "sudo /opt/bootstrap/layout", ] } } diff --git a/azure/container-linux/kubernetes/bootstrap.tf b/azure/container-linux/kubernetes/bootstrap.tf index b82a5dd0b..e26c8cf21 100644 --- a/azure/container-linux/kubernetes/bootstrap.tf +++ b/azure/container-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/azure/container-linux/kubernetes/cl/controller.yaml.tmpl b/azure/container-linux/kubernetes/cl/controller.yaml.tmpl index 491350685..5e83e996a 100644 --- a/azure/container-linux/kubernetes/cl/controller.yaml.tmpl +++ b/azure/container-linux/kubernetes/cl/controller.yaml.tmpl @@ -106,6 +106,8 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/rkt run \ --trust-keys-from-https \ + --volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \ + --mount volume=config,target=/etc/kubernetes/secrets \ --volume assets,kind=host,source=/opt/bootstrap/assets \ --mount volume=assets,target=/assets \ --volume script,kind=host,source=/opt/bootstrap/apply \ 
@@ -133,13 +135,35 @@ storage: inline: | KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube KUBELET_IMAGE_TAG=v1.16.3 + - path: /opt/bootstrap/layout + filesystem: root + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply filesystem: root mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/azure/container-linux/kubernetes/ssh.tf b/azure/container-linux/kubernetes/ssh.tf index 2f0507f61..f93e096dd 100644 --- a/azure/container-linux/kubernetes/ssh.tf +++ b/azure/container-linux/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. resource "null_resource" "copy-controller-secrets" { count = var.controller_count 
@@ -13,65 +22,15 @@ resource "null_resource" "copy-controller-secrets" { user = "core" timeout = "15m" } - - provisioner "file" { - content = module.bootstrap.etcd_ca_cert - destination = "$HOME/etcd-client-ca.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_cert - destination = "$HOME/etcd-client.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_key - destination = "$HOME/etcd-client.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_cert - destination = "$HOME/etcd-server.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_key - destination = "$HOME/etcd-server.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_cert - destination = "$HOME/etcd-peer.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_key - destination = "$HOME/etcd-peer.key" - } - + provisioner "file" { - source = var.asset_dir + content = join("\n", local.assets_bundle) destination = "$HOME/assets" } provisioner "remote-exec" { inline = [ - "sudo mkdir -p /etc/ssl/etcd/etcd", - "sudo mv etcd-client* /etc/ssl/etcd/", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt", - "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt", - "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt", - "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt", - "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", - "sudo chown -R etcd:etcd /etc/ssl/etcd", - "sudo chmod -R 500 /etc/ssl/etcd", - "sudo mv $HOME/assets /opt/bootstrap/assets", - "sudo mkdir -p /etc/kubernetes/manifests", - "sudo mkdir -p /etc/kubernetes/bootstrap-secrets", - "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/", - "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/", - "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/", 
+ "sudo /opt/bootstrap/layout", ] } } diff --git a/bare-metal/container-linux/kubernetes/bootstrap.tf b/bare-metal/container-linux/kubernetes/bootstrap.tf index f04bc00e5..cb751a163 100644 --- a/bare-metal/container-linux/kubernetes/bootstrap.tf +++ b/bare-metal/container-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [var.k8s_domain_name] diff --git a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl index a6c1beced..2a6b32e49 100644 --- a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl +++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl @@ -121,6 +121,8 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/rkt run \ --trust-keys-from-https \ + --volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \ + --mount volume=config,target=/etc/kubernetes/secrets \ --volume assets,kind=host,source=/opt/bootstrap/assets \ --mount volume=assets,target=/assets \ --volume script,kind=host,source=/opt/bootstrap/apply \ 
@@ -148,13 +150,35 @@ storage: contents: inline: ${domain_name} + - path: /opt/bootstrap/layout + filesystem: root + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply filesystem: root mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/bare-metal/container-linux/kubernetes/ssh.tf b/bare-metal/container-linux/kubernetes/ssh.tf index 5edea88e4..fcab47358 100644 --- a/bare-metal/container-linux/kubernetes/ssh.tf +++ b/bare-metal/container-linux/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. Activates kubelet.service resource "null_resource" "copy-controller-secrets" { count = length(var.controllers) 
@@ -24,64 +33,14 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = module.bootstrap.etcd_ca_cert - destination = "$HOME/etcd-client-ca.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_cert - destination = "$HOME/etcd-client.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_key - destination = "$HOME/etcd-client.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_cert - destination = "$HOME/etcd-server.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_key - destination = "$HOME/etcd-server.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_cert - destination = "$HOME/etcd-peer.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_key - destination = "$HOME/etcd-peer.key" - } - - provisioner "file" { - source = var.asset_dir + content = join("\n", local.assets_bundle) destination = "$HOME/assets" } provisioner "remote-exec" { inline = [ - "sudo mkdir -p /etc/ssl/etcd/etcd", - "sudo mv etcd-client* /etc/ssl/etcd/", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt", - "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt", - "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt", - "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt", - "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", - "sudo chown -R etcd:etcd /etc/ssl/etcd", - "sudo chmod -R 500 /etc/ssl/etcd", - "sudo mv $HOME/assets /opt/bootstrap/assets", - "sudo mkdir -p /etc/kubernetes/manifests", - "sudo mkdir -p /etc/kubernetes/bootstrap-secrets", "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", - "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/", - "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/", - "sudo cp -r /opt/bootstrap/assets/static-manifests/* 
/etc/kubernetes/manifests/", + "sudo /opt/bootstrap/layout", ] } } diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf index eeb55a8b3..d04849434 100644 --- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf +++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [var.k8s_domain_name] diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml index a88013b8d..2132bb247 100644 --- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml +++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml @@ -130,6 +130,7 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/podman run --name bootstrap \ --network host \ + --volume /etc/kubernetes/bootstrap-secrets:/etc/kubernetes/secrets:ro,Z \ --volume /opt/bootstrap/assets:/assets:ro,Z \ --volume /opt/bootstrap/apply:/apply:ro,Z \ k8s.gcr.io/hyperkube:v1.16.3 \ 
@@ -146,12 +147,33 @@ storage: contents: inline: ${domain_name} + - path: /opt/bootstrap/layout + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/bare-metal/fedora-coreos/kubernetes/ssh.tf b/bare-metal/fedora-coreos/kubernetes/ssh.tf index 8ad6d0d1e..560d96fe8 100644 --- a/bare-metal/fedora-coreos/kubernetes/ssh.tf +++ b/bare-metal/fedora-coreos/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. Activates kubelet.service resource "null_resource" "copy-controller-secrets" { count = length(var.controllers) 
@@ -23,62 +32,14 @@ resource "null_resource" "copy-controller-secrets" { } provisioner "file" { - content = module.bootstrap.etcd_ca_cert - destination = "$HOME/etcd-client-ca.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_cert - destination = "$HOME/etcd-client.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_client_key - destination = "$HOME/etcd-client.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_cert - destination = "$HOME/etcd-server.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_server_key - destination = "$HOME/etcd-server.key" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_cert - destination = "$HOME/etcd-peer.crt" - } - - provisioner "file" { - content = module.bootstrap.etcd_peer_key - destination = "$HOME/etcd-peer.key" - } - - provisioner "file" { - source = var.asset_dir + content = join("\n", local.assets_bundle) destination = "$HOME/assets" } provisioner "remote-exec" { inline = [ - "sudo mkdir -p /etc/ssl/etcd/etcd", - "sudo mv etcd-client* /etc/ssl/etcd/", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt", - "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt", - "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key", - "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt", - "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt", - "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key", - "sudo mv $HOME/assets /opt/bootstrap/assets", - "sudo mkdir -p /etc/kubernetes/manifests", - "sudo mkdir -p /etc/kubernetes/bootstrap-secrets", "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", - "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/", - "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/", - "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/" + "sudo /opt/bootstrap/layout", ] } } 
diff --git a/digital-ocean/container-linux/kubernetes/bootstrap.tf b/digital-ocean/container-linux/kubernetes/bootstrap.tf index 9a762a5c1..196ae533d 100644 --- a/digital-ocean/container-linux/kubernetes/bootstrap.tf +++ b/digital-ocean/container-linux/kubernetes/bootstrap.tf @@ -1,6 +1,6 @@ # Kubernetes assets (kubeconfig, manifests) module "bootstrap" { - source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999" + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6" cluster_name = var.cluster_name api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] diff --git a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl index ffc8cf329..8c94dd65a 100644 --- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl +++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl @@ -118,6 +118,8 @@ systemd: ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*' ExecStart=/usr/bin/rkt run \ --trust-keys-from-https \ + --volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \ + --mount volume=config,target=/etc/kubernetes/secrets \ --volume assets,kind=host,source=/opt/bootstrap/assets \ --mount volume=assets,target=/assets \ --volume script,kind=host,source=/opt/bootstrap/apply \ 
@@ -139,13 +141,35 @@ storage: inline: | KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube KUBELET_IMAGE_TAG=v1.16.3 + - path: /opt/bootstrap/layout + filesystem: root + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking + rm -rf assets auth static-manifests tls - path: /opt/bootstrap/apply filesystem: root mode: 0544 contents: inline: | #!/bin/bash -e - export KUBECONFIG=/assets/auth/kubeconfig + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig until kubectl version; do echo "Waiting for static pod control plane" sleep 5 diff --git a/digital-ocean/container-linux/kubernetes/ssh.tf b/digital-ocean/container-linux/kubernetes/ssh.tf index 12f5bcb90..469fc947d 100644 --- a/digital-ocean/container-linux/kubernetes/ssh.tf +++ b/digital-ocean/container-linux/kubernetes/ssh.tf @@ -1,3 +1,12 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist: + format("##### %s\n%s", key, value) + ] +} + # Secure copy assets to controllers. Activates kubelet.service resource "null_resource" "copy-controller-secrets" { count = var.controller_count 
@@ -20,64 +29,14 @@ resource "null_resource" "copy-controller-secrets" {
 }

 provisioner "file" {
- content = module.bootstrap.etcd_ca_cert
- destination = "$HOME/etcd-client-ca.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_client_cert
- destination = "$HOME/etcd-client.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_client_key
- destination = "$HOME/etcd-client.key"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_server_cert
- destination = "$HOME/etcd-server.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_server_key
- destination = "$HOME/etcd-server.key"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_peer_cert
- destination = "$HOME/etcd-peer.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_peer_key
- destination = "$HOME/etcd-peer.key"
- }
-
- provisioner "file" {
- source = var.asset_dir
+ content = join("\n", local.assets_bundle)
 destination = "$HOME/assets"
 }

 provisioner "remote-exec" {
 inline = [
- "sudo mkdir -p /etc/ssl/etcd/etcd",
- "sudo mv etcd-client* /etc/ssl/etcd/",
- "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
- "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
- "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
- "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
- "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
- "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
- "sudo chown -R etcd:etcd /etc/ssl/etcd",
- "sudo chmod -R 500 /etc/ssl/etcd",
- "sudo mv $HOME/assets /opt/bootstrap/assets",
- "sudo mkdir -p /etc/kubernetes/manifests",
- "sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
 "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig",
- "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
- "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
- "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
+ "sudo /opt/bootstrap/layout",
 ]
 }
}
diff --git a/google-cloud/container-linux/kubernetes/bootstrap.tf b/google-cloud/container-linux/kubernetes/bootstrap.tf
index 157944f53..36ae40e33 100644
--- a/google-cloud/container-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=0f1f16c612a6877d25a3fedcb476b3087a3de999"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=dce49114a083436c5af6d9174b9c1248786ba3b6"

 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
index 49ed0fc25..caf120ee9 100644
--- a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -107,6 +107,8 @@ systemd:
 ExecStartPre=-/usr/bin/bash -c 'set -x && [ -n "$(ls /opt/bootstrap/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootstrap/assets/manifests-*/* /opt/bootstrap/assets/manifests && rm -rf /opt/bootstrap/assets/manifests-*'
 ExecStart=/usr/bin/rkt run \
 --trust-keys-from-https \
+ --volume config,kind=host,source=/etc/kubernetes/bootstrap-secrets \
+ --mount volume=config,target=/etc/kubernetes/secrets \
 --volume assets,kind=host,source=/opt/bootstrap/assets \
 --mount volume=assets,target=/assets \
 --volume script,kind=host,source=/opt/bootstrap/apply \
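Review bot: `"sudo /opt/bootstrap/layout"` relies on the remote shell's working directory being the `$HOME` where the file provisioner placed `assets`, because the layout script refers to `assets`, `auth`, `tls` and the manifest directories relatively, whereas the removed inline commands named `$HOME/assets` explicitly. Making that dependency explicit, `"cd $HOME && sudo /opt/bootstrap/layout"`, or passing the bundle path to the script as an argument, avoids a silent misbehaviour if the provisioner's shell starts elsewhere. Note also that between the file provisioner and this remote-exec the complete private-key bundle sits as a regular file in the core user's home; if the remote-exec step fails, it stays there until the resource is re-applied or someone removes it by hand. The google-cloud/container-linux/kubernetes/ssh.tf hunk below has the same shape.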
@@ -134,13 +136,35 @@ storage:
 inline: |
 KUBELET_IMAGE_URL=docker://k8s.gcr.io/hyperkube
 KUBELET_IMAGE_TAG=v1.16.3
+ - path: /opt/bootstrap/layout
+ filesystem: root
+ mode: 0544
+ contents:
+ inline: |
+ #!/bin/bash -e
+ mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking
+ awk '/#####/ {filename=$2; next} {print > filename}' assets
+ mkdir -p /etc/ssl/etcd/etcd
+ mkdir -p /etc/kubernetes/bootstrap-secrets
+ mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/
+ mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
+ chown -R etcd:etcd /etc/ssl/etcd
+ chmod -R 500 /etc/ssl/etcd
+ mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
+ sudo mkdir -p /etc/kubernetes/manifests
+ sudo mv static-manifests/* /etc/kubernetes/manifests/
+ sudo mkdir -p /opt/bootstrap/assets
+ sudo mv manifests /opt/bootstrap/assets/manifests
+ sudo mv manifests-networking /opt/bootstrap/assets/manifests-networking
+ rm -rf assets auth static-manifests tls
 - path: /opt/bootstrap/apply
 filesystem: root
 mode: 0544
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/assets/auth/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/google-cloud/container-linux/kubernetes/ssh.tf b/google-cloud/container-linux/kubernetes/ssh.tf
index a85e23d1e..f6983447e 100644
--- a/google-cloud/container-linux/kubernetes/ssh.tf
+++ b/google-cloud/container-linux/kubernetes/ssh.tf
@@ -1,3 +1,12 @@
+locals {
+ # format assets for distribution
+ assets_bundle = [
+ # header with the unpack location
+ for key, value in module.bootstrap.assets_dist:
+ format("##### %s\n%s", key, value)
+ ]
+}
+
 # Secure copy assets to controllers.
 resource "null_resource" "copy-controller-secrets" {
 count = var.controller_count
@@ -12,65 +21,15 @@ resource "null_resource" "copy-controller-secrets" {
 user = "core"
 timeout = "15m"
 }
-
- provisioner "file" {
- content = module.bootstrap.etcd_ca_cert
- destination = "$HOME/etcd-client-ca.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_client_cert
- destination = "$HOME/etcd-client.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_client_key
- destination = "$HOME/etcd-client.key"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_server_cert
- destination = "$HOME/etcd-server.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_server_key
- destination = "$HOME/etcd-server.key"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_peer_cert
- destination = "$HOME/etcd-peer.crt"
- }
-
- provisioner "file" {
- content = module.bootstrap.etcd_peer_key
- destination = "$HOME/etcd-peer.key"
- }
-
+
 provisioner "file" {
- source = var.asset_dir
+ content = join("\n", local.assets_bundle)
 destination = "$HOME/assets"
 }

 provisioner "remote-exec" {
 inline = [
- "sudo mkdir -p /etc/ssl/etcd/etcd",
- "sudo mv etcd-client* /etc/ssl/etcd/",
- "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/server-ca.crt",
- "sudo mv etcd-server.crt /etc/ssl/etcd/etcd/server.crt",
- "sudo mv etcd-server.key /etc/ssl/etcd/etcd/server.key",
- "sudo cp /etc/ssl/etcd/etcd-client-ca.crt /etc/ssl/etcd/etcd/peer-ca.crt",
- "sudo mv etcd-peer.crt /etc/ssl/etcd/etcd/peer.crt",
- "sudo mv etcd-peer.key /etc/ssl/etcd/etcd/peer.key",
- "sudo chown -R etcd:etcd /etc/ssl/etcd",
- "sudo chmod -R 500 /etc/ssl/etcd",
- "sudo mv $HOME/assets /opt/bootstrap/assets",
- "sudo mkdir -p /etc/kubernetes/manifests",
- "sudo mkdir -p /etc/kubernetes/bootstrap-secrets",
- "sudo cp -r /opt/bootstrap/assets/tls/* /etc/kubernetes/bootstrap-secrets/",
- "sudo cp /opt/bootstrap/assets/auth/kubeconfig /etc/kubernetes/bootstrap-secrets/",
- "sudo cp -r /opt/bootstrap/assets/static-manifests/* /etc/kubernetes/manifests/",
+ "sudo /opt/bootstrap/layout",
 ]
 }
}