Add/update docs for asset_dir and kubeconfig usage

* Original tutorials favored including the platform (e.g.
google-cloud) in modules (e.g. google-cloud-yavin). Prefer
naming conventions where each module / cluster has a simple
name (e.g. yavin) since the platform is usually redundant
* Retain the example cluster naming themes per platform

CHANGES.md

@@ -4,9 +4,15 @@ Notable changes between versions.
 
 ## Latest
 
+* Manage clusters without using a local `asset_dir` ([#595](https://github.com/poseidon/typhoon/pull/595))
+  * Change `asset_dir` to be optional. Default to "" to skip writing assets locally
+  * Keep cluster assets (TLS materials, kubeconfig) only in Terraform state, which supports different [remote backends](https://www.terraform.io/docs/backends/types/remote.html) and optional encryption at rest
+  * Allow `terraform apply` from stateless automation systems
+  * Improve asset unpacking on controllers to remove unused materials
+  * Obtain a kubeconfig from Terraform module outputs
 * Update CoreDNS from v1.6.2 to v1.6.5 ([#588](https://github.com/poseidon/typhoon/pull/588))
   * Add health `lameduck` option to wait before shutdown
-* Add CPU requests to control plane static pods ([#589](https://github.com/poseidon/typhoon/pull/589))
+* Add CPU requests for control plane static pods ([#589](https://github.com/poseidon/typhoon/pull/589))
   * May provide slight edge case benefits and aligns with upstream
 * Replace usage of `template_dir` with `templatefile` function ([#587](https://github.com/poseidon/typhoon/pull/587))
   * Require Terraform version v0.12.6+ (action required)

README.md

@@ -47,7 +47,7 @@ A preview of Typhoon for [Fedora CoreOS](https://getfedora.org/coreos/) is avail
 Define a Kubernetes cluster by using the Terraform module for your chosen platform and operating system. Here's a minimal example:
 
 ```tf
-module "google-cloud-yavin" {
+module "yavin" {
   source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes?ref=v1.16.3"
 
   # Google Cloud
@@ -58,12 +58,17 @@ module "google-cloud-yavin" {
 
   # configuration
   ssh_authorized_key = "ssh-rsa AAAAB3Nz..."
-  asset_dir          = "/home/user/.secrets/clusters/yavin"
   
   # optional
   worker_count = 2
   worker_preemptible = true
 }
+
+# Obtain cluster kubeconfig
+resource "local_file" "kubeconfig-yavin" {
+  content  = module.yavin.kubeconfig-admin
+  filename = "/home/user/.kube/configs/yavin-config"
+}
 ```
 
 Initialize modules, plan the changes to be made, and apply the changes.
@@ -79,7 +84,7 @@ Apply complete! Resources: 64 added, 0 changed, 0 destroyed.
 In 4-8 minutes (varies by platform), the cluster will be ready. This Google Cloud example creates a `yavin.example.com` DNS record to resolve to a network load balancer across controller nodes.
 
 ```sh
-$ export KUBECONFIG=/home/user/.secrets/clusters/yavin/auth/kubeconfig
+$ export KUBECONFIG=/home/user/.kube/configs/yavin-config
 $ kubectl get nodes
 NAME                                       ROLES    STATUS  AGE  VERSION
 yavin-controller-0.c.example-com.internal  <none>   Ready   6m   v1.16.3

aws/container-linux/kubernetes/variables.tf

@@ -99,6 +99,7 @@ variable "ssh_authorized_key" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

aws/fedora-coreos/kubernetes/variables.tf

@@ -99,6 +99,7 @@ variable "ssh_authorized_key" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

azure/container-linux/kubernetes/variables.tf

@@ -86,6 +86,7 @@ variable "ssh_authorized_key" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

bare-metal/container-linux/kubernetes/variables.tf

@@ -70,6 +70,7 @@ variable "ssh_authorized_key" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

bare-metal/fedora-coreos/kubernetes/variables.tf

@@ -71,6 +71,7 @@ variable "ssh_authorized_key" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

digital-ocean/container-linux/kubernetes/variables.tf

@@ -69,6 +69,7 @@ variable "ssh_fingerprints" {
 variable "asset_dir" {
   type        = string
   description = "Absolute path to a directory where generated assets should be placed (contains secrets)"
+  default     = ""
 }
 
 variable "networking" {

docs/addons/ingress.md

@@ -31,7 +31,7 @@ resource "google_dns_record_set" "some-application" {
   name    = "app.example.com."
   type    = "CNAME"
   ttl     = 300
-  rrdatas = ["${module.aws-tempest.ingress_dns_name}."]
+  rrdatas = ["${module.tempest.ingress_dns_name}."]
 }
 ```
 
@@ -64,7 +64,7 @@ resource "google_dns_record_set" "some-application" {
   name    = "app.example.com."
   type    = "A"
   ttl     = 300
-  rrdatas = [module.azure-ramius.ingress_static_ipv4]
+  rrdatas = [module.ramius.ingress_static_ipv4]
 }
 ```
 
@@ -120,7 +120,7 @@ resource "google_dns_record_set" "some-application" {
   name    = "app.example.com."
   type    = "CNAME"
   ttl     = 300
-  rrdatas = ["${module.digital-ocean-nemo.workers_dns}."]
+  rrdatas = ["${module.nemo.workers_dns}."]
 }
 ```
 
@@ -158,7 +158,7 @@ resource "google_dns_record_set" "app-record-a" {
   name    = "app.example.com."
   type    = "A"
   ttl     = 300
-  rrdatas = [module.google-cloud-yavin.ingress_static_ipv4]
+  rrdatas = [module.yavin.ingress_static_ipv4]
 }
 
 resource "google_dns_record_set" "app-record-aaaa" {
@@ -169,6 +169,6 @@ resource "google_dns_record_set" "app-record-aaaa" {
   name    = "app.example.com."
   type    = "AAAA"
   ttl     = 300
-  rrdatas = [module.google-cloud-yavin.ingress_static_ipv6]
+  rrdatas = [module.yavin.ingress_static_ipv6]
 }
 ```

docs/advanced/customization.md

@@ -72,7 +72,7 @@ Write Container Linux Configs *snippets* as files in the repository where you ke
 [AWS](/cl/aws/#cluster), [Azure](/cl/azure/#cluster), [DigitalOcean](/cl/digital-ocean/#cluster), and [Google Cloud](/cl/google-cloud/#cluster) clusters allow populating a list of `controller_clc_snippets` or `worker_clc_snippets`.
 
 ```
-module "digital-ocean-nemo" {
+module "nemo" {
   ...
 
   controller_count        = 1
@@ -92,7 +92,7 @@ module "digital-ocean-nemo" {
 [Bare-Metal](/cl/bare-metal/#cluster) clusters allow different Container Linux snippets to be used for each node (since hardware may be heterogeneous). Populate the optional `clc_snippets` map variable with any controller or worker name keys and lists of snippets.
 
 ```
-module "bare-metal-mercury" {
+module "mercury" {
   ...
   controller_names = ["node1"]
   worker_names = [
@@ -141,7 +141,7 @@ Container Linux Configs (and the CoreOS Ignition system) create immutable infras
 Typhoon chooses variables to expose with purpose. If you must customize clusters in ways that aren't supported by input variables, fork Typhoon and maintain a repository with customizations. Reference the repository by changing the username.
 
 ```
-module "digital-ocean-nemo" {
+module "nemo" {
   source = "git::https://github.com/USERNAME/typhoon//digital-ocean/container-linux/kubernetes?ref=myspecialcase"
   ...
 }

docs/advanced/worker-pools.md

@@ -17,13 +17,13 @@ module "tempest-worker-pool" {
   source = "git::https://github.com/poseidon/typhoon//aws/container-linux/kubernetes/workers?ref=v1.14.3"
 
   # AWS
-  vpc_id          = module.aws-tempest.vpc_id
-  subnet_ids      = module.aws-tempest.subnet_ids
-  security_groups = module.aws-tempest.worker_security_groups
+  vpc_id          = module.tempest.vpc_id
+  subnet_ids      = module.tempest.subnet_ids
+  security_groups = module.tempest.worker_security_groups
   
   # configuration
   name               = "tempest-pool"
-  kubeconfig         = module.aws-tempest.kubeconfig
+  kubeconfig         = module.tempest.kubeconfig
   ssh_authorized_key = var.ssh_authorized_key
 
   # optional
@@ -82,15 +82,15 @@ module "ramius-worker-pool" {
   source = "git::https://github.com/poseidon/typhoon//azure/container-linux/kubernetes/workers?ref=v1.16.3"
   
   # Azure
-  region                  = module.azure-ramius.region
-  resource_group_name     = module.azure-ramius.resource_group_name
-  subnet_id               = module.azure-ramius.subnet_id
-  security_group_id       = module.azure-ramius.security_group_id
-  backend_address_pool_id = module.azure-ramius.backend_address_pool_id
+  region                  = module.ramius.region
+  resource_group_name     = module.ramius.resource_group_name
+  subnet_id               = module.ramius.subnet_id
+  security_group_id       = module.ramius.security_group_id
+  backend_address_pool_id = module.ramius.backend_address_pool_id
 
   # configuration
   name               = "ramius-low-priority"
-  kubeconfig         = module.azure-ramius.kubeconfig
+  kubeconfig         = module.ramius.kubeconfig
   ssh_authorized_key = var.ssh_authorized_key
 
   # optional
@@ -149,12 +149,12 @@ module "yavin-worker-pool" {
 
   # Google Cloud
   region       = "europe-west2"
-  network      = module.google-cloud-yavin.network_name
+  network      = module.yavin.network_name
   cluster_name = "yavin"
 
   # configuration
   name               = "yavin-16x"
-  kubeconfig         = module.google-cloud-yavin.kubeconfig
+  kubeconfig         = module.yavin.kubeconfig
   ssh_authorized_key = var.ssh_authorized_key
   
   # optional

docs/architecture/concepts.md

@@ -47,7 +47,7 @@ Terraform [modules](https://www.terraform.io/docs/modules/usage.html) allow a co
 Clusters are declared in Terraform by referencing the module.
 
 ```tf
-module "google-cloud-yavin" {
+module "yavin" {
   source = "git::https://github.com/poseidon/typhoon//google-cloud/container-linux/kubernetes"
   cluster_name = "yavin"
   ...

docs/cl/aws.md

@@ -79,7 +79,6 @@ module "tempest" {
 
   # configuration
   ssh_authorized_key = "ssh-rsa AAAAB3Nz..."
-  asset_dir          = "/home/user/.secrets/clusters/tempest"
 
   # optional
   worker_count = 2
@@ -118,9 +117,9 @@ Apply the changes to create the cluster.
 ```sh
 $ terraform apply
 ...
-module.aws-tempest.null_resource.bootstrap: Still creating... (4m50s elapsed)
-module.aws-tempest.null_resource.bootstrap: Still creating... (5m0s elapsed)
-module.aws-tempest.null_resource.bootstrap: Creation complete after 11m8s (ID: 3961816482286168143)
+module.tempest.null_resource.bootstrap: Still creating... (4m50s elapsed)
+module.tempest.null_resource.bootstrap: Still creating... (5m0s elapsed)
+module.tempest.null_resource.bootstrap: Creation complete after 11m8s (ID: 3961816482286168143)
 
 Apply complete! Resources: 98 added, 0 changed, 0 destroyed.
 ```
@@ -129,10 +128,19 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 
 ## Verify
 
-[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your system. Use the generated `kubeconfig` credentials to access the Kubernetes cluster and list nodes.
+[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your system. Obtain the generated cluster `kubeconfig` from module outputs (e.g. write to a local file).
 
 ```
-$ export KUBECONFIG=/home/user/.secrets/clusters/tempest/auth/kubeconfig
+resource "local_file" "kubeconfig-tempest" {
+  content  = module.tempest.kubeconfig-admin
+  filename = "/home/user/.kube/configs/tempest-config"
+}
+```
+
+List nodes in the cluster.
+
+```
+$ export KUBECONFIG=/home/user/.kube/configs/tempest-config
 $ kubectl get nodes
 NAME           STATUS  ROLES   AGE  VERSION
 ip-10-0-3-155  Ready   <none>  10m  v1.16.3
@@ -177,7 +185,6 @@ Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/aws/con
 | dns_zone | AWS Route53 DNS zone | "aws.example.com" |
 | dns_zone_id | AWS Route53 DNS zone id | "Z3PAABBCFAKEC0" |
 | ssh_authorized_key | SSH public key for user 'core' | "ssh-rsa AAAAB3NZ..." |
-| asset_dir | Absolute path to a directory where generated assets should be placed (contains secrets) | "/home/user/.secrets/clusters/tempest" |
 
 #### DNS Zone
 
@@ -200,6 +207,7 @@ Reference the DNS zone id with `aws_route53_zone.zone-for-clusters.zone_id`.
 
 | Name | Description | Default | Example |
 |:-----|:------------|:--------|:--------|
+| asset_dir | Absolute path to a directory where generated assets should be placed (contains secrets) | "" (disabled) | "/home/user/.secrets/clusters/tempest" |
 | controller_count | Number of controllers (i.e. masters) | 1 | 1 |
 | worker_count | Number of workers | 1 | 3 |
 | controller_type | EC2 instance type for controllers | "t3.small" | See below |

docs/cl/azure.md

@@ -76,7 +76,6 @@ module "ramius" {
 
   # configuration
   ssh_authorized_key = "ssh-rsa AAAAB3Nz..."
-  asset_dir          = "/home/user/.secrets/clusters/ramius"
 
   # optional
   worker_count    = 2
@@ -115,9 +114,9 @@ Apply the changes to create the cluster.
 ```sh
 $ terraform apply
 ...
-module.azure-ramius.null_resource.bootstrap: Still creating... (6m50s elapsed)
-module.azure-ramius.null_resource.bootstrap: Still creating... (7m0s elapsed)
-module.azure-ramius.null_resource.bootstrap: Creation complete after 7m8s (ID: 3961816482286168143)
+module.ramius.null_resource.bootstrap: Still creating... (6m50s elapsed)
+module.ramius.null_resource.bootstrap: Still creating... (7m0s elapsed)
+module.ramius.null_resource.bootstrap: Creation complete after 7m8s (ID: 3961816482286168143)
 
 Apply complete! Resources: 86 added, 0 changed, 0 destroyed.
 ```
@@ -126,10 +125,19 @@ In 4-8 minutes, the Kubernetes cluster will be ready.
 
 ## Verify
 
-[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your system. Use the generated `kubeconfig` credentials to access the Kubernetes cluster and list nodes.
+[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your system. Obtain the generated cluster `kubeconfig` from module outputs (e.g. write to a local file).
 
 ```
-$ export KUBECONFIG=/home/user/.secrets/clusters/ramius/auth/kubeconfig
+resource "local_file" "kubeconfig-ramius" {
+  content  = module.ramius.kubeconfig-admin
+  filename = "/home/user/.kube/configs/ramius-config"
+}
+```
+
+List nodes in the cluster.
+
+```
+$ export KUBECONFIG=/home/user/.kube/configs/ramius-config
 $ kubectl get nodes
 NAME                  STATUS  ROLES   AGE  VERSION
 ramius-controller-0   Ready   <none>  24m  v1.16.3
@@ -175,7 +183,6 @@ Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/azure/c
 | dns_zone | Azure DNS zone | "azure.example.com" |
 | dns_zone_group | Resource group where the Azure DNS zone resides | "global" |
 | ssh_authorized_key | SSH public key for user 'core' | "ssh-rsa AAAAB3NZ..." |
-| asset_dir | Absolute path to a directory where generated assets should be placed (contains secrets) | "/home/user/.secrets/clusters/ramius" |
 
 !!! tip
     Regions are shown in [docs](https://azure.microsoft.com/en-us/global-infrastructure/regions/) or with `az account list-locations --output table`.
@@ -211,6 +218,7 @@ Reference the DNS zone with `azurerm_dns_zone.clusters.name` and its resource gr
 
 | Name | Description | Default | Example |
 |:-----|:------------|:--------|:--------|
+| asset_dir | Absolute path to a directory where generated assets should be placed (contains secrets) | "" (disabled) | "/home/user/.secrets/clusters/ramius" |
 | controller_count | Number of controllers (i.e. masters) | 1 | 1 |
 | worker_count | Number of workers | 1 | 3 |
 | controller_type | Machine type for controllers | "Standard_B2s" | See below |