// All nodes should belong to system:nodes group
//
// Renders resources/cfssl-new-cert.sh for the per-node *client* certificate
// (cert_name "node"). The CN is "system:node:<name>", where <name> comes from
// "$(...)": that is shell command substitution left in the rendered script and
// expanded on the node at runtime, not by Terraform. The node therefore asserts
// its own identity in the CSR; whatever signs it (cfssl profile "client" here)
// is what binds the name to the host. NOTE(review): confirm the signer/approver
// side enforces the system:node:<name> naming rather than trusting the CSR.
// NOTE(review): the template provider is deprecated upstream in favour of the
// built-in templatefile(); switching would change the data.template_file.*
// addresses referenced elsewhere in this file, so it is not done here.
data "template_file" "node-cfssl-new-cert" {
  template = file("${path.module}/resources/cfssl-new-cert.sh")
  vars = {
    cert_name = "node"
    // user/group/path: presumably owner and location of the written key and
    // cert (see cfssl-new-cert.sh) — /etc/kubernetes/ssl is shared with the
    // kubelet serving cert below.
    user    = "root"
    group   = "root"
    profile = "client"
    path    = "/etc/kubernetes/ssl"
    // Per-provider command that prints the node name; selected by cloud_provider.
    cn  = "system:node:$(${var.node_name_command[var.cloud_provider]})"
    org = "system:nodes" // O field; for an x509 client cert this is the Kubernetes group
    // Both commands are run by the script on the node (not at plan time).
    get_ip       = var.get_ip_command[var.cloud_provider]
    get_hostname = var.node_name_command[var.cloud_provider]
    extra_names  = "" // presumably additional SANs; none for the client cert
  }
}
// Installs the rendered node-cert helper as an executable on the node.
data "ignition_file" "node-cfssl-new-cert" {
  mode       = 493 # 0755 in decimal: executable script, readable by all
  filesystem = "root"
  path       = "/opt/bin/cfssl-new-cert"
  content {
    content = data.template_file.node-cfssl-new-cert.rendered
  }
}
// Get a cert for the kubelet to serve with
//
// Same helper script as the node client cert, but with cert_name "kubelet",
// profile "client-server" and CN "system:kubelet:<name>". As above, the name
// is produced by a command run on the node via "$(...)". NOTE(review): the
// SANs presumably come from get_ip/get_hostname inside the script — confirm
// they cover every address the API server uses to reach the kubelet, otherwise
// serving-cert validation fails.
data "template_file" "node-kubelet-cfssl-new-cert" {
  template = file("${path.module}/resources/cfssl-new-cert.sh")
  vars = {
    cert_name = "kubelet"
    user      = "root"
    group     = "root"
    profile   = "client-server" // presumably adds serverAuth EKU — see the cfssl CA profiles
    path      = "/etc/kubernetes/ssl"
    cn        = "system:kubelet:$(${var.node_name_command[var.cloud_provider]})"
    org       = "system:kubelets"
    get_ip       = var.get_ip_command[var.cloud_provider]
    get_hostname = var.node_name_command[var.cloud_provider]
    extra_names  = ""
  }
}
// Installs the rendered kubelet serving-cert helper as an executable on the node.
data "ignition_file" "node-kubelet-cfssl-new-cert" {
  mode       = 493 # 0755 in decimal
  filesystem = "root"
  path       = "/opt/bin/cfssl-new-kubelet-cert"
  content {
    content = data.template_file.node-kubelet-cfssl-new-cert.rendered
  }
}
// Kubeconfig will be the same for all kubernetes nodes as it only
// contains master address and certs
//
// Renders resources/node-kubeconfig with the single variable master_address.
data "template_file" "node-kubeconfig" {
  template = file("${path.module}/resources/node-kubeconfig")
  vars = {
    master_address = var.master_address
  }
}
// Writes the kubelet's kubeconfig. Mode 0644 is world-readable, which is only
// acceptable because (per the comment above) the file holds the master address
// and certificate references, not key material. NOTE(review): confirm
// resources/node-kubeconfig never inlines client-key-data; if it ever does,
// tighten mode to 384 (0600).
data "ignition_file" "node-kubeconfig" {
  mode       = 420 # 0644 in decimal
  filesystem = "root"
  path       = "/var/lib/kubelet/kubeconfig"
  content {
    content = data.template_file.node-kubeconfig.rendered
  }
}
// Kubelet config
//
// Renders resources/node-kubelet-conf.yaml. cluster_dns and feature_gates are
// pre-rendered YAML fragments (locals), so the template is expected to splice
// them in verbatim; the remaining values are passed through from variables.
data "template_file" "node-kubelet-conf" {
  template = file("${path.module}/resources/node-kubelet-conf.yaml")
  vars = {
    cluster_dns                       = local.cluster_dns_yaml
    feature_gates                     = local.feature_gates_yaml_fragment
    kubelet_cgroup_v2_runtime_enabled = var.kubelet_cgroup_v2_runtime_enabled
    system_reserved_cpu               = var.system_reserved_cpu
    system_reserved_memory            = var.system_reserved_memory
    use_deprecated_docker_runtime     = var.use_deprecated_docker_runtime
  }
}
// Writes the rendered kubelet configuration file (0644: no secrets expected here).
data "ignition_file" "node-kubelet-conf" {
  mode       = 420 # 0644 in decimal
  filesystem = "root"
  path       = "/etc/kubernetes/config/node-kubelet-conf.yaml"
  content {
    content = data.template_file.node-kubelet-conf.rendered
  }
}
// Common prometheus text-collector metrics for nodes
//
// Unit file read verbatim (no vars) for the tmpfs directory the text
// collector writes into.
data "template_file" "prometheus-tmpfs-dir" {
  template = file("${path.module}/resources/prometheus-tmpfs-dir.service")
}
data "ignition_systemd_unit" "prometheus-tmpfs-dir" {
  name = "prometheus-tmpfs-dir.service"
  // Not enabled here: started on demand via the prometheus-ro-rootfs.timer
  // chain. The timer fires prometheus-ro-rootfs.service by name, so this unit
  // is presumably pulled in by that service (Requires=/Wants=) — NOTE(review):
  // confirm in resources/prometheus-ro-rootfs.service.
  enabled = false
  content = data.template_file.prometheus-tmpfs-dir.rendered
}
// Service unit read verbatim (no vars); runs /opt/bin/prometheus-ro-rootfs below.
data "template_file" "prometheus-ro-rootfs" {
  template = file("${path.module}/resources/prometheus-ro-rootfs.service")
}
data "ignition_systemd_unit" "prometheus-ro-rootfs" {
  name    = "prometheus-ro-rootfs.service"
  enabled = false # not enabled because this service is started by prometheus-ro-rootfs.timer
  content = data.template_file.prometheus-ro-rootfs.rendered
}
// Timer unit read verbatim (no vars).
data "template_file" "prometheus-ro-rootfs-timer" {
  template = file("${path.module}/resources/prometheus-ro-rootfs.timer")
}
// The timer is the only unit of the trio that is enabled: `enabled` is left
// at the provider default (presumably true — verify against the ignition
// provider version in use) so it drives prometheus-ro-rootfs.service on schedule.
data "ignition_systemd_unit" "prometheus-ro-rootfs-timer" {
  name    = "prometheus-ro-rootfs.timer"
  content = data.template_file.prometheus-ro-rootfs-timer.rendered
}
// Installs the collector script itself; copied byte-for-byte with file(), not
// rendered, so it must not contain template syntax.
data "ignition_file" "prometheus-ro-rootfs" {
  mode       = 493 # 0755 in decimal
  filesystem = "root"
  path       = "/opt/bin/prometheus-ro-rootfs"
  content {
    content = file("${path.module}/resources/prometheus-ro-rootfs")
  }
}
// Periodic renewal of the node certificates generated by the helpers above.
// on_calendar is presumably a systemd OnCalendar= expression (see the module);
// NOTE(review): it should fire well inside the cert lifetime set by the cfssl
// profiles so a missed run does not leave the node with an expired cert.
module "cert-refresh-node" {
  source                        = "./modules/cert-refresh-node"
  on_calendar                   = var.cfssl_node_renew_timer
  use_deprecated_docker_runtime = var.use_deprecated_docker_runtime
}