

Merge pull request #1342 from amrutac/cp-etcd-certs-fix
Cherry-pick the certs-to-standalone-etcd fix
amrutac authored Jul 10, 2017
2 parents 90274ed + 3d2dc33 commit 2891af1
Showing 11 changed files with 244 additions and 92 deletions.
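--- a/modules/aws/etcd/ignition.tf
+++ b/modules/aws/etcd/ignition.tf
@@ -4,15 +4,12 @@ data "ignition_config" "etcd" {
 systemd = [
 "${data.ignition_systemd_unit.locksmithd.*.id[count.index]}",
 "${data.ignition_systemd_unit.etcd3.*.id[count.index]}",
+"${data.ignition_systemd_unit.etcd_unzip_tls.id}",
 ]
 
 files = [
 "${data.ignition_file.node_hostname.*.id[count.index]}",
-"${data.ignition_file.etcd_ca.id}",
-"${data.ignition_file.etcd_server_crt.id}",
-"${data.ignition_file.etcd_server_key.id}",
-"${data.ignition_file.etcd_peer_crt.id}",
-"${data.ignition_file.etcd_peer_key.id}",
+"${data.ignition_file.etcd_tls_zip.id}",
 ]
 }
 
@@ -27,64 +24,37 @@ data "ignition_file" "node_hostname" {
 }
 }
 
-data "ignition_file" "etcd_ca" {
-path = "/etc/ssl/etcd/ca.crt"
-mode = 0644
-uid = 232
-gid = 232
-filesystem = "root"
-
-content {
-content = "${var.tls_ca_crt_pem}"
-}
-}
-
-data "ignition_file" "etcd_server_key" {
-path = "/etc/ssl/etcd/server.key"
-mode = 0400
-uid = 232
-gid = 232
-filesystem = "root"
-
-content {
-content = "${var.tls_server_key_pem}"
-}
-}
-
-data "ignition_file" "etcd_server_crt" {
-path = "/etc/ssl/etcd/server.crt"
+data "ignition_file" "etcd_tls_zip" {
+path = "/etc/ssl/etcd/tls.zip"
 mode = 0400
-uid = 232
-gid = 232
+uid = 0
+gid = 0
 filesystem = "root"
 
 content {
-content = "${var.tls_server_crt_pem}"
+mime = "application/octet-stream"
+content = "${var.tls_zip}"
 }
 }
 
-data "ignition_file" "etcd_peer_key" {
-path = "/etc/ssl/etcd/peer.key"
-mode = 0400
-uid = 232
-gid = 232
-filesystem = "root"
-
-content {
-content = "${var.tls_peer_key_pem}"
-}
-}
-
-data "ignition_file" "etcd_peer_crt" {
-path = "/etc/ssl/etcd/peer.crt"
-mode = 0400
-uid = 232
-gid = 232
-filesystem = "root"
+data "ignition_systemd_unit" "etcd_unzip_tls" {
+name = "etcd-unzip-tls.service"
+enable = true
 
-content {
-content = "${var.tls_peer_crt_pem}"
-}
+content = <<EOF
+[Unit]
+ConditionPathExists=!/etc/ssl/etcd/ca.crt
+[Service]
+Type=oneshot
+WorkingDirectory=/etc/ssl/etcd
+ExecStart=/usr/bin/bash -c 'unzip /etc/ssl/etcd/tls.zip && \
+chown etcd:etcd /etc/ssl/etcd/peer.* && \
+chown etcd:etcd /etc/ssl/etcd/server.* && \
+chmod 0400 /etc/ssl/etcd/peer.* /etc/ssl/etcd/server.* /etc/ssl/etcd/client.*'
+[Install]
+WantedBy=multi-user.target
+RequiredBy=etcd-member.service locksmithd.service
+EOF
 }
 
 data "ignition_systemd_unit" "locksmithd" {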
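Review bot: The new etcd-unzip-tls.service is linked to etcd-member.service and locksmithd.service only through `RequiredBy=` in [Install], which expresses a dependency but no ordering, so etcd-member can be started before the archive has been unpacked and fail to find its certificates; add `Before=etcd-member.service locksmithd.service` to the [Unit] section. The ExecStart line also extracts all files with whatever mode the archive stores before the trailing `chmod 0400` runs, so prefixing the command with `umask 077 &&` should keep server.key, peer.key and client.key from ever being group- or world-readable, and ca.crt is not in the chmod or chown list at all, so its final mode and owner are whatever unzip leaves. The `ConditionPathExists=!/etc/ssl/etcd/ca.crt` guard means a later, rotated tls.zip is never unpacked; if first-boot-only is intended, say so in a comment on the unit. The locksmithd unit that follows continues outside the hunk.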
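--- a/modules/aws/etcd/variables.tf
+++ b/modules/aws/etcd/variables.tf
@@ -79,22 +79,6 @@ variable "tls_enabled" {
 default = false
 }
 
-variable "tls_ca_crt_pem" {
-default = ""
-}
-
-variable "tls_server_key_pem" {
-default = ""
-}
-
-variable "tls_server_crt_pem" {
-default = ""
-}
-
-variable "tls_peer_key_pem" {
-default = ""
-}
-
-variable "tls_peer_crt_pem" {
-default = ""
+variable "tls_zip" {
+type = "string"
 }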
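Review bot: `variable "tls_zip"` has no default and no description, while the five variables it replaces all defaulted to `""` and the neighbouring `tls_enabled` still defaults to false, so every caller must now supply the archive even when TLS is disabled; if that is intended, document it, e.g. `description = "Zip archive of the etcd TLS material; written to /etc/ssl/etcd/tls.zip and unpacked on first boot. Required even when tls_enabled is false."`. A second sentence in that description noting that the archive carries private keys, and therefore lands in the state of any module that passes it, would help operators decide how state must be protected.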
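--- a/modules/bootkube/assets.tf
+++ b/modules/bootkube/assets.tf
@@ -238,3 +238,44 @@ resource "local_file" "etcd_peer_key" {
 content = "${join("", tls_private_key.etcd_peer.*.private_key_pem)}"
 filename = "./generated/tls/etcd/peer.key"
 }
+
+data "archive_file" "etcd_tls_zip" {
+type = "zip"
+
+output_path = "./.terraform/etcd_tls.zip"
+
+source {
+filename = "ca.crt"
+content = "${data.template_file.etcd_ca_cert_pem.rendered}"
+}
+
+source {
+filename = "server.crt"
+content = "${join("", tls_locally_signed_cert.etcd_server.*.cert_pem)}"
+}
+
+source {
+filename = "server.key"
+content = "${join("", tls_private_key.etcd_server.*.private_key_pem)}"
+}
+
+source {
+filename = "peer.crt"
+content = "${join("", tls_locally_signed_cert.etcd_peer.*.cert_pem)}"
+}
+
+source {
+filename = "peer.key"
+content = "${join("", tls_private_key.etcd_peer.*.private_key_pem)}"
+}
+
+source {
+filename = "client.crt"
+content = "${data.template_file.etcd_client_crt.rendered}"
+}
+
+source {
+filename = "client.key"
+content = "${data.template_file.etcd_client_key.rendered}"
+}
+}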
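Review bot: `data "archive_file" "etcd_tls_zip"` writes the server, peer and client private keys into `./.terraform/etcd_tls.zip` on the machine running Terraform, and nothing in the block says so; a header comment such as `# Bundles the etcd CA, server, peer and client cert/key pairs into one archive that is shipped to etcd nodes via Ignition. The zip contains private keys and must be treated as secret.` would make that visible to whoever manages the working directory or its backups. As a data source it is presumably re-evaluated on every plan, so the archive is rewritten each run with whatever on-disk permissions the archive provider chooses; it is worth confirming on the operator host that the file is not group- or world-readable, since the 0400 applied on the node side does not apply here.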
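--- a/modules/bootkube/outputs.tf
+++ b/modules/bootkube/outputs.tf
@@ -17,6 +17,7 @@
 # interpolated once the assets have all been created.
 output "id" {
 value = "${sha1("
+${data.archive_file.etcd_tls_zip.id}
 ${local_file.kubeconfig.id}
 ${local_file.bootkube-sh.id}
 ${template_dir.bootkube.id} ${template_dir.bootkube-bootstrap.id}
@@ -35,6 +36,10 @@ output "id" {
 ")}"
 }
 
+output "etcd_tls_zip" {
+value = "${data.archive_file.etcd_tls_zip.id != "" ? file("./.terraform/etcd_tls.zip") : ""}"
+}
+
 output "kubeconfig" {
 value = "${data.template_file.kubeconfig.rendered}"
 }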
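Review bot: `output "etcd_tls_zip"` pushes the raw bytes of the archive, private keys included, through `file()` into this module's output, so they are stored in plain text in the state of this module and of every module that consumes the output, and that should be stated in a comment on the block. The `data.archive_file.etcd_tls_zip.id != ""` guard does not limit that: the id is not empty once the data source resolves, and in the pre-0.12 interpolation syntax used here both arms of `? :` are evaluated, so `file()` runs regardless. `file()` is also intended for UTF-8 text, so whether a binary zip survives the string round-trip into the `ignition_file` on the aws side (which sets `mime = "application/octet-stream"` but does not base64-encode) is something to verify end to end. The `output "id"` block continues outside the first hunk.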
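--- a/modules/openstack/etcd/ignition.tf
+++ b/modules/openstack/etcd/ignition.tf
@@ -10,6 +10,8 @@ data "ignition_config" "etcd" {
 "${data.ignition_file.etcd_ca.id}",
 "${data.ignition_file.etcd_server_crt.id}",
 "${data.ignition_file.etcd_server_key.id}",
+"${data.ignition_file.etcd_client_crt.id}",
+"${data.ignition_file.etcd_client_key.id}",
 "${data.ignition_file.etcd_peer_crt.id}",
 "${data.ignition_file.etcd_peer_key.id}",
 ]
@@ -30,6 +32,30 @@ data "ignition_file" "etcd_ca" {
 }
 }
 
+data "ignition_file" "etcd_client_key" {
+path = "/etc/ssl/etcd/client.key"
+mode = 0400
+uid = 0
+gid = 0
+filesystem = "root"
+
+content {
+content = "${var.tls_client_key_pem}"
+}
+}
+
+data "ignition_file" "etcd_client_crt" {
+path = "/etc/ssl/etcd/client.crt"
+mode = 0400
+uid = 0
+gid = 0
+filesystem = "root"
+
+content {
+content = "${var.tls_client_crt_pem}"
+}
+}
+
 data "ignition_file" "etcd_server_key" {
 path = "/etc/ssl/etcd/server.key"
 mode = 0400
@@ -57,6 +83,8 @@ data "ignition_file" "etcd_server_crt" {
 data "ignition_file" "etcd_peer_key" {
 path = "/etc/ssl/etcd/peer.key"
 mode = 0400
+uid = 232
+gid = 232
 filesystem = "root"
 
 content {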
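Review bot: The new `etcd_client_key` and `etcd_client_crt` files are written as uid 0/gid 0 with mode 0400, whereas the peer key in the third hunk is given uid/gid 232 (and the aws unit chowns server.* and peer.* to etcd), so the etcd user presumably cannot read client.key; if the client pair is meant for root-run tooling rather than etcd itself, a comment on the block saying so, e.g. `# client.* are consumed by root-run tooling, not the etcd user (uid 232); keep them root-owned`, would stop the next reader from "fixing" the ownership. If instead etcd or locksmithd needs them, uid/gid should match the server and peer files. Both the `etcd_server_key` and `etcd_peer_key` blocks continue outside their hunks.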
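--- a/modules/openstack/etcd/variables.tf
+++ b/modules/openstack/etcd/variables.tf
@@ -15,7 +15,7 @@ variable "container_image" {
 type = "string"
 }
 
-variable core_public_keys {
+variable "core_public_keys" {
 type = "list"
 }
 
@@ -43,6 +43,14 @@ variable "tls_server_crt_pem" {
 default = ""
 }
 
+variable "tls_client_key_pem" {
+default = ""
+}
+
+variable "tls_client_crt_pem" {
+default = ""
+}
+
 variable "tls_peer_key_pem" {
 default = ""
 }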
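Review bot: `tls_client_key_pem` and `tls_client_crt_pem` default to `""` with no description, mirroring the existing `tls_*_pem` variables; with that default the `ignition_file` blocks added in modules/openstack/etcd/ignition.tf are presumably still emitted, so an unset value yields an empty /etc/ssl/etcd/client.key rather than no file. A `description` on each, e.g. `description = "PEM-encoded etcd client private key; leave empty when TLS is not in use."`, would document that contract for callers. The `core_public_keys` quoting fix in the first hunk needs no further change.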

