Merge pull request #2713 from kalmog/kalmog_iscsi_master

modules/ignition,platforms/*: Add option to start iscsid service => master
coreos · Jan 16, 2018 · 3c7f949 · 3c7f949
2 parents bfd0dd6 + 3c17ba9
commit 3c7f949
Show file tree

Hide file tree

Showing 33 changed files with 98 additions and 0 deletions.
diff --git a/Documentation/variables/config.md b/Documentation/variables/config.md
@@ -32,6 +32,7 @@ This document gives an overview of variables used in all platforms of the Tecton
 | tectonic_etcd_servers | (optional) List of external etcd v3 servers to connect with (hostnames/IPs only). Needs to be set if using an external etcd cluster. Note: If this variable is defined, the installer will not create self-signed certs. To provide a CA certificate to trust the etcd servers, set "tectonic_etcd_ca_cert_path".<br><br>Example: `["etcd1", "etcd2", "etcd3"]` | list | `<list>` |
 | tectonic_etcd_tls_enabled | (optional) If set to `true`, all etcd endpoints will be configured to use the "https" scheme.<br><br>Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS. | string | `true` |
 | tectonic_image_re | (internal) Regular expression used to extract repo and tag components | string | `/^([^/]+/[^/]+/[^/]+):(.*)$/` |
+| tectonic_iscsi_enabled | (optional) Start iscsid.service to enable iscsi volume attachment. | string | `false` |
 | tectonic_kubelet_debug_config | (internal) debug flags for the kubelet (used in CI only) | string | `` |
 | tectonic_license_path | The path to the tectonic licence file. You can download the Tectonic license file from your Account overview page at [1].<br><br>[1] https://account.coreos.com/overview | string | `` |
 | tectonic_master_count | The number of master nodes to be created. This applies only to cloud platforms. | string | `1` |

diff --git a/config.tf b/config.tf
@@ -482,3 +482,9 @@ variable "tectonic_custom_ca_pem_list" {
 (optional) A list of PEM encoded CA files that will be installed in /etc/ssl/certs on etcd, master, and worker nodes.
 EOF
 }
+
+variable "tectonic_iscsi_enabled" {
+  type        = "string"
+  default     = "false"
+  description = "(optional) Start iscsid.service to enable iscsi volume attachment."
+}
diff --git a/examples/terraform.tfvars.aws b/examples/terraform.tfvars.aws
@@ -267,6 +267,9 @@ tectonic_etcd_count = "0"
 // Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS.
 // tectonic_etcd_tls_enabled = true
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.azure b/examples/terraform.tfvars.azure
@@ -215,6 +215,9 @@ tectonic_etcd_count = "0"
 // Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS.
 // tectonic_etcd_tls_enabled = true
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.gcp b/examples/terraform.tfvars.gcp
@@ -146,6 +146,9 @@ tectonic_gcp_worker_disktype = "pd-standard"
 // Instance size for the worker node(s). Example: `n1-standard-2`.
 tectonic_gcp_worker_gce_type = "n1-standard-2"
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.govcloud b/examples/terraform.tfvars.govcloud
@@ -257,6 +257,9 @@ tectonic_govcloud_worker_root_volume_size = "30"
 // The type of volume for the root block device of worker nodes.
 tectonic_govcloud_worker_root_volume_type = "gp2"
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.metal b/examples/terraform.tfvars.metal
@@ -106,6 +106,9 @@ tectonic_etcd_count = "0"
 // Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS.
 // tectonic_etcd_tls_enabled = true
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.openstack-neutron b/examples/terraform.tfvars.openstack-neutron
@@ -106,6 +106,9 @@ tectonic_etcd_count = "0"
 // Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS.
 // tectonic_etcd_tls_enabled = true
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/examples/terraform.tfvars.vmware b/examples/terraform.tfvars.vmware
@@ -106,6 +106,9 @@ tectonic_etcd_count = "0"
 // Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS.
 // tectonic_etcd_tls_enabled = true
 
+// (optional) Start iscsid.service to enable iscsi volume attachment.
+// tectonic_iscsi_enabled = "false"
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

diff --git a/modules/aws/master-asg/ignition.tf b/modules/aws/master-asg/ignition.tf
@@ -23,6 +23,7 @@ data "ignition_config" "main" {
     var.ign_tectonic_path_unit_id,
     var.ign_rm_assets_path_unit_id,
     var.ign_update_ca_certificates_dropin_id,
+    var.ign_iscsi_service_id,
    ))}"]
 }
 

diff --git a/modules/aws/worker-asg/ignition.tf b/modules/aws/worker-asg/ignition.tf
@@ -13,5 +13,6 @@ data "ignition_config" "main" {
     "${var.ign_kubelet_service_id}",
     "${var.ign_locksmithd_service_id}",
     "${var.ign_update_ca_certificates_dropin_id}",
+    "${var.ign_iscsi_service_id}",
   ]
 }
diff --git a/modules/azure/master-as/ignition-master.tf b/modules/azure/master-as/ignition-master.tf
@@ -20,6 +20,7 @@ data "ignition_config" "master" {
     var.ign_bootkube_path_unit_id,
     var.ign_tectonic_path_unit_id,
     var.ign_update_ca_certificates_dropin_id,
+    var.ign_iscsi_service_id,
    ))}"]
 
   users = [

diff --git a/modules/azure/worker-as/ignition-worker.tf b/modules/azure/worker-as/ignition-worker.tf
@@ -16,6 +16,7 @@ data "ignition_config" "worker" {
     "${var.ign_kubelet_service_id}",
     "${var.ign_tx_off_service_id}",
     "${var.ign_update_ca_certificates_dropin_id}",
+    "${var.ign_iscsi_service_id}",
   ]
 
   users = [

diff --git a/modules/gcp/master-igm/ignition.tf b/modules/gcp/master-igm/ignition.tf
@@ -21,6 +21,7 @@ data "ignition_config" "main" {
     var.ign_bootkube_path_unit_id,
     var.ign_tectonic_path_unit_id,
     var.ign_update_ca_certificates_dropin_id,
+    var.ign_iscsi_service_id,
    ))}"]
 }
 

diff --git a/modules/gcp/worker-igm/ignition.tf b/modules/gcp/worker-igm/ignition.tf
@@ -13,6 +13,7 @@ data "ignition_config" "main" {
     "${var.ign_locksmithd_service_id}",
     "${var.ign_kubelet_service_id}",
     "${var.ign_update_ca_certificates_dropin_id}",
+    "${var.ign_iscsi_service_id}",
   ]
 }
 

diff --git a/modules/govcloud/master-asg/variables.tf b/modules/govcloud/master-asg/variables.tf
@@ -147,3 +147,7 @@ variable "dns_server_ip" {
   type    = "string"
   default = ""
 }
+
+variable "ign_iscsi_service_id" {
+  type = "string"
+}
diff --git a/modules/govcloud/worker-asg/variables.tf b/modules/govcloud/worker-asg/variables.tf
@@ -91,3 +91,7 @@ variable "dns_server_ip" {
   type    = "string"
   default = ""
 }
+
+variable "ign_iscsi_service_id" {
+  type = "string"
+}
diff --git a/modules/ignition/assets.tf b/modules/ignition/assets.tf
@@ -202,3 +202,8 @@ data "ignition_file" "gcs_puller" {
     content = "${data.template_file.gcs_puller.rendered}"
   }
 }
+
+data "ignition_systemd_unit" "iscsi" {
+  name    = "iscsid.service"
+  enabled = "${var.iscsi_enabled ? true : false}"
+}
diff --git a/modules/ignition/outputs.import b/modules/ignition/outputs.import
@@ -36,3 +36,7 @@ variable "ign_ca_cert_id_list" {
   type        = "list"
   description = "The list of public CA certificate ignition file IDs."
 }
+
+variable "ign_iscsi_service_id" {
+  type = "string"
+}
diff --git a/modules/ignition/outputs.tf b/modules/ignition/outputs.tf
@@ -143,3 +143,7 @@ output "etcd_crt_id_list" {
     "${data.ignition_file.etcd_peer_crt.*.id}",
   ]
 }
+
+output "iscsi_service_id" {
+  value = "${data.ignition_systemd_unit.iscsi.id}"
+}
diff --git a/modules/ignition/variables.tf b/modules/ignition/variables.tf
@@ -151,3 +151,8 @@ variable "custom_ca_cert_pem_list" {
   type        = "list"
   description = "(optional) A list of custom CAs in PEM format."
 }
+
+variable "iscsi_enabled" {
+  type    = "string"
+  default = "false"
+}
diff --git a/modules/openstack/nodes/ignition.tf b/modules/openstack/nodes/ignition.tf
@@ -26,6 +26,7 @@ data "ignition_config" "node" {
     var.ign_bootkube_path_unit_id,
     var.ign_tectonic_path_unit_id,
     var.ign_update_ca_certificates_dropin_id,
+    var.ign_iscsi_service_id,
    ))}"]
 }
 

diff --git a/modules/openstack/nodes/variables.tf b/modules/openstack/nodes/variables.tf
@@ -47,3 +47,7 @@ variable "ign_tectonic_path_unit_id" {
   type    = "string"
   default = ""
 }
+
+variable "ign_iscsi_service_id" {
+  type = "string"
+}
diff --git a/modules/vmware/node/ignition.tf b/modules/vmware/node/ignition.tf
@@ -23,6 +23,7 @@ data "ignition_config" "node" {
     var.ign_bootkube_path_unit_id,
     var.ign_tectonic_path_unit_id,
     var.ign_update_ca_certificates_dropin_id,
+    var.ign_iscsi_service_id,
    ))}"]
 
   networkd = [

diff --git a/platforms/aws/main.tf b/platforms/aws/main.tf
@@ -111,6 +111,7 @@ module "ignition_masters" {
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   ingress_ca_cert_pem       = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled             = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem          = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
   kubeconfig_fetch_cmd      = "/opt/s3-puller.sh ${aws_s3_bucket_object.kubeconfig.bucket}/${aws_s3_bucket_object.kubeconfig.key} /etc/kubernetes/kubeconfig"
@@ -140,6 +141,7 @@ module "masters" {
   ign_init_assets_service_id           = "${module.ignition_masters.init_assets_service_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_masters.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_masters.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_masters.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_masters.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_masters.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_masters.locksmithd_service_id}"
@@ -174,6 +176,7 @@ module "ignition_workers" {
   etcd_ca_cert_pem        = "${module.etcd_certs.etcd_ca_crt_pem}"
   image_re                = "${var.tectonic_image_re}"
   ingress_ca_cert_pem     = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled           = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem        = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip     = "${module.bootkube.kube_dns_service_ip}"
   kubeconfig_fetch_cmd    = "/opt/s3-puller.sh ${aws_s3_bucket_object.kubeconfig.bucket}/${aws_s3_bucket_object.kubeconfig.key} /etc/kubernetes/kubeconfig"
@@ -196,6 +199,7 @@ module "workers" {
   ign_docker_dropin_id                 = "${module.ignition_workers.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_workers.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_workers.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_workers.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_workers.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_workers.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_workers.locksmithd_service_id}"

diff --git a/platforms/azure/main.tf b/platforms/azure/main.tf
@@ -123,6 +123,7 @@ module "ignition_masters" {
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   ingress_ca_cert_pem       = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled             = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem          = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
   kubelet_debug_config      = "${var.tectonic_kubelet_debug_config}"
@@ -147,6 +148,7 @@ module "masters" {
   ign_docker_dropin_id                 = "${module.ignition_masters.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_masters.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_masters.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_masters.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_masters.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_masters.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_masters.locksmithd_service_id}"
@@ -177,6 +179,7 @@ module "ignition_workers" {
   etcd_ca_cert_pem        = "${module.etcd_certs.etcd_ca_crt_pem}"
   ingress_ca_cert_pem     = "${module.ingress_certs.ca_cert_pem}"
   image_re                = "${var.tectonic_image_re}"
+  iscsi_enabled           = "${var.tectonic_iscsi_enabled}"
   kube_dns_service_ip     = "${module.bootkube.kube_dns_service_ip}"
   kube_ca_cert_pem        = "${module.kube_certs.ca_cert_pem}"
   kubelet_debug_config    = "${var.tectonic_kubelet_debug_config}"
@@ -199,6 +202,7 @@ module "workers" {
   ign_docker_dropin_id                 = "${module.ignition_workers.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_workers.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_workers.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_workers.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_workers.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_workers.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_workers.locksmithd_service_id}"

diff --git a/platforms/gcp/main.tf b/platforms/gcp/main.tf
@@ -92,6 +92,7 @@ module "masters" {
   ign_docker_dropin_id                 = "${module.ignition_masters.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_masters.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_masters.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_masters.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_masters.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_masters.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_masters.locksmithd_service_id}"
@@ -121,6 +122,7 @@ module "workers" {
   ign_docker_dropin_id                 = "${module.ignition_workers.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_workers.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_masters.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_workers.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_workers.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_workers.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_workers.locksmithd_service_id}"
@@ -152,6 +154,7 @@ module "ignition_masters" {
   etcd_server_key_pem       = "${module.etcd_certs.etcd_server_key_pem}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
+  iscsi_enabled             = "${var.tectonic_iscsi_enabled}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
   kubelet_debug_config      = "${var.tectonic_kubelet_debug_config}"
   kubelet_node_label        = "node-role.kubernetes.io/master"
@@ -169,6 +172,7 @@ module "ignition_workers" {
   cluster_name            = "${var.tectonic_cluster_name}"
   container_images        = "${var.tectonic_container_images}"
   image_re                = "${var.tectonic_image_re}"
+  iscsi_enabled           = "${var.tectonic_iscsi_enabled}"
   kube_dns_service_ip     = "${module.bootkube.kube_dns_service_ip}"
   kubelet_debug_config    = "${var.tectonic_kubelet_debug_config}"
   kubelet_node_label      = "node-role.kubernetes.io/node"

diff --git a/platforms/govcloud/main.tf b/platforms/govcloud/main.tf
@@ -111,6 +111,7 @@ module "ignition_masters" {
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   ingress_ca_cert_pem       = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled             = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem          = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
   kubeconfig_fetch_cmd      = "/opt/s3-puller.sh ${aws_s3_bucket_object.kubeconfig.bucket}/${aws_s3_bucket_object.kubeconfig.key} /etc/kubernetes/kubeconfig"
@@ -140,6 +141,7 @@ module "masters" {
   ign_init_assets_service_id           = "${module.ignition_masters.init_assets_service_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_masters.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_masters.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_masters.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_masters.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_masters.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_masters.locksmithd_service_id}"
@@ -175,6 +177,7 @@ module "ignition_workers" {
   etcd_ca_cert_pem        = "${module.etcd_certs.etcd_ca_crt_pem}"
   image_re                = "${var.tectonic_image_re}"
   ingress_ca_cert_pem     = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled           = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem        = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip     = "${module.bootkube.kube_dns_service_ip}"
   kubeconfig_fetch_cmd    = "/opt/s3-puller.sh ${aws_s3_bucket_object.kubeconfig.bucket}/${aws_s3_bucket_object.kubeconfig.key} /etc/kubernetes/kubeconfig"
@@ -197,6 +200,7 @@ module "workers" {
   ign_docker_dropin_id                 = "${module.ignition_workers.docker_dropin_id}"
   ign_installer_kubelet_env_id         = "${module.ignition_workers.installer_kubelet_env_id}"
   ign_installer_runtime_mappings_id    = "${module.ignition_workers.installer_runtime_mappings_id}"
+  ign_iscsi_service_id                 = "${module.ignition_workers.iscsi_service_id}"
   ign_k8s_node_bootstrap_service_id    = "${module.ignition_workers.k8s_node_bootstrap_service_id}"
   ign_kubelet_service_id               = "${module.ignition_workers.kubelet_service_id}"
   ign_locksmithd_service_id            = "${module.ignition_workers.locksmithd_service_id}"

diff --git a/platforms/metal/cl/bootkube-controller.yaml.tmpl b/platforms/metal/cl/bootkube-controller.yaml.tmpl
@@ -49,6 +49,8 @@ systemd:
     - name: tectonic.service
       enable: false
       contents: {{.ign_tectonic_service_json}}
+    - name: iscsid.service
+      enable: {{.iscsi.enabled}}
 storage:
   files:
     - path: /etc/hostname

diff --git a/platforms/metal/cl/bootkube-worker.yaml.tmpl b/platforms/metal/cl/bootkube-worker.yaml.tmpl
@@ -32,6 +32,8 @@ systemd:
       dropins:
         - name: 10-alwaysrun.conf
           contents: {{.ign_update_ca_certificates_dropin_json}}
+    - name: iscsid.service
+      enable: {{.iscsi.enabled}}
 
 storage:
   files:

diff --git a/platforms/metal/matchers.tf b/platforms/metal/matchers.tf
@@ -39,6 +39,7 @@ module "ignition_masters" {
   etcd_initial_cluster_list = "${var.tectonic_metal_controller_domains}"
   image_re                  = "${var.tectonic_image_re}"
   ingress_ca_cert_pem       = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled             = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem          = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
   kubelet_debug_config      = "${var.tectonic_kubelet_debug_config}"
@@ -60,6 +61,7 @@ resource "matchbox_group" "controller" {
   metadata {
     domain_name        = "${element(var.tectonic_metal_controller_domains, count.index)}"
     etcd_enabled       = "${length(compact(var.tectonic_etcd_servers)) != 0 ? "false" : "true"}"
+    iscsi_enabled      = "${var.tectonic_iscsi_enabled ? true : false}"
     ssh_authorized_key = "${var.tectonic_ssh_authorized_key}"
 
     ign_bootkube_path_unit_json            = "${jsonencode(module.bootkube.systemd_path_unit_rendered)}"
@@ -87,6 +89,7 @@ module "ignition_workers" {
   etcd_ca_cert_pem        = "${module.etcd_certs.etcd_ca_crt_pem}"
   image_re                = "${var.tectonic_image_re}"
   ingress_ca_cert_pem     = "${module.ingress_certs.ca_cert_pem}"
+  iscsi_enabled           = "${var.tectonic_iscsi_enabled}"
   kube_ca_cert_pem        = "${module.kube_certs.ca_cert_pem}"
   kube_dns_service_ip     = "${module.bootkube.kube_dns_service_ip}"
   kubelet_debug_config    = "${var.tectonic_kubelet_debug_config}"
@@ -106,6 +109,7 @@ resource "matchbox_group" "worker" {
 
   metadata {
     domain_name        = "${element(var.tectonic_metal_worker_domains, count.index)}"
+    iscsi_enabled      = "${var.tectonic_iscsi_enabled ? true : false}"
     ssh_authorized_key = "${var.tectonic_ssh_authorized_key}"
 
     # extra data