// All nodes should belong to system:nodes group
// Renders the cfssl helper script that requests the node's client
// certificate. The script itself lives in resources/cfssl-new-cert.sh;
// this block only fills in its variables.
data "template_file" "node-cfssl-new-cert" {
  template = file("${path.module}/resources/cfssl-new-cert.sh")

  vars = {
    // Identity presented to the API server. The "$(...)" part is NOT a
    // Terraform interpolation: it is left in the rendered script as a shell
    // command substitution, so the CN is resolved on the node at run time
    // from node_name_command for the active cloud provider.
    // NOTE(review): whatever that command prints becomes this node's
    // identity in the cluster; confirm it matches the name the kubelet
    // registers under, since system:node:<name> is what authorization keys on.
    cn  = "system:node:$(${var.node_name_command[var.cloud_provider]})"
    org = "system:nodes"

    // cfssl signing profile; the profile is defined on the CA side, not here.
    profile = "client"

    // Where the resulting key pair is written and who owns it.
    cert_name = "node"
    path      = "/etc/kubernetes/ssl"
    user      = "root"
    group     = "root"

    // Provider-specific commands the script uses to discover the node's
    // address and hostname for the CSR.
    get_ip       = var.get_ip_command[var.cloud_provider]
    get_hostname = var.node_name_command[var.cloud_provider]

    // No additional SANs for the plain client certificate.
    extra_names = ""
  }
}
// Ships the rendered node-cert helper onto the machine via Ignition.
data "ignition_file" "node-cfssl-new-cert" {
  path = "/opt/bin/cfssl-new-cert"

  // Ignition takes the mode as a decimal integer: 493 == octal 0755
  // (owner rwx, everyone else rx) -- an executable helper script.
  mode = 493

  content {
    content = data.template_file.node-cfssl-new-cert.rendered
  }
}
// Get a serving certificate for the kubelet
// Renders a second copy of the cfssl helper, this time for the kubelet's
// own certificate (written under the name "kubelet" rather than "node").
data "template_file" "node-kubelet-cfssl-new-cert" {
  template = file("${path.module}/resources/cfssl-new-cert.sh")

  vars = {
    // Identity for the kubelet certificate. As with the node cert, "$(...)"
    // survives rendering and is expanded by the shell on the node.
    // NOTE(review): the org here is "system:kubelets", not "system:nodes"
    // (compare the node client cert above). If this identity is ever used
    // as a client against the API server it will not get node-level
    // authorization through the system:nodes group; any permissions it
    // needs must be bound explicitly -- confirm that is intended.
    cn  = "system:kubelet:$(${var.node_name_command[var.cloud_provider]})"
    org = "system:kubelets"

    // cfssl signing profile; what "client-server" permits is defined on the
    // CA side, not here.
    profile = "client-server"

    // Output location and ownership of the key pair.
    cert_name = "kubelet"
    path      = "/etc/kubernetes/ssl"
    user      = "root"
    group     = "root"

    // Provider-specific discovery commands used when building the CSR.
    get_ip       = var.get_ip_command[var.cloud_provider]
    get_hostname = var.node_name_command[var.cloud_provider]

    // No extra SANs beyond what the script derives from the two commands above.
    extra_names = ""
  }
}
// Ships the rendered kubelet-cert helper onto the machine via Ignition.
data "ignition_file" "node-kubelet-cfssl-new-cert" {
  path = "/opt/bin/cfssl-new-kubelet-cert"

  // Decimal 493 == octal 0755: executable by everyone, writable by owner only.
  mode = 493

  content {
    content = data.template_file.node-kubelet-cfssl-new-cert.rendered
  }
}
// Kubeconfig will be the same for all kubernetes nodes as it only
// contains master address and certs
// Renders resources/node-kubeconfig; the only value substituted is the
// master address, so the output is identical on every node.
data "template_file" "node-kubeconfig" {
template = file("${path.module}/resources/node-kubeconfig")
vars = {
// API server endpoint the kubelet will talk to.
master_address = var.master_address
}
}
// Installs the shared kubeconfig at the path the kubelet reads it from.
data "ignition_file" "node-kubeconfig" {
  path = "/var/lib/kubelet/kubeconfig"

  // Decimal 420 == octal 0644, i.e. world-readable. That is only acceptable
  // because (per the comment above) the file carries the master address and
  // certificate references rather than key material.
  // NOTE(review): if resources/node-kubeconfig ever embeds client-key-data
  // inline, this mode must be tightened to 0600 (decimal 384) -- verify the
  // template.
  mode = 420

  content {
    content = data.template_file.node-kubeconfig.rendered
  }
}
// Kubelet config
// Renders the kubelet configuration file from resources/node-kubelet-conf.yaml.
// Two of the values (cluster_dns, feature_gates) are pre-rendered YAML
// fragments from locals; the rest are passed straight through from variables.
data "template_file" "node-kubelet-conf" {
  template = file("${path.module}/resources/node-kubelet-conf.yaml")

  vars = {
    // Pre-formatted YAML fragments (built in locals elsewhere in the module).
    cluster_dns   = local.cluster_dns_yaml
    feature_gates = local.feature_gates_yaml_fragment

    // Resource reservation for the host itself.
    system_reserved_cpu    = var.system_reserved_cpu
    system_reserved_memory = var.system_reserved_memory

    // Memory pressure thresholds at which the kubelet starts evicting pods.
    eviction_threshold_memory_hard = var.eviction_threshold_memory_hard
    eviction_threshold_memory_soft = var.eviction_threshold_memory_soft
  }
}
// Installs the rendered kubelet configuration.
data "ignition_file" "node-kubelet-conf" {
  path = "/etc/kubernetes/config/node-kubelet-conf.yaml"

  // Decimal 420 == octal 0644 (world-readable); the file holds kubelet
  // tuning only, no secrets.
  mode = 420

  content {
    content = data.template_file.node-kubelet-conf.rendered
  }
}
// Common prometheus text-collector metrics for nodes
// Loads the prometheus-tmpfs-dir systemd unit verbatim; no variables are
// substituted, the template is used only so it can be fed to Ignition below.
data "template_file" "prometheus-tmpfs-dir" {
template = file("${path.module}/resources/prometheus-tmpfs-dir.service")
}
// Registers the prometheus-tmpfs-dir unit with systemd without enabling it.
data "ignition_systemd_unit" "prometheus-tmpfs-dir" {
  name    = "prometheus-tmpfs-dir.service"
  content = data.template_file.prometheus-tmpfs-dir.rendered

  // Deliberately not enabled: other units start this one as a dependency,
  // so it must exist on disk but should not run on its own at boot.
  enabled = false
}
// Periodic renewal of the node certificates issued by the helpers above.
// The schedule is a systemd OnCalendar expression supplied by the caller.
module "cert-refresh-node" {
source = "./modules/cert-refresh-node"
// systemd OnCalendar= value controlling how often renewal runs.
on_calendar = var.cfssl_node_renew_timer
}