control_plane.tf
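locals {
  # API server endpoint addresses. Precedence: an explicit
  # var.control_plane_endpoint (used verbatim, whatever it is), else the
  # load balancer's address, else the first control-plane node's own address.
  control_plane_endpoint_v6 = var.control_plane_endpoint != "" ? var.control_plane_endpoint : (local.use_load_balancer ? hcloud_load_balancer.control_plane[0].ipv6 : module.control_plane[0].ipv6_address)
  control_plane_endpoint_v4 = var.control_plane_endpoint != "" ? var.control_plane_endpoint : (local.use_load_balancer ? hcloud_load_balancer.control_plane[0].ipv4 : module.control_plane[0].ipv4_address)

  # Endpoint handed to kubeadm. When derived here it is the IPv6 address in
  # brackets so a port can be appended; an explicit var.control_plane_endpoint
  # is passed through unchanged, so a bare IPv6 literal in that variable would
  # need its own brackets — TODO confirm against templates/kubeadm.yaml.tpl.
  control_plane_endpoint = var.control_plane_endpoint != "" ? var.control_plane_endpoint : "[${local.control_plane_endpoint_v6}]"

  # Per-node API server advertise address in the primary address family,
  # indexed by the node's count.index.
  advertise_addresses = var.primary_ip_family == "ipv6" ? module.control_plane[*].ipv6_address : module.control_plane[*].ipv4_address
  # Historical misspelling kept so existing references (the provisioners in
  # this file) keep resolving; new references should use
  # local.advertise_addresses.
  adverise_addresses = local.advertise_addresses

  # SANs for the API server serving certificate. With an explicit endpoint only
  # that name is added; otherwise both the IPv4 and the IPv6 endpoint address
  # go in so the certificate verifies over either family. User-supplied extra
  # SANs are always appended.
  apiserver_cert_sans = concat(
    var.control_plane_endpoint != "" ? [var.control_plane_endpoint] : [local.control_plane_endpoint_v4, local.control_plane_endpoint_v6],
    var.apiserver_extra_sans
  )

  # Host on which the join-time kubeadm commands are executed (see
  # null_resource.control_plane_join); defaults to the first control-plane
  # node's IPv4 address.
  kubeadm_host = var.kubeadm_host != "" ? var.kubeadm_host : module.control_plane[0].ipv4_address
}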
# One control-plane node per count index, all built from the shared
# kubernetes-node module. Outputs used elsewhere in this file: id,
# ipv4_address, ipv6_address.
module "control_plane" {
  source = "./modules/kubernetes-node"
  count  = var.node_count

  name               = "${var.name}-control-plane-${count.index}"
  server_type        = var.server_type
  image              = var.image
  location           = var.location
  kubernetes_version = var.kubernetes_version

  # Cluster-scoped labels layered over the user-supplied ones; on a key clash
  # the fixed values win because merge() keeps the last occurrence.
  labels = merge(var.labels, { cluster = var.name, role = "control-plane" })

  # Access: the hcloud-registered SSH key, the local private key the
  # provisioners in this file use, and the firewalls to attach by id.
  hcloud_ssh_key       = var.hcloud_ssh_key
  ssh_private_key_path = var.ssh_private_key_path
  firewall_ids         = var.firewall_ids
}
# 32 random bytes whose hex form is used as the kubeadm certificate key (the
# key kubeadm's upload-certs phase uses to protect the control-plane
# certificates it stores in the cluster for joining nodes). The value lives in
# plaintext in Terraform state, is rendered into /root/cluster.yaml on the
# bootstrap node and is passed on ssh command lines below, so the state file
# and those node files have to be handled as secrets.
resource "random_id" "certificate_key" {
  byte_length = 32
}
# One-shot kubeadm bootstrap of the first control-plane node. There are no
# triggers, so this runs only when first created; if node 0 is later replaced
# it is not re-run (control_plane_join below has per-node triggers instead).
resource "null_resource" "cluster_bootstrap" {
  connection {
    type        = "ssh"
    user        = "root"
    host        = module.control_plane[0].ipv4_address
    private_key = file(var.ssh_private_key_path)
    timeout     = "5m"
  }

  # Provisioners run in declaration order: copy the script, render the
  # kubeadm config, then execute the script.
  provisioner "file" {
    source      = "${path.module}/scripts/cluster-join.sh"
    destination = "/root/cluster-join.sh"
  }

  # kubeadm configuration rendered from the template. It embeds the
  # certificate key, so the resulting /root/cluster.yaml is sensitive.
  provisioner "file" {
    destination = "/root/cluster.yaml"
    content = templatefile("${path.module}/templates/kubeadm.yaml.tpl", {
      kubernetes_version     = var.kubernetes_version
      control_plane_endpoint = local.control_plane_endpoint
      advertise_address      = local.adverise_addresses[0]
      apiserver_cert_sans    = local.apiserver_cert_sans
      certificate_key        = random_id.certificate_key.hex
      primary_ip_family      = var.primary_ip_family
      pod_cidr_ipv4          = var.pod_cidr_ipv4
      service_cidr_ipv4      = var.service_cidr_ipv4
      service_cidr_ipv6      = var.service_cidr_ipv6
    })
  }

  provisioner "remote-exec" {
    inline = [
      "chmod +x /root/cluster-join.sh",
      "/root/cluster-join.sh",
    ]
  }
}
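# Join every control-plane node. The count includes node 0, which
# cluster_bootstrap has already initialised; whether cluster-join.sh tolerates
# an already-joined node is decided inside that script — TODO confirm. A node's
# join re-runs only when its instance id changes, i.e. when the server was
# replaced.
resource "null_resource" "control_plane_join" {
  count      = var.node_count
  depends_on = [null_resource.cluster_bootstrap]

  triggers = {
    instance_id = module.control_plane[count.index].id
  }

  connection {
    type        = "ssh"
    user        = "root"
    host        = module.control_plane[count.index].ipv4_address
    private_key = file(var.ssh_private_key_path)
    timeout     = "5m"
  }

  # Both local-exec steps disable SSH host-key verification
  # (StrictHostKeyChecking=no with an empty known_hosts), so anyone able to
  # interpose on the path to the nodes could observe the certificate key and
  # the join token. Pinning the hosts' keys (a known_hosts file built from keys
  # obtained out-of-band, plus the connection block's `host_key` argument)
  # closes that gap; it is left as-is here because it needs data this file
  # does not have. The key path is quoted so paths containing spaces work the
  # same way they already do for file() in the connection block.

  # Step 1: (re)upload the control-plane certificates under the shared
  # certificate key so the join below can fetch them. The key is passed as a
  # command-line argument, so it is visible in process listings on both ends
  # for the duration of the command.
  provisioner "local-exec" {
    command = <<-EOT
      ssh -i "${var.ssh_private_key_path}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        root@${local.kubeadm_host} 'kubeadm init phase upload-certs \
          --upload-certs \
          --certificate-key ${random_id.certificate_key.hex}'
    EOT
  }

  # Step 2: mint a short-lived (60m) bootstrap token on kubeadm_host, extend
  # the printed join command into a control-plane join for this node and write
  # it to the node. The single quotes keep the $(...) for the remote shell.
  # The written file holds the token and the certificate key, so it is created
  # with mode 0600 (umask 077) instead of the remote shell's default umask.
  provisioner "local-exec" {
    command = <<-EOT
      ssh -i "${var.ssh_private_key_path}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        root@${local.kubeadm_host} \
        'echo $(kubeadm token create --print-join-command --ttl=60m) \
          --apiserver-advertise-address ${local.adverise_addresses[count.index]} \
          --control-plane \
          --certificate-key ${random_id.certificate_key.hex}' | \
      ssh -i "${var.ssh_private_key_path}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        root@${module.control_plane[count.index].ipv4_address} 'umask 077 && tee /root/join-command.sh >/dev/null'
    EOT
  }

  # Same script as the bootstrap; provisioners run in declaration order, so
  # the join command is already on the node when it executes.
  provisioner "file" {
    source      = "${path.module}/scripts/cluster-join.sh"
    destination = "/root/cluster-join.sh"
  }

  provisioner "remote-exec" {
    inline = [
      "chmod +x /root/cluster-join.sh",
      "/root/cluster-join.sh",
    ]
  }
}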