From 1102273ab7cedb0fc1911cacc49fe6af48a9ec51 Mon Sep 17 00:00:00 2001
From: Colin Wilson
Date: Thu, 21 Jul 2022 04:05:53 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20add=20kubeconfig=20to=20output=20(s?=
 =?UTF-8?q?ensitive)=20=F0=9F=94=A5=20disable=20kubeconfig=20local=5Ffile?=
 =?UTF-8?q?=20resource?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 kubeconfig_file_output.tf | 8 ++++----
 locals.tf | 38 +++++++++++++++++++++++++++++++++-----
 outputs.tf | 6 ++++++
 server_init.tf | 6 +++---
 4 files changed, 46 insertions(+), 12 deletions(-)
diff --git a/kubeconfig_file_output.tf b/kubeconfig_file_output.tf
index ba17ca7..fb9cd00 100644
--- a/kubeconfig_file_output.tf
+++ b/kubeconfig_file_output.tf
@@ -1,4 +1,4 @@
-resource "local_file" "k3s_kubeconfig" {
- content = local.kubeconfig
- filename = "${path.root}/k3s.yaml"
-}
\ No newline at end of file
+# resource "local_sensitive_file" "k3s_kubeconfig" {
+# content = local.kubeconfig
+# filename = "${path.root}/k3s.yaml"
+# }
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
index fc6e650..a19f7a4 100644
--- a/locals.tf
+++ b/locals.tf
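Review bot: After this hunk the file consists only of a commented-out `local_sensitive_file` resource, so it is dead code that tells a reader neither why it was kept nor how the kubeconfig is now obtained. Either delete the file or replace the commented block with a one-line pointer such as `# The kubeconfig is exposed through the "kubeconfig" output (terraform output -raw kubeconfig > k3s.yaml); writing it to disk here is intentionally disabled.` If the resource is meant to be re-enabled later, the same comment should say that the written file carries the cluster-admin client key, so a restrictive `file_permission` must be set when it comes back.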
@@ -66,11 +66,39 @@ locals {
 client-key-data = tls_private_key.keys["client-admin"].private_key_pem
- kubeconfig = templatefile("${path.module}/kubeconfig.yaml.tftpl", {
- certificate-authority-data = base64encode(local.certificate-authority-data)
- client-certificate-data = base64encode(local.client-certificate-data)
- client-key-data = base64encode(local.client-key-data)
- k3s_lb_ip = hcloud_load_balancer.k3s_api_lb.ipv4
+ # kubeconfig = templatefile("${path.module}/kubeconfig.yaml.tftpl", {
+ # certificate-authority-data = base64encode(local.certificate-authority-data)
+ # client-certificate-data = base64encode(local.client-certificate-data)
+ # client-key-data = base64encode(local.client-key-data)
+ # k3s_lb_ip = hcloud_load_balancer.k3s_api_lb.ipv4
+ # })
+
+ kubeconfig = yamlencode({
+ "apiVersion" : "v1",
+ "clusters" : [{
+ "cluster" : {
+ "certificate-authority-data" : base64encode(local.certificate-authority-data),
+ "server" : "https://${hcloud_load_balancer.k3s_api_lb.ipv4}:6443"
+ },
+ "name" : "default"
+ }]
+ "contexts" : [{
+ "context" : {
+ "cluster" : "default",
+ "user" : "default"
+ },
+ "name" : "default"
+ }]
+ "current-context" : "default",
+ "kind" : "Config",
+ "preferences" : {},
+ "users" : [{
+ "name" : "default",
+ "user" : {
+ "client-certificate-data" : base64encode(local.client-certificate-data),
+ "client-key-data" : base64encode(local.client-key-data)
+ }
+ }]
 })
 # The following IPs are important to be whitelisted because they communicate with Hetzner services and enable the CCM and CSI to work properly.
diff --git a/outputs.tf b/outputs.tf
index 76b8097..41236a3 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,3 +1,9 @@
 output "local_agent_nodepools" {
 value = local.agent_nodes
+}
+
+output "kubeconfig" {
+ description = "Kube Config for cluster"
+ value = local.kubeconfig
+ sensitive = true
 }
\ No newline at end of file
diff --git a/server_init.tf b/server_init.tf
index 4942f31..68f7bdf 100644
--- a/server_init.tf
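Review bot: The replaced `templatefile` call is kept as six commented-out lines directly above the new `yamlencode` block; since the `local_file` consumer is also commented out in this commit, `kubeconfig.yaml.tftpl` appears to have no remaining reference, and both the template and the dead block should be removed rather than left as commentary. The API port is hard-coded in `"server" : "https://${hcloud_load_balancer.k3s_api_lb.ipv4}:6443"`; a named local such as `k3s_api_port = 6443` would make it easier to keep in step with the load balancer configuration. The object also mixes separators, with a comma after `"current-context" : "default",` but none after the `}]` closing `clusters` and `contexts`; HCL accepts both, but one convention reads better. The `locals` block begins before this hunk and continues past it.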
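Review bot: The new output's `description = "Kube Config for cluster"` omits what a consumer needs to know: the value embeds the cluster-admin client certificate and private key, and `sensitive = true` only redacts it from plan/apply and `terraform output` display while the value is still written in plaintext to the state file. Suggest `description = "kubeconfig for the k3s cluster. Contains the cluster-admin client key; redacted from CLI output but stored unencrypted in state, so protect the state backend. Retrieve with: terraform output -raw kubeconfig"`. The pre-existing `local_agent_nodepools` output is untouched by this note.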
+++ b/server_init.tf
@@ -34,9 +34,9 @@ resource "hcloud_server" "server_node_init" {
 ca_keys = { for ca_name, key in tls_private_key.keys : ca_name => base64gzip(key.private_key_pem) if contains(local.ca_names, ca_name) }
 ca_certs = { for ca_name, cert in tls_self_signed_cert.ca_certs : ca_name => base64gzip(cert.cert_pem) }
 # --- END k3s generated keys & certs ---
- hcloud_token = var.hcloud_token
- k3s_net_id = hcloud_network.k3s_net.id
- flannel_backend = var.flannel_backend
+ hcloud_token = var.hcloud_token
+ k3s_net_id = hcloud_network.k3s_net.id
+ flannel_backend = var.flannel_backend
 k8s_dashboard = local.k8s_dash_yaml_tpl
 sys_upgrade_ctrl = local.sys_upgrade_ctrl_yaml_tpl
 cert_manager = local.cert_manager_yaml_tpl