modules/bootkube: generate etcd tls zip content and reuse in aws

Currently when distributing all keys via userdata we hit the AWS limit of 19k. This solves it by distributing zipped content reducing the userdata payload to 14k.
coreos · Jul 10, 2017 · 34db444 · 34db444
1 parent cd4ef9b
commit 34db444
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 112 deletions.
diff --git a/modules/aws/etcd/ignition.tf b/modules/aws/etcd/ignition.tf
@@ -4,17 +4,12 @@ data "ignition_config" "etcd" {
   systemd = [
     "${data.ignition_systemd_unit.locksmithd.*.id[count.index]}",
     "${data.ignition_systemd_unit.etcd3.*.id[count.index]}",
+    "${data.ignition_systemd_unit.etcd_unzip_tls.id}",
   ]
 
   files = [
     "${data.ignition_file.node_hostname.*.id[count.index]}",
-    "${data.ignition_file.etcd_ca.id}",
-    "${data.ignition_file.etcd_server_crt.id}",
-    "${data.ignition_file.etcd_server_key.id}",
-    "${data.ignition_file.etcd_client_crt.id}",
-    "${data.ignition_file.etcd_client_key.id}",
-    "${data.ignition_file.etcd_peer_crt.id}",
-    "${data.ignition_file.etcd_peer_key.id}",
+    "${data.ignition_file.etcd_tls_zip.id}",
   ]
 }
 
@@ -29,88 +24,37 @@ data "ignition_file" "node_hostname" {
   }
 }
 
-data "ignition_file" "etcd_ca" {
-  path       = "/etc/ssl/etcd/ca.crt"
-  mode       = 0644
-  uid        = 232
-  gid        = 232
-  filesystem = "root"
-
-  content {
-    content = "${var.tls_ca_crt_pem}"
-  }
-}
-
-data "ignition_file" "etcd_client_key" {
-  path       = "/etc/ssl/etcd/client.key"
-  mode       = 0400
-  uid        = 0
-  gid        = 0
-  filesystem = "root"
-
-  content {
-    content = "${var.tls_client_key_pem}"
-  }
-}
-
-data "ignition_file" "etcd_client_crt" {
-  path       = "/etc/ssl/etcd/client.crt"
+data "ignition_file" "etcd_tls_zip" {
+  path       = "/etc/ssl/etcd/tls.zip"
   mode       = 0400
   uid        = 0
   gid        = 0
   filesystem = "root"
 
   content {
-    content = "${var.tls_client_crt_pem}"
-  }
-}
-
-data "ignition_file" "etcd_server_key" {
-  path       = "/etc/ssl/etcd/server.key"
-  mode       = 0400
-  uid        = 232
-  gid        = 232
-  filesystem = "root"
-
-  content {
-    content = "${var.tls_server_key_pem}"
-  }
-}
-
-data "ignition_file" "etcd_server_crt" {
-  path       = "/etc/ssl/etcd/server.crt"
-  mode       = 0400
-  uid        = 232
-  gid        = 232
-  filesystem = "root"
-
-  content {
-    content = "${var.tls_server_crt_pem}"
-  }
-}
-
-data "ignition_file" "etcd_peer_key" {
-  path       = "/etc/ssl/etcd/peer.key"
-  mode       = 0400
-  uid        = 232
-  gid        = 232
-  filesystem = "root"
-
-  content {
-    content = "${var.tls_peer_key_pem}"
+    mime    = "application/octet-stream"
+    content = "${var.tls_zip}"
   }
 }
 
-data "ignition_file" "etcd_peer_crt" {
-  path       = "/etc/ssl/etcd/peer.crt"
-  mode       = 0400
-  uid        = 232
-  gid        = 232
-  filesystem = "root"
+data "ignition_systemd_unit" "etcd_unzip_tls" {
+  name   = "etcd-unzip-tls.service"
+  enable = true
 
-  content {
-    content = "${var.tls_peer_crt_pem}"
-  }
+  content = <<EOF
+[Unit]
+ConditionPathExists=!/etc/ssl/etcd/ca.crt
+[Service]
+Type=oneshot
+WorkingDirectory=/etc/ssl/etcd
+ExecStart=/usr/bin/bash -c 'unzip /etc/ssl/etcd/tls.zip && \
+chown etcd:etcd /etc/ssl/etcd/peer.* && \
+chown etcd:etcd /etc/ssl/etcd/server.* && \
+chmod 0400 /etc/ssl/etcd/peer.* /etc/ssl/etcd/server.* /etc/ssl/etcd/client.*'
+[Install]
+WantedBy=multi-user.target
+RequiredBy=etcd-member.service locksmithd.service
+EOF
 }
 
 data "ignition_systemd_unit" "locksmithd" {

diff --git a/modules/aws/etcd/variables.tf b/modules/aws/etcd/variables.tf
@@ -79,30 +79,6 @@ variable "tls_enabled" {
   default = false
 }
 
-variable "tls_ca_crt_pem" {
-  default = ""
-}
-
-variable "tls_client_key_pem" {
-  default = ""
-}
-
-variable "tls_client_crt_pem" {
-  default = ""
-}
-
-variable "tls_server_key_pem" {
-  default = ""
-}
-
-variable "tls_server_crt_pem" {
-  default = ""
-}
-
-variable "tls_peer_key_pem" {
-  default = ""
-}
-
-variable "tls_peer_crt_pem" {
-  default = ""
+variable "tls_zip" {
+  type = "string"
 }
diff --git a/modules/bootkube/assets.tf b/modules/bootkube/assets.tf
@@ -238,3 +238,44 @@ resource "local_file" "etcd_peer_key" {
   content  = "${join("", tls_private_key.etcd_peer.*.private_key_pem)}"
   filename = "./generated/tls/etcd/peer.key"
 }
+
+data "archive_file" "etcd_tls_zip" {
+  type = "zip"
+
+  output_path = "./.terraform/etcd_tls.zip"
+
+  source {
+    filename = "ca.crt"
+    content  = "${data.template_file.etcd_ca_cert_pem.rendered}"
+  }
+
+  source {
+    filename = "server.crt"
+    content  = "${join("", tls_locally_signed_cert.etcd_server.*.cert_pem)}"
+  }
+
+  source {
+    filename = "server.key"
+    content  = "${join("", tls_private_key.etcd_server.*.private_key_pem)}"
+  }
+
+  source {
+    filename = "peer.crt"
+    content  = "${join("", tls_locally_signed_cert.etcd_peer.*.cert_pem)}"
+  }
+
+  source {
+    filename = "peer.key"
+    content  = "${join("", tls_private_key.etcd_peer.*.private_key_pem)}"
+  }
+
+  source {
+    filename = "client.crt"
+    content  = "${data.template_file.etcd_client_crt.rendered}"
+  }
+
+  source {
+    filename = "client.key"
+    content  = "${data.template_file.etcd_client_key.rendered}"
+  }
+}
diff --git a/modules/bootkube/outputs.tf b/modules/bootkube/outputs.tf
@@ -17,6 +17,7 @@
 # interpolated once the assets have all been created.
 output "id" {
   value = "${sha1("
+  ${data.archive_file.etcd_tls_zip.id}
   ${local_file.kubeconfig.id}
   ${local_file.bootkube-sh.id}
   ${template_dir.bootkube.id} ${template_dir.bootkube-bootstrap.id}
@@ -35,6 +36,10 @@ output "id" {
   ")}"
 }
 
+output "etcd_tls_zip" {
+  value = "${data.archive_file.etcd_tls_zip.id != "" ? file("./.terraform/etcd_tls.zip") : ""}"
+}
+
 output "kubeconfig" {
   value = "${data.template_file.kubeconfig.rendered}"
 }

diff --git a/platforms/aws/main.tf b/platforms/aws/main.tf
@@ -78,13 +78,7 @@ module "etcd" {
   dns_enabled = "${!var.tectonic_experimental && length(compact(var.tectonic_etcd_servers)) == 0}"
   tls_enabled = "${var.tectonic_etcd_tls_enabled}"
 
-  tls_ca_crt_pem     = "${module.bootkube.etcd_ca_crt_pem}"
-  tls_server_crt_pem = "${module.bootkube.etcd_server_crt_pem}"
-  tls_server_key_pem = "${module.bootkube.etcd_server_key_pem}"
-  tls_client_crt_pem = "${module.bootkube.etcd_client_crt_pem}"
-  tls_client_key_pem = "${module.bootkube.etcd_client_key_pem}"
-  tls_peer_crt_pem   = "${module.bootkube.etcd_peer_crt_pem}"
-  tls_peer_key_pem   = "${module.bootkube.etcd_peer_key_pem}"
+  tls_zip = "${module.bootkube.etcd_tls_zip}"
 }
 
 module "ignition-masters" {