This repository has been archived by the owner on Feb 5, 2020. It is now read-only.
modules/*: trust CA certificates on the nodes #2362
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Can one of the admins verify this patch? |
s-urbaniak
force-pushed
the
inst-67-new
branch
from
2740e4e
to
552ecfd
Compare
s-urbaniak
changed the title
|
@squat PTAL |
squat
suggested changes
Nov 15, 2017
modules/gcp/worker-igm/ignition.tf
Outdated
| @@ -3,6 +3,7 @@ data "ignition_config" "main" { | |||
| "${data.ignition_file.kubeconfig.id}", | |||
| "${var.ign_max_user_watches_id}", | |||
| "${var.ign_installer_kubelet_env_id}", | |||
| "${var.ign_ca_cert_id_list}", | |||
| ] | |||
|
|
|||
| systemd = [ | |||
There was a problem hiding this comment.
The worker is missing the var.ign_update_ca_certificates_dropin_id service
| @@ -38,6 +38,11 @@ systemd: | |||
| - name: bootkube.service | |||
| enable: false | |||
| contents: {{.ign_bootkube_service_json}} | |||
| - name: update-ca-certificates.service | |||
There was a problem hiding this comment.
not for this pr but we really need to refactor this platform so that it uses the same ignition format as all the other platforms
There was a problem hiding this comment.
totally agreed 👍
s-urbaniak
force-pushed
the
inst-67-new
branch
from
552ecfd
to
c82dfb9
Compare
|
ok to test |
s-urbaniak
force-pushed
the
inst-67-new
branch
from
c82dfb9
to
bcffef6
Compare
|
This builds on top of #2421 |
s-urbaniak
changed the title
added 9 commits
November 21, 2017 12:20
This also bumps the ignition provider to 1.0.0 to support S3 downloads via ignition. Fixes #INST-67
Currently etcd certificate ignition files are created in their respective platform module. This unifies it by declaring the ignition file units centrally in the ignition module.
Currently the etcd TLS module also generates a zip file which is only used on AWS to reduce the userdata size to be <20k (hard limit on AWS). Since the etcd TLS assets will be provisioned via S3 this optimization/hack is not needed any more.
We hit the limits of the AWS userdata limit (20k) constantly. This fixes it by provisioning a minimal ignition configuration only which points to a replacement ignition configuration hosted on S3. This also removes workarounds/hacks to keep the userdata size small, especially for provisioning TLS assets on etcd nodes.
s-urbaniak
force-pushed
the
inst-67-new
branch
from
bcffef6
to
6d66b86
Compare
s-urbaniak
changed the title
|
retest this please |
s-urbaniak
commented
Nov 21, 2017
|
|
||
| [Service] | ||
| ExecStart= | ||
| ExecStart=/usr/sbin/update-ca-certificates |
There was a problem hiding this comment.
/cc @lucab This works, because we are enforcing rehashing all files. Rather the default service should work, but openssl is pointing to the wrong default bundle.
|
all green, merging |
sym3tri
reviewed
Dec 11, 2017
| "Action": [ | ||
| "ecr:DescribeRepositories", | ||
| "ecr:ListImages", | ||
| "ecr:BatchGetImage" |
There was a problem hiding this comment.
@s-urbaniak Why did you need to add ECR permissions?
There was a problem hiding this comment.
It might've been a copy&pasta oversight, but without this the machine didn't seem to boot.
enxebre
pushed a commit
to enxebre/tectonic-installer
that referenced
this pull request
Dec 18, 2017
* modules/*: trust CA certificates on the nodes This also bumps the ignition provider to 1.0.0 to support S3 downloads via ignition. Fixes #INST-67 * modules/ignition: unify etcd certificate generation Currently etcd certificate ignition files are created in their respective platform module. This unifies it by declaring the ignition file units centrally in the ignition module. * modules/tls/etcd: remove zip generation Currently the etcd TLS module also generates a zip file which is only used on AWS to reduce the userdata size to be <20k (hard limit on AWS). Since the etcd TLS assets will be provisioned via S3 this optimization/hack is not needed any more. * */aws: use S3 for ignition provisioning We hit the limits of the AWS userdata limit (20k) constantly. This fixes it by provisioning a minimal ignition configuration only which points to a replacement ignition configuration hosted on S3. This also removes workarounds/hacks to keep the userdata size small, especially for provisioning TLS assets on etcd nodes. * Documentation/examples: regenerate * */azure: use unified etcd TLS ignition files * */gcp: use unified etcd TLS ignition files * */openstack: use unified etcd TLS ignition files * */vmware: use unified etcd TLS ignition files
enxebre
pushed a commit
to enxebre/tectonic-installer
that referenced
this pull request
Dec 19, 2017
* modules/*: trust CA certificates on the nodes This also bumps the ignition provider to 1.0.0 to support S3 downloads via ignition. Fixes #INST-67 * modules/ignition: unify etcd certificate generation Currently etcd certificate ignition files are created in their respective platform module. This unifies it by declaring the ignition file units centrally in the ignition module. * modules/tls/etcd: remove zip generation Currently the etcd TLS module also generates a zip file which is only used on AWS to reduce the userdata size to be <20k (hard limit on AWS). Since the etcd TLS assets will be provisioned via S3 this optimization/hack is not needed any more. * */aws: use S3 for ignition provisioning We hit the limits of the AWS userdata limit (20k) constantly. This fixes it by provisioning a minimal ignition configuration only which points to a replacement ignition configuration hosted on S3. This also removes workarounds/hacks to keep the userdata size small, especially for provisioning TLS assets on etcd nodes. * Documentation/examples: regenerate * */azure: use unified etcd TLS ignition files * */gcp: use unified etcd TLS ignition files * */openstack: use unified etcd TLS ignition files * */vmware: use unified etcd TLS ignition files
Closed
wking
reviewed
Jul 23, 2018
| @@ -0,0 +1,25 @@ | |||
| resource "aws_s3_bucket_object" "ignition_etcd" { | |||
| count = "${length(var.external_endpoints) == 0 ? var.instance_count : 0}" | |||
There was a problem hiding this comment.
I'm new to Terraform and was scratching my head about this after not finding count in the aws_s3_bucket_object docs. It turns out it is a meta-parameter (more here). I thought I'd add this note in case it helps any other Terraform newbies ;).
wking
added a commit
to wking/openshift-installer
that referenced
this pull request
Jul 23, 2018
The local variable is from cd71f30 (Ignition assets, 2018-02-14, coreos/tectonic-installer#2940), but it doesn't scale beyond three etcd nodes. This commit pivots to an approach that scales to an arbitrary number of nodes, matching the scalable generation logic we've had since 0c7ac90 (modules/*: trust CA certificates on the nodes, 2017-11-22, coreos/tectonic-installer#2362).
yifan-gu
pushed a commit
to yifan-gu/installer
that referenced
this pull request
Jul 25, 2018
The local variable is from cd71f30 (Ignition assets, 2018-02-14, coreos/tectonic-installer#2940), but it doesn't scale beyond three etcd nodes. This commit pivots to an approach that scales to an arbitrary number of nodes, matching the scalable generation logic we've had since 0c7ac90 (modules/*: trust CA certificates on the nodes, 2017-11-22, coreos/tectonic-installer#2362).
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This also bumps the ignition provider to 1.0.0 to support S3 downloads
via ignition.
Fixes #INST-67