MVP

[blurrcat]

• reuse terraform community modules to setup basic vpc
• create tls artifacts with terraform tls provider
• generate cloudconfig for the controller
  • tls artifacts
  • launch CoreOS system services: etcd, flannel
  • launch kube-controller components: kubelet, apiserver, kube-proxy, scheduler, controller-manager
  • launch kube-addons: SkyDNS, dashboard
• generate cloudconfig for the workers
  • tls artifacts
  • launch kube-worker components: kubelet, kube-proxy, kubeconfig
• provision instance profiles for kube-controller: grant access to ec2 and elb
• provision instance profiles for kube-worker: grant access to ebs volumes

PKI

Use terraform tls provider to manage certificates.

etcd

Use one instance for now.
In the future, we might let the etcd instances auto-join a cluster.

networking

No need for calico. Generally assume the internal network is safe.

Expected Outcome

Artifacts:

• tls artifacts: ca, worker, admin
• terraform modules: make every part modular - for example, the generation of cloudconfig should only care about the services, it does not know how the vpc is structured exactly.

[blurrcat]

blocked by

• Restore tls_cert_request to being a managed resource hashicorp/terraform#9035: csr is generated every time terraform applies, which forces re-creation of stream resources.
• implements gzip interpolation func hashicorp/terraform#3858: without gzip, controller user-data hits size limit. template_cloudinit_config does not help here since CoreOS does not support multi-part cloud-init config.