# https://kubernetes.io/docs/setup/best-practices/certificates/
locals {
  # Key-usage sets that the certificate maps below can request by role
  # name.  Both roles share the key-agreement/signature usages and differ
  # only in the extended key usage (server_auth vs client_auth).  The
  # identifiers look like tls-provider `allowed_uses` values, but the
  # module that consumes them is outside this file — confirm its contract.
  cert_uses_common = ["key_encipherment", "digital_signature"]

  cert_uses = {
    server = concat(local.cert_uses_common, ["server_auth"])
    client = concat(local.cert_uses_common, ["client_auth"])
  }
}
# Leaf certificates signed by the cluster CA (module.ca["kubernetes_ca"]).
# Each map key below becomes one module instance addressed as
# module.kubernetes_certs["<key>"]; the keys are part of the state address,
# so renaming one re-issues that certificate.
module "kubernetes_certs" {
  # NOTE(review): the git source carries no `?ref=`, so `terraform init`
  # fetches whatever the repository's default branch holds at that moment.
  # Pin it (e.g. `...//modules/tls/certificate?ref=<commit-sha-placeholder>`)
  # so a push to that repository cannot change how these certificates are
  # built.
  source = "git::github.com/edsoncsouza/vishwakarma.git//modules/tls/certificate"

  # The CA key is read from another module's output, which means it lives
  # in Terraform state alongside every issued key — the state backend needs
  # the same protection as the CA itself.
  self_signed = false
  ca_config = {
    key_pem  = module.ca["kubernetes_ca"].private_key_pem
    cert_pem = module.ca["kubernetes_ca"].cert_pem
  }

  for_each = {
    # API server serving certificate.  SANs cover the in-cluster service
    # names plus the addresses the API server is reached on.
    apiserver_cert = {
      common_name           = "kube-apiserver"
      organization          = "kube-master"
      validity_period_hours = "26280" # 3 years (3 * 365 * 24)
      cert_uses             = ["server"]
      cert_hostnames = [
        "localhost",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
      ]
      cert_ip_addresses = ["127.0.0.1", "192.168.6.101", "192.168.6.102"]
    }

    # Client certificate the API server presents to kubelets.  O=system:masters
    # is bound to cluster-admin by default, so this key is as sensitive as
    # the admin credential below.
    kube_apiserver_kubelet_client = {
      common_name           = "kube-apiserver-kubelet-client"
      organization          = "system:masters"
      validity_period_hours = "26280"
      cert_uses             = ["client"]
    }

    # Break-glass admin credential: system:masters bypasses RBAC review,
    # and a certificate cannot be revoked, only outlived.  Three years is
    # a long lifetime for it; kubeadm issues its leaf certs for one year.
    admin = {
      common_name           = "kubernetes-admin"
      organization          = "system:masters"
      validity_period_hours = "26280"
      cert_uses             = ["client"]
    }

    # Control-plane component identities carry no organization: the
    # system:kube-* CN alone selects their built-in RBAC role.
    controller_manager = {
      common_name           = "system:kube-controller-manager"
      organization          = ""
      validity_period_hours = "26280"
      cert_uses             = ["client"]
    }

    scheduler = {
      common_name           = "system:kube-scheduler"
      organization          = ""
      validity_period_hours = "26280"
      cert_uses             = ["client"]
    }
  }

  # Entries above do not all carry the same attributes; every optional
  # field falls back to an empty value (or the 3-year validity) here.
  cert_config = {
    common_name           = try(each.value.common_name, "")
    organization          = try(each.value.organization, "")
    validity_period_hours = try(each.value.validity_period_hours, "26280")
  }
  cert_hostnames    = try(each.value.cert_hostnames, [])
  cert_ip_addresses = try(each.value.cert_ip_addresses, [])

  # Expand the role names (server/client) into the flat, de-duplicated
  # usage list the module expects.
  cert_uses = distinct(flatten([
    for use in try(each.value.cert_uses, []) : local.cert_uses[use]
  ]))
}
# Certificates issued under the dedicated etcd CA (module.ca["etcd_ca"]).
# Instances are addressed as module.etcd_certs["<key>"].
module "etcd_certs" {
  # NOTE(review): unpinned git source — same concern as the other
  # certificate modules in this file; add `?ref=<commit-sha-placeholder>`.
  source = "git::github.com/edsoncsouza/vishwakarma.git//modules/tls/certificate"

  self_signed = false
  ca_config = {
    key_pem  = module.ca["etcd_ca"].private_key_pem
    cert_pem = module.ca["etcd_ca"].cert_pem
  }

  for_each = {
    # etcd serving certificate; it also acts as a client cert, which is
    # why both roles are requested.
    kube_etcd = {
      common_name           = "kube-etcd"
      validity_period_hours = "26280" # 3 years (3 * 365 * 24)
      cert_uses             = ["client", "server"]
      cert_hostnames        = ["localhost"]
      cert_ip_addresses     = ["127.0.0.1", "192.168.6.101", "192.168.6.102"]
    }

    # Peer-to-peer certificate between etcd members; same SAN set as the
    # serving cert because the members are the same hosts.
    kube_etcd_peer = {
      common_name           = "kube-etcd-peer"
      validity_period_hours = "26280"
      cert_uses             = ["client", "server"]
      cert_hostnames        = ["localhost"]
      cert_ip_addresses     = ["127.0.0.1", "192.168.6.101", "192.168.6.102"]
    }

    # Client certificate for the liveness probe against etcd.
    kube_etcd_healthcheck_client = {
      common_name           = "kube-etcd-healthcheck-client"
      validity_period_hours = "26280"
      cert_uses             = ["client"]
    }

    # NOTE(review): this entry reuses the name of the kubelet-client cert
    # from module.kubernetes_certs but is signed by the etcd CA, carries no
    # organization, and inherits the default validity.  Confirm whether the
    # API server's etcd client certificate was intended here.
    kube_apiserver_kubelet_client = {
      common_name = "kube-apiserver-kubelet-client"
      cert_uses   = ["client"]
    }
  }

  # Optional attributes fall back to an empty value (or the 3-year validity).
  cert_config = {
    common_name           = try(each.value.common_name, "")
    organization          = try(each.value.organization, "")
    validity_period_hours = try(each.value.validity_period_hours, "26280")
  }
  cert_hostnames    = try(each.value.cert_hostnames, [])
  cert_ip_addresses = try(each.value.cert_ip_addresses, [])

  # Role names -> flat, de-duplicated usage list.
  cert_uses = distinct(flatten([
    for use in try(each.value.cert_uses, []) : local.cert_uses[use]
  ]))
}
# Client certificate the API server presents to aggregated API servers,
# signed by the separate front-proxy CA (module.ca["kubernetes_front_proxy_ca"]).
# Addressed as module.kubernetes_front_proxy_certs["front_proxy_client"].
module "kubernetes_front_proxy_certs" {
  # NOTE(review): unpinned git source — add `?ref=<commit-sha-placeholder>`
  # as for the other certificate modules in this file.
  source = "git::github.com/edsoncsouza/vishwakarma.git//modules/tls/certificate"

  self_signed = false
  ca_config = {
    key_pem  = module.ca["kubernetes_front_proxy_ca"].private_key_pem
    cert_pem = module.ca["kubernetes_front_proxy_ca"].cert_pem
  }

  for_each = {
    front_proxy_client = {
      common_name           = "front-proxy-client"
      organization          = ""
      validity_period_hours = "26280" # 3 years (3 * 365 * 24)
      cert_uses             = ["client"]
    }
  }

  # Kept in the same shape as the other certificate modules so a single
  # entry can omit attributes and pick up the same defaults.
  cert_config = {
    common_name           = try(each.value.common_name, "")
    organization          = try(each.value.organization, "")
    validity_period_hours = try(each.value.validity_period_hours, "26280")
  }
  cert_hostnames    = try(each.value.cert_hostnames, [])
  cert_ip_addresses = try(each.value.cert_ip_addresses, [])

  # Role names -> flat, de-duplicated usage list.
  cert_uses = distinct(flatten([
    for use in try(each.value.cert_uses, []) : local.cert_uses[use]
  ]))
}
# A bare key pair with no certificate (the module is `tls/private-key`,
# not `tls/certificate`).  Presumably the service-account token signing
# key — the name suggests it, the file does not show the consumer.
# Addressed as module.kubernetes_service_accounts_certs["sa"]; the map
# value is unused and only the key matters.
module "kubernetes_service_accounts_certs" {
  # NOTE(review): unpinned git source — add `?ref=<commit-sha-placeholder>`.
  # This key validates every service-account token, so the module that
  # generates it deserves the same pinning as the certificate modules.
  source = "git::github.com/edsoncsouza/vishwakarma.git//modules/tls/private-key"

  for_each = {
    sa = {}
  }
}