# tf_kube_ignition

Repository: https://github.com/utilitywarehouse/tf_kube_ignition (owner: utilitywarehouse; language: HCL; license: MIT; topics: container-linux, flatcar-linux, ignition, k8s, kubernetes, terraform). Repository description: "Flatcar Linux Ignition config for a Kubernetes cluster, in the form of a Terraform module."

This Terraform module generates Ignition configuration for Container Linux to help bootstrap Kubernetes nodes. It requires at least Kubernetes v1.9.

## Input Variables

The input variables are documented in their descriptions; refer to [variables.tf](variables.tf).

## Outputs

- `master` - the rendered ignition config for master nodes
- `worker` - the rendered ignition config for worker nodes
- `etcd` - the rendered ignition config for etcd nodes
- `cfssl` - the rendered ignition config for the cfssl server

## Usage

Below is an example of how you might use this Terraform module:

```hcl
module "ignition" {
  source = "github.com/utilitywarehouse/tf_kube_ignition?ref=1.0.0"

  cloud_provider                           = "aws"
  enable_container_linux_update-engine     = true
  enable_container_linux_locksmithd_master = false
  enable_container_linux_locksmithd_worker = false
  dns_domain                               = "${var.role_name}.${var.account}.${var.vpc_dns_zone_name}"
  cluster_dns                              = "10.3.0.10"
  master_instance_count                    = "3"
  master_address                           = "master.kube.example.com"
  etcd_addresses                           = ["10.10.0.6", "10.10.0.7", "10.10.0.8"]
  oidc_issuer_url                          = "https://accounts.google.com"
  oidc_client_id                           = "000000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
  cfssl_ca_cn                              = "Example CA"
  cfssl_server_address                     = "${var.cfssl_instance_address}"
  cfssl_node_renew_timer                   = "*-*-* 00/6:00:00"
  cfssl_data_volumeid                      = "${module.cluster.cfssl_data_volumeid}"
  etcd_data_volumeids                      = "${module.cluster.etcd_data_volumeids}"
  etcd_additional_files                    = ["${data.ignition_file.if.rendered}"]
  etcd_additional_systemd_units            = ["${data.ignition_systemd_unit.isu.rendered}", "${data.ignition_systemd_unit.isu2.rendered}"]
  master_additional_systemd_units          = ["${data.ignition_systemd_unit.isu.rendered}"]
  worker_additional_systemd_units          = ["${data.ignition_systemd_unit.isu.rendered}"]
  cfssl_additional_systemd_units           = ["${data.ignition_systemd_unit.isu.rendered}"]
}
```

## Certificates

Certificates for the cluster components are fetched from the `cfssl` server, and they are all issued by the same `CA`.

As part of the `kubelet` systemd service's pre-start steps we fetch all the needed certificates, following the `kubeadm` [docs](https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#generate-the-necessary-certificates). All kube components authenticate against the apiservers using a client certificate; in particular, the certificate's `CN` is used as the RBAC user and its `ORG` as the RBAC group.

We get the following certificates on every `kubelet` service restart:

### Master

#### Kubelet

- A `node` certificate used in the kubelet kubeconfig to authenticate against the apiserver
```
CN=system:node:<node_name>
ORG=system:master-nodes
```

- A `kubelet` certificate to serve apiserver requests on port `:10250`, based on [doc](https://kubernetes.io/docs/concepts/architecture/master-node-communication/#apiserver-to-kubelet)
```
CN=system:kubelet:<node_name>
ORG=system:kubelets
```

#### Apiserver

- A serving certificate for the API server (`apiserver`)
Common Name and Organisation are not important here, as this cert is not used to authenticate against the apiservers, but the certificate needs to specify all the alternative DNS names that the apiservers listen on.

- A client certificate for the API server to connect to the kubelets securely (`apiserver-kubelet-client`)
```
CN=system:node:<node_name>
ORG=system:masters
```

#### Kube Scheduler

- A `scheduler` certificate used in kube-scheduler's kubeconfig file to communicate with the apiservers.
```
CN=system:kube-scheduler
ORG=
```

#### Kube Controller Manager

- A `controller-manager` certificate used in kube-controller-manager's kubeconfig file to communicate with the apiservers.
```
CN=system:kube-controller-manager
ORG=
```

### Node

#### Kubelet

- A `node` certificate used in the kubelet kubeconfig to authenticate against the apiserver
```
CN=system:node:<node_name>
ORG=system:nodes
```

- A `kubelet` certificate to serve apiserver requests on port `:10250`, based on [doc](https://kubernetes.io/docs/concepts/architecture/master-node-communication/#apiserver-to-kubelet)
```
CN=system:kubelet:<node_name>
ORG=system:kubelets
```