# Flag map handed to kube-apiserver as `extra_flags` (see
# data.ignition_file.kube_apiserver below). merge() gives later arguments
# precedence, so the audit/encryption paths set here override any same-named
# key in local.apiserver_flags or local.audit_log_flags, and the two
# conditional maps override everything before them.
locals {
  merged_apiserver_flags = merge(
    local.apiserver_flags,
    local.audit_log_flags,
    {
      # These paths must stay in sync with data.ignition_file.audit_log_policy
      # and data.ignition_file.encryption_config in this file.
      audit-policy-file          = "${local.etc_path}/config/policy.yaml"
      audit-log-path             = "${local.log_path}/kube-apiserver-audit.log"
      encryption-provider-config = "${local.etc_path}/config/encryption.yaml"
    },
    # Token webhook authentication. The webhook kubeconfig at
    # var.auth_webhook_config_path is not written by this file.
    var.enable_iam_auth ? {
      authentication-token-webhook-config-file = var.auth_webhook_config_path,
    } : {},
    # IRSA: projected service-account tokens are signed with sa.key and carry
    # an issuer/audience that an external OIDC relying party can validate;
    # local.oidc_config is defined elsewhere.
    var.enable_irsa ? {
      service-account-signing-key-file = "${local.etc_path}/pki/sa.key",
      api-audiences                    = local.oidc_config.api_audiences
      service-account-issuer           = local.oidc_config.issuer
    } : {},
  )
}
# Secret manifest for the TLS bootstrap token (id + secret), rendered into the
# addons directory. The rendered file carries the token secret in clear text.
# NOTE(review): mode 420 (0644) makes it readable by every local user on the
# node; unless whatever applies the addons directory runs unprivileged,
# 384 (0600) would be the tighter choice — confirm against the addon applier.
data "ignition_file" "bootstrap_token_secret" {
  path      = format("%s/addons/bootstrap-token-secret.yaml", local.etc_path)
  overwrite = true
  mode      = 420 # 0644

  content {
    mime = "text/yaml"
    content = templatefile("${path.module}/templates/bootstrap-token/secret.yaml.tpl", {
      id     = var.tls_bootstrap_token.id
      secret = var.tls_bootstrap_token.secret
    })
  }
}
# RBAC manifest that accompanies the bootstrap token Secret above. The
# template takes no variables; templatefile() is still used (rather than
# file()) so any directives inside the template are processed.
data "ignition_file" "bootstrap_token_rbac" {
  path      = format("%s/addons/bootstrap-token-rbac.yaml", local.etc_path)
  overwrite = true
  mode      = 420 # 0644

  content {
    mime    = "text/yaml"
    content = templatefile("${path.module}/templates/bootstrap-token/rbac.yaml.tpl", {})
  }
}
# kube-apiserver audit policy, referenced by the `audit-policy-file` flag in
# local.merged_apiserver_flags. The policy body comes from the caller via
# var.audit_log_policy_content; the template (not shown here) presumably only
# wraps it, so an empty or overly permissive policy is the caller's to review.
data "ignition_file" "audit_log_policy" {
  path      = format("%s/config/policy.yaml", local.etc_path)
  overwrite = true
  mode      = 420 # 0644; the policy itself contains no secrets

  content {
    mime = "text/yaml"
    content = templatefile("${path.module}/templates/configs/audit-policy.yaml.tpl", {
      content = var.audit_log_policy_content
    })
  }
}
# EncryptionConfiguration for secrets-at-rest, referenced by the
# `encryption-provider-config` flag in local.merged_apiserver_flags. The raw
# key in var.encryption_secret is base64-encoded here, so the template is
# expected to place it in a provider `secret:` field that takes base64.
# NOTE(review): this file holds the key that protects every Secret in etcd,
# yet mode 420 (0644) leaves it readable by any local user; 384 (0600) is the
# tighter choice if kube-apiserver reads it as root — confirm against the
# manifest template. The key is also present in Terraform state and in the
# rendered Ignition config wherever that is delivered.
data "ignition_file" "encryption_config" {
  path      = format("%s/config/encryption.yaml", local.etc_path)
  overwrite = true
  mode      = 420 # 0644

  content {
    mime = "text/yaml"
    content = templatefile("${path.module}/templates/configs/encryption.yaml.tpl", {
      secret = base64encode(var.encryption_secret)
    })
  }
}
# Pod manifest for kube-apiserver, written to the manifests directory
# (presumably picked up by kubelet as a static pod). Every on-node path handed
# to the template is derived from local.etc_path / local.log_path so it lines
# up with the pki, config and audit-log files written by this module; the flag
# map from local.merged_apiserver_flags is passed through as `extra_flags`.
data "ignition_file" "kube_apiserver" {
  path      = format("%s/manifests/kube-apiserver.yaml", local.etc_path)
  overwrite = true
  mode      = 420 # 0644

  content {
    mime = "text/yaml"
    content = templatefile("${path.module}/templates/manifests/kube-apiserver.yaml.tpl", {
      # Image reference taken from the containers map (repo + tag).
      image     = format("%s:%s", local.containers["kube_apiserver"].repo, local.containers["kube_apiserver"].tag)
      resources = local.components_resource["kube_apiserver"]
      log_level = var.log_level["kube_apiserver"]

      # On-node locations consumed by the manifest.
      pki_path      = format("%s/pki", local.etc_path)
      etcd_pki_path = format("%s/pki/etcd", local.etc_path)
      config_path   = format("%s/config", local.etc_path)
      log_path      = local.log_path

      # Listener and backend wiring.
      secure_port    = var.apiserver_secure_port
      etcd_endpoints = var.etcd_endpoints
      cluster_cidr   = var.pod_network_cidr
      service_cidr   = var.service_network_cidr

      # TODO: move cloud_provider into merged_apiserver_flags so all flags
      # flow through one map.
      cloud_provider = local.cloud_provider
      extra_flags    = local.merged_apiserver_flags
    })
  }
}