# Key pair behind the kubelet *serving* certificate (RSA-2048).
# The generated PEM lives in Terraform state, so the state backend must be
# treated as a store of secret material.
resource "tls_private_key" "server_kubelet" {
  algorithm = "RSA"
  rsa_bits  = 2048
}
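# CSR for the kubelet serving certificate. One wildcard name covers every
# node in the current region under k8s.audios.cloud.
resource "tls_cert_request" "server_kubelet" {
  key_algorithm   = "${tls_private_key.server_kubelet.algorithm}"
  private_key_pem = "${tls_private_key.server_kubelet.private_key_pem}"

  # Subject Alternative Name. Hostname verification in Go's TLS stack (which
  # kube-apiserver uses) stopped falling back to the CN in Go 1.15, so a
  # certificate carrying only the CN below is rejected by the API server;
  # the same wildcard is therefore repeated as a SAN.
  dns_names = [
    "*.${data.aws_region.current.name}.k8s.audios.cloud",
  ]

  subject {
    common_name         = "*.${data.aws_region.current.name}.k8s.audios.cloud"
    organization        = "Audios Ventures, Inc"
    organizational_unit = "Department of Infrastructure"
    street_address = [
      "24 4th Street",
      "Suite #1007",
    ]
    locality    = "Troy"
    province    = "NY"
    country     = "US"
    postal_code = "12180"
  }
}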
# Signs the kubelet serving CSR with the root CA supplied through variables.
# Extended key usage is restricted to server_auth so this certificate cannot
# be presented as a client identity.
resource "tls_locally_signed_cert" "server_kubelet" {
  ca_key_algorithm   = "${var.ca_root_algo}"
  ca_cert_pem        = "${var.ca_root_cert}"
  ca_private_key_pem = "${var.ca_root_priv}"
  cert_request_pem   = "${tls_cert_request.server_kubelet.cert_request_pem}"

  # 87600 h = 10 years of validity; Terraform plans a replacement once fewer
  # than 8760 h (1 year) remain. A ten-year lifetime means a leaked key stays
  # usable for a long time unless revocation is in place — worth revisiting.
  validity_period_hours = 87600
  early_renewal_hours   = 8760

  allowed_uses = ["server_auth"]
}
# Key pair behind the kubelet *client* certificate (RSA-2048), used when the
# kubelet authenticates to the API server. As with every tls_private_key,
# the PEM is recorded in Terraform state.
resource "tls_private_key" "client_kubelet" {
  algorithm = "RSA"
  rsa_bits  = 2048
}
# CSR for the kubelet client certificate.
# NOTE(review): Kubernetes takes the client identity from this subject — the
# CN becomes the user name and O the group. Every kubelet signed from this
# request shares one identity (the regional wildcard), so the API server
# cannot tell nodes apart; with the Node authorizer the expected form is
# CN "system:node:<name>" / O "system:nodes". Confirm the cluster's
# authorization mode before relying on the subject below.
resource "tls_cert_request" "client_kubelet" {
  key_algorithm   = "${tls_private_key.client_kubelet.algorithm}"
  private_key_pem = "${tls_private_key.client_kubelet.private_key_pem}"

  subject {
    common_name         = "*.${data.aws_region.current.name}.k8s.audios.cloud"
    organization        = "Audios Ventures, Inc"
    organizational_unit = "Department of Infrastructure"
    street_address = [
      "24 4th Street",
      "Suite #1007",
    ]
    locality    = "Troy"
    province    = "NY"
    country     = "US"
    postal_code = "12180"
  }
}
# Signs the kubelet client CSR with the root CA supplied through variables.
# Extended key usage is restricted to client_auth, so this certificate is
# not accepted as a server certificate.
resource "tls_locally_signed_cert" "client_kubelet" {
  ca_key_algorithm   = "${var.ca_root_algo}"
  ca_cert_pem        = "${var.ca_root_cert}"
  ca_private_key_pem = "${var.ca_root_priv}"
  cert_request_pem   = "${tls_cert_request.client_kubelet.cert_request_pem}"

  # 10-year validity, replacement planned when under 1 year remains. The
  # same long-lifetime caveat as the serving certificate applies here.
  validity_period_hours = 87600
  early_renewal_hours   = 8760

  allowed_uses = ["client_auth"]
}
# Ignition entry that places the kubelet serving certificate on the node.
# The certificate is public, so world-readable 0644 is appropriate.
# NOTE(review): a leading-zero literal is octal under HCL1 (Terraform 0.11)
# but decimal under HCL2 (0.12+); when upgrading, rewrite as decimal 420.
data "ignition_file" "kubelet_server_cert" {
  path       = "/etc/ssl/certs/kubelet_server.pem"
  filesystem = "root"
  mode       = 0644
  uid        = 0
  gid        = 0

  content {
    content = "${tls_locally_signed_cert.server_kubelet.cert_pem}"
  }
}
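# Ignition entry that places the kubelet serving *private key* on the node.
# The previous mode (0644) made the key readable by every local user; a
# private key must be owner-only.
data "ignition_file" "kubelet_server_key" {
  path       = "/etc/ssl/private/kubelet_server.pem"
  filesystem = "root"
  # 0600 (owner read/write only), written as decimal 384 so the value is the
  # same whether HCL treats a leading-zero literal as octal (HCL1) or as
  # decimal (HCL2).
  mode = 384
  uid  = 0
  gid  = 0

  content {
    content = "${tls_private_key.server_kubelet.private_key_pem}"
  }
}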
# Ignition entry that places the kubelet client certificate on the node.
# Public material; world-readable 0644 is fine.
# NOTE(review): leading-zero literals are octal only under HCL1 (Terraform
# 0.11); on 0.12+ the equivalent is decimal 420.
data "ignition_file" "kubelet_client_cert" {
  path       = "/etc/ssl/certs/kubelet_client.pem"
  filesystem = "root"
  mode       = 0644
  uid        = 0
  gid        = 0

  content {
    content = "${tls_locally_signed_cert.client_kubelet.cert_pem}"
  }
}
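# Ignition entry that places the kubelet client *private key* on the node.
# The previous mode (0644) exposed the key to every local user; a private
# key must be owner-only.
data "ignition_file" "kubelet_client_key" {
  path       = "/etc/ssl/private/kubelet_client.pem"
  filesystem = "root"
  # 0600 (owner read/write only), written as decimal 384 so the value is the
  # same whether HCL treats a leading-zero literal as octal (HCL1) or as
  # decimal (HCL2).
  mode = 384
  uid  = 0
  gid  = 0

  content {
    content = "${tls_private_key.client_kubelet.private_key_pem}"
  }
}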