Trust the Kubernetes CA on nodes

modules/aws/ignition/ignition.tf

@@ -4,6 +4,7 @@ data "ignition_config" "main" {
     "${data.ignition_file.s3-puller.id}",
     "${data.ignition_file.init-assets.id}",
     "${data.ignition_file.detect-master.id}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
@@ -14,6 +15,38 @@ data "ignition_config" "main" {
     "${data.ignition_systemd_unit.init-assets.id}",
     "${data.ignition_systemd_unit.bootkube.id}",
     "${data.ignition_systemd_unit.tectonic.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
+  ]
+}
+
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
   ]
 }
 

modules/aws/ignition/variables.tf

@@ -58,3 +58,7 @@ EOF
 
   type = "string"
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

modules/azure/master-as/ignition-master.tf

@@ -4,6 +4,7 @@ data "ignition_config" "master" {
     "${data.ignition_file.kubelet-env.id}",
     "${data.ignition_file.max-user-watches.id}",
     "${data.ignition_file.cloud-provider-config.id}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
@@ -12,6 +13,7 @@ data "ignition_config" "master" {
     "${data.ignition_systemd_unit.kubelet-master.id}",
     "${data.ignition_systemd_unit.tectonic.id}",
     "${data.ignition_systemd_unit.bootkube.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
   ]
 
   users = [
@@ -27,6 +29,37 @@ data "ignition_user" "core" {
   ]
 }
 
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
+  ]
+}
+
 data "ignition_systemd_unit" "docker" {
   name   = "docker.service"
   enable = true

modules/azure/master-as/variables.tf

@@ -107,3 +107,7 @@ variable "versions" {
 variable "cl_channel" {
   type = "string"
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

modules/azure/master-ss/ignition-master.tf

@@ -3,6 +3,7 @@ data "ignition_config" "master" {
     "${data.ignition_file.kubeconfig.id}",
     "${data.ignition_file.kubelet-env.id}",
     "${data.ignition_file.max-user-watches.id}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
@@ -11,6 +12,7 @@ data "ignition_config" "master" {
     "${data.ignition_systemd_unit.kubelet-master.id}",
     "${data.ignition_systemd_unit.tectonic.id}",
     "${data.ignition_systemd_unit.bootkube.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
   ]
 
   users = [
@@ -26,6 +28,37 @@ data "ignition_user" "core" {
   ]
 }
 
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
+  ]
+}
+
 data "ignition_systemd_unit" "docker" {
   name   = "docker.service"
   enable = true

modules/azure/master-ss/variables.tf

@@ -92,3 +92,7 @@ variable "tectonic_service_disabled" {
   description = "Specifies whether the tectonic installer systemd unit will be disabled. If true, no tectonic assets will be deployed"
   default     = false
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

modules/azure/worker-as/ignition-worker.tf

@@ -4,19 +4,52 @@ data "ignition_config" "worker" {
     "${data.ignition_file.kubelet-env.id}",
     "${data.ignition_file.max-user-watches.id}",
     "${data.ignition_file.cloud-provider-config.id}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
     "${data.ignition_systemd_unit.docker.id}",
     "${data.ignition_systemd_unit.locksmithd.id}",
     "${data.ignition_systemd_unit.kubelet-worker.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
   ]
 
   users = [
     "${data.ignition_user.core.id}",
   ]
 }
 
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
+  ]
+}
+
 data "ignition_systemd_unit" "docker" {
   name   = "docker.service"
   enable = true

modules/azure/worker-as/variables.tf

@@ -83,3 +83,7 @@ variable "cl_channel" {
 variable "kubelet_cni_bin_dir" {
   type = "string"
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

modules/openstack/nodes/ignition.tf

@@ -11,6 +11,7 @@ data "ignition_config" "node" {
     "${data.ignition_file.max-user-watches.id}",
     "${data.ignition_file.resolv_conf.id}",
     "${data.ignition_file.hostname.*.id[count.index]}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
@@ -19,6 +20,38 @@ data "ignition_config" "node" {
     "${data.ignition_systemd_unit.kubelet.id}",
     "${data.ignition_systemd_unit.bootkube.id}",
     "${data.ignition_systemd_unit.tectonic.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
+  ]
+}
+
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
   ]
 }
 

modules/openstack/nodes/variables.tf

@@ -70,3 +70,7 @@ variable "tectonic_service_disabled" {
   description = "Specifies whether the tectonic installer systemd unit will be disabled. If true, no tectonic assets will be deployed"
   default     = false
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

modules/vmware/node/ignition.tf

@@ -9,6 +9,7 @@ data "ignition_config" "node" {
     "${data.ignition_file.max-user-watches.id}",
     "${data.ignition_file.node_hostname.*.id[count.index]}",
     "${data.ignition_file.kubelet-env.id}",
+    "${data.ignition_file.kube_ca.id}",
   ]
 
   systemd = [
@@ -18,6 +19,8 @@ data "ignition_config" "node" {
     "${data.ignition_systemd_unit.kubelet-env.id}",
     "${data.ignition_systemd_unit.bootkube.id}",
     "${data.ignition_systemd_unit.tectonic.id}",
+    "${data.ignition_systemd_unit.vmtoolsd_member.id}",
+    "${data.ignition_systemd_unit.update-ca-certificates.id}",
   ]
 
   networkd = [
@@ -30,6 +33,37 @@ data "ignition_user" "core" {
   ssh_authorized_keys = ["${var.core_public_keys}"]
 }
 
+data "ignition_file" "kube_ca" {
+  path       = "/etc/ssl/certs/kube_ca.pem"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${var.kube_ca_crt_pem}"
+  }
+}
+
+data "ignition_systemd_unit" "update-ca-certificates" {
+  name   = "update-ca-certificates.service"
+  enable = true
+
+  dropin = [
+    {
+      name    = "10-alwaysrun.conf"
+      content = <<EOF
+[Unit]
+ConditionPathIsSymbolicLink=
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/update-ca-certificates
+EOF
+    },
+  ]
+}
+
 data "ignition_systemd_unit" "docker" {
   name   = "docker.service"
   enable = true

modules/vmware/node/variables.tf

@@ -142,3 +142,7 @@ EOF
 
   type = "string"
 }
+
+variable "kube_ca_crt_pem" {
+  type = "string"
+}

platforms/aws/main.tf

@@ -96,6 +96,7 @@ module "ignition-masters" {
   tectonic_service_disabled = "${var.tectonic_vanilla_k8s}"
   cluster_name              = "${var.tectonic_cluster_name}"
   image_re                  = "${var.tectonic_image_re}"
+  kube_ca_crt_pem           = "${module.bootkube.ca_cert}"
 }
 
 module "masters" {
@@ -144,6 +145,7 @@ module "ignition-workers" {
   tectonic_service       = ""
   cluster_name           = ""
   image_re               = "${var.tectonic_image_re}"
+  kube_ca_crt_pem        = "${module.bootkube.ca_cert}"
 }
 
 module "workers" {

platforms/azure/main.tf

@@ -112,6 +112,7 @@ module "masters" {
   tectonic_service_disabled    = "${var.tectonic_vanilla_k8s}"
   versions                     = "${var.tectonic_versions}"
   cl_channel                   = "${var.tectonic_cl_channel}"
+  kube_ca_crt_pem              = "${module.bootkube.ca_cert}"
 }
 
 module "workers" {
@@ -137,6 +138,7 @@ module "workers" {
   kubelet_cni_bin_dir          = "${var.tectonic_calico_network_policy ? "/var/lib/cni/bin" : "" }"
   versions                     = "${var.tectonic_versions}"
   cl_channel                   = "${var.tectonic_cl_channel}"
+  kube_ca_crt_pem              = "${module.bootkube.ca_cert}"
 }
 
 module "dns" {