
Commit bdae0af

alpe5tefan
authored and committed
Private Network Interfaces (kubernetes-digitalocean-terraform#18)
* Access etcd via private network * Use private network for master-cluster
1 parent 33782cb commit bdae0af


4 files changed

+16
-14
lines changed


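--- a/00-etcd.yaml
+++ b/00-etcd.yaml
@@ -2,7 +2,7 @@
 
 coreos:
 etcd2:
-advertise-client-urls: https://$public_ipv4:2379
+advertise-client-urls: https://$private_ipv4:2379 # multi-region and multi-cloud deployments need to use $public_ipv4
 listen-client-urls: https://0.0.0.0:2379
 client-cert-auth: true
 trusted-ca-file: /etc/kubernetes/ssl/ca.pem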
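Review bot: `listen-client-urls: https://0.0.0.0:2379` is left unchanged, so although clients are now told to use the private address, the etcd client port still accepts connections on the droplet's public interface. `client-cert-auth: true` keeps unauthenticated callers out, but the TLS endpoint stays reachable from the internet, and since deploy.tf now issues the etcd server certificate for the private IP only, the public interface serves a certificate that does not match its own address. Binding to the private and loopback addresses only, `listen-client-urls: https://$private_ipv4:2379,https://127.0.0.1:2379`, narrows the exposed surface, with a host or provider firewall as the complement. The trailing comment on the advertise line should also state that switching back to `$public_ipv4` requires regenerating the etcd server certificate with the public address in its SANs, e.g. `# ... use $public_ipv4 (and add it to the cfssl server cert SANs)`.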

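--- a/01-master.yaml
+++ b/01-master.yaml
@@ -4,7 +4,7 @@ write_files:
 - path: "/etc/flannel/options.env"
 permissions: "0755"
 content: |
-FLANNELD_IFACE=$public_ipv4
+FLANNELD_IFACE=$private_ipv4
 FLANNELD_ETCD_ENDPOINTS=https://${ETCD_IP}:2379
 FLANNELD_ETCD_CAFILE=/etc/ssl/etcd/ca.pem
 FLANNELD_ETCD_CERTFILE=/etc/ssl/etcd/client.pem
@@ -39,7 +39,7 @@ write_files:
 --register-schedulable=false \
 --allow-privileged=true \
 --config=/etc/kubernetes/manifests \
---hostname-override=$public_ipv4 \
+--hostname-override=$private_ipv4 \
 --cluster-dns=${DNS_SERVICE_IP} \
 --cluster-domain=cluster.local
 Restart=always
@@ -70,7 +70,7 @@ write_files:
 - --allow-privileged=true
 - --service-cluster-ip-range=${SERVICE_IP_RANGE}
 - --secure-port=443
-- --advertise-address=$public_ipv4
+- --advertise-address=$private_ipv4
 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
 - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
 - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem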
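Review bot: Moving `--advertise-address` and `FLANNELD_IFACE` to `$private_ipv4` changes where peers are told to connect, not who can reach the apiserver: no `--bind-address` appears in the hunk, so `--secure-port=443` presumably still binds every interface, and at least historically DigitalOcean's private networking was a datacenter-wide segment shared with other customers' droplets rather than a per-tenant network — confirm for the region in use. Access control therefore still rests entirely on the TLS client-certificate checks (`--tls-cert-file` here, `client-cert-auth` on etcd), and the private network must not be read as an isolation boundary. A comment on the `FLANNELD_IFACE` line would keep that clear for later readers: `# private interface: reduces public exposure, but is not a trust boundary - auth is enforced by TLS client certs`. The write_files entries continue outside the hunks.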

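--- a/02-worker.yaml
+++ b/02-worker.yaml
@@ -5,7 +5,7 @@ write_files:
 - path: "/etc/flannel/options.env"
 permissions: "0755"
 content: |
-FLANNELD_IFACE=$public_ipv4
+FLANNELD_IFACE=$private_ipv4
 FLANNELD_ETCD_ENDPOINTS=https://${ETCD_IP}:2379
 FLANNELD_ETCD_CAFILE=/etc/ssl/etcd/ca.pem
 FLANNELD_ETCD_CERTFILE=/etc/ssl/etcd/worker.pem
@@ -40,7 +40,7 @@ write_files:
 --register-node=true \
 --allow-privileged=true \
 --config=/etc/kubernetes/manifests \
---hostname-override=$public_ipv4 \
+--hostname-override=$private_ipv4 \
 --cluster-dns=${DNS_SERVICE_IP} \
 --cluster-domain=cluster.local \
 --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \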
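Review bot: Changing `--hostname-override` from `$public_ipv4` to `$private_ipv4` renames every worker node, and with `--register-node=true` a kubelet applying this on an existing cluster will register a new Node object under the private address while the old public-IP-named Node lingers as NotReady until deleted by hand — worth a line in the commit description or a comment on that flag, e.g. `# node name is the private IP; changing it re-registers the node`. The worker's credentials (`worker.pem`, `worker-kubeconfig.yaml`) are produced outside this diff, so check they are not tied to the old node name. The kubelet unit continues beyond the hunk.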

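--- a/deploy.tf
+++ b/deploy.tf
@@ -44,6 +44,7 @@ resource "digitalocean_droplet" "k8s_etcd" {
 image = "coreos-stable"
 name = "k8s-etcd"
 region = "${var.do_region}"
+private_networking = true
 size = "512mb"
 user_data = "${file("00-etcd.yaml")}"
 ssh_keys = [
@@ -60,7 +61,7 @@ EOF
 # Generate k8s-etcd server certificate
 provisioner "local-exec" {
 command = <<EOF
-$PWD/cfssl/generate_server.sh k8s_etcd ${digitalocean_droplet.k8s_etcd.ipv4_address}
+$PWD/cfssl/generate_server.sh k8s_etcd ${digitalocean_droplet.k8s_etcd.ipv4_address_private}
 EOF
 }
 
@@ -122,7 +123,7 @@ data "template_file" "master_yaml" {
 template = "${file("01-master.yaml")}"
 vars {
 DNS_SERVICE_IP = "10.3.0.10"
-ETCD_IP = "${digitalocean_droplet.k8s_etcd.ipv4_address}"
+ETCD_IP = "${digitalocean_droplet.k8s_etcd.ipv4_address_private}"
 POD_NETWORK = "10.2.0.0/16"
 SERVICE_IP_RANGE = "10.3.0.0/24"
 HYPERCUBE_VERSION = "${var.hypercube_version}"
@@ -141,6 +142,7 @@ resource "digitalocean_droplet" "k8s_master" {
 image = "coreos-stable"
 name = "k8s-master"
 region = "${var.do_region}"
+private_networking = true
 size = "512mb"
 user_data = "${data.template_file.master_yaml.rendered}"
 ssh_keys = [
@@ -150,7 +152,7 @@ resource "digitalocean_droplet" "k8s_master" {
 # Generate k8s_master server certificate
 provisioner "local-exec" {
 command = <<EOF
-$PWD/cfssl/generate_server.sh k8s_master "${digitalocean_droplet.k8s_master.ipv4_address},10.3.0.1,kubernetes.default,kubernetes"
+$PWD/cfssl/generate_server.sh k8s_master "${digitalocean_droplet.k8s_master.ipv4_address},${digitalocean_droplet.k8s_master.ipv4_address_private},10.3.0.1,kubernetes.default,kubernetes"
 EOF
 }
 
@@ -177,7 +179,7 @@ EOF
 }
 }
 
-# Generate k9s_master client certificate
+# Generate k8s_master client certificate
 provisioner "local-exec" {
 command = <<EOF
 $PWD/cfssl/generate_client.sh k8s_master
@@ -218,7 +220,7 @@ EOF
 provisioner "remote-exec" {
 inline = [
 "sudo systemctl daemon-reload",
-"curl --cacert /etc/kubernetes/ssl/ca.pem --cert /etc/kubernetes/ssl/client.pem --key /etc/kubernetes/ssl/client-key.pem -X PUT -d 'value={\"Network\":\"10.2.0.0/16\",\"Backend\":{\"Type\":\"vxlan\"}}' https://${digitalocean_droplet.k8s_etcd.ipv4_address}:2379/v2/keys/coreos.com/network/config",
+"curl --cacert /etc/kubernetes/ssl/ca.pem --cert /etc/kubernetes/ssl/client.pem --key /etc/kubernetes/ssl/client-key.pem -X PUT -d 'value={\"Network\":\"10.2.0.0/16\",\"Backend\":{\"Type\":\"vxlan\"}}' https://${digitalocean_droplet.k8s_etcd.ipv4_address_private}:2379/v2/keys/coreos.com/network/config",
 "sudo systemctl start flanneld",
 "sudo systemctl enable flanneld",
 "sudo systemctl start kubelet",
@@ -244,8 +246,8 @@ data "template_file" "worker_yaml" {
 template = "${file("02-worker.yaml")}"
 vars {
 DNS_SERVICE_IP = "10.3.0.10"
-ETCD_IP = "${digitalocean_droplet.k8s_etcd.ipv4_address}"
-MASTER_HOST = "${digitalocean_droplet.k8s_master.ipv4_address}"
+ETCD_IP = "${digitalocean_droplet.k8s_etcd.ipv4_address_private}"
+MASTER_HOST = "${digitalocean_droplet.k8s_master.ipv4_address_private}"
 HYPERCUBE_VERSION = "${var.hypercube_version}"
 }
 }
@@ -260,11 +262,11 @@ data "template_file" "worker_yaml" {
 
 resource "digitalocean_droplet" "k8s_worker" {
 count = "${var.number_of_workers}"
-
 image = "coreos-stable"
 name = "${format("k8s-worker-%02d", count.index + 1)}"
 region = "${var.do_region}"
 size = "512mb"
+private_networking = true
 user_data = "${data.template_file.worker_yaml.rendered}"
 ssh_keys = [
 "${var.ssh_fingerprint}"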
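Review bot: The etcd server certificate is now issued for the private address only (`generate_server.sh k8s_etcd ${digitalocean_droplet.k8s_etcd.ipv4_address_private}`), whereas the master certificate two hunks later is issued for both addresses; since 00-etcd.yaml still listens on `0.0.0.0` and its new comment invites switching `advertise-client-urls` back to `$public_ipv4` for multi-region setups, that switch would fail TLS verification until this call is updated too. Mirroring the master call keeps the two consistent: `$PWD/cfssl/generate_server.sh k8s_etcd "${digitalocean_droplet.k8s_etcd.ipv4_address_private},${digitalocean_droplet.k8s_etcd.ipv4_address}"`. Separately, `private_networking = true` on the three droplets adds an interface but nothing in this file restricts the public one, so 2379 and 443 remain reachable from the internet and rely entirely on client-certificate auth; a firewall rule limiting those ports to the private range would be the natural complement. The resource and data blocks continue outside the hunks.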
