From 4b47f8e84ace4a85c7059cc00396acc9cea07663 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joost=20D=C3=B6bken?=
Date: Mon, 1 Mar 2021 21:14:16 +0100
Subject: [PATCH] output TLS certificate credentials (#16)

---
 README.md | 26 ++++++++++++++++++-
 main.tf | 16 ++++++++++++
 modules/kubernetes/main.tf | 48 +++++++++++++++++++++++++++++++++++
 modules/kubernetes/outputs.tf | 16 ++++++++++++
 4 files changed, 105 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f9aae94..63b067d 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ resource "hcloud_ssh_key" "demo_cluster" {
 
 # Create a kubernetes cluster
 module "hcloud_kubernetes_cluster" {
- source = "git::github.com/JWDobken/terraform-hcloud-kubernetes.git?ref=v0.1.6"
+ source = "git::github.com/JWDobken/terraform-hcloud-kubernetes.git?ref=v0.1.7"
 cluster_name = "demo-cluster"
 hcloud_token = var.hcloud_token
 hcloud_ssh_keys = [hcloud_ssh_key.demo_cluster.id]
@@ -111,6 +111,30 @@ helm upgrade --install nginx-ingress \
 bitnami/nginx-ingress-controller
 ```
 
+## Chaining other terraform modules
+
+TLS certificate credentials form the output can be used to chain other Terraform modules, such as the [Helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) or the [Kubernetes provider](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs):
+
+```hcl
+provider "helm" {
+ kubernetes {
+ host = module.hcloud_kubernetes_cluster.endpoint
+
+ cluster_ca_certificate = base64decode(module.hcloud_kubernetes_cluster.certificate_authority_data)
+ client_certificate = base64decode(module.hcloud_kubernetes_cluster.client_certificate_data)
+ client_key = base64decode(module.hcloud_kubernetes_cluster.client_key_data)
+ }
+}
+
+provider "kubernetes" {
+ host = module.hcloud_kubernetes_cluster.endpoint
+
+ client_certificate = base64decode(module.hcloud_kubernetes_cluster.client_certificate_data)
+ client_key = base64decode(module.hcloud_kubernetes_cluster.client_key_data)
+ cluster_ca_certificate = base64decode(module.hcloud_kubernetes_cluster.client_certificate_data)
+}
+```
+
 ## Considered features:
 
 - When a node is destroyed, I still need to run `kubectl drain ` and `kubectl delete node `. Compare actual list with `kubectl get nodes --output 'jsonpath={.items[*].metadata.name}'`.
diff --git a/main.tf b/main.tf
index 7f4b6d2..ee70fb2 100644
--- a/main.tf
+++ b/main.tf
@@ -132,3 +132,19 @@ output "worker_nodes" {
 output "kubeconfig" {
 value = module.kubernetes.kubeconfig
 }
+
+output "endpoint" {
+ value = module.kubernetes.endpoint
+}
+
+output "certificate_authority_data" {
+ value = module.kubernetes.certificate_authority_data
+}
+
+output "client_certificate_data" {
+ value = module.kubernetes.client_certificate_data
+}
+
+output "client_key_data" {
+ value = module.kubernetes.client_key_data
+}
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index c83cbe9..c1e228d 100644
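Review bot: `client_key_data` is a private key and the new `output "client_key_data"` block exports it as a plain output, so its value is echoed by `terraform apply` and `terraform output` and ends up in CI logs; add `sensitive = true` inside that block (the two certificate outputs and the existing `kubeconfig` output this hunk extends would benefit from the same flag). The value still lands in the state file either way, so the state backend needs the same protection as the key material itself. Separately, the README example added by this commit that consumes these outputs sets the kubernetes provider's `cluster_ca_certificate` from `client_certificate_data` instead of `certificate_authority_data`, which would break verification of the API server; it should read `cluster_ca_certificate = base64decode(module.hcloud_kubernetes_cluster.certificate_authority_data)`, matching the helm block above it.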
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -114,3 +114,51 @@ module "kubeconfig" {
 root@${local.master_ip} 'cat /root/.kube/config'
 EOT
 }
+
+module "endpoint" {
+ source = "matti/resource/shell"
+ depends_on = [null_resource.kubeadm_join]
+
+ trigger = element(var.master_nodes.*.ipv4_address, 0)
+
+ command = <