v0.4.0
Modules affected
- k8s-tiller [BREAKING]
- k8s-tiller-tls-certs [NEW]
- k8s-helm-client-tls-certs [NEW]
Description
This brings in TLS generation into the k8s-tiller module. In particular, k8s-tiller has a new required variable tiller_tls_gen_method which indicates how the module should generate the TLS certificates. Currently there are three options:

- kubergrunt: Use the kubergrunt utility to generate the TLS certificates and upload as a Kubernetes Secret resource.
- provider: Use the tls Terraform provider to generate the TLS certs, and then use the kubernetes provider to upload them as a Kubernetes Secret resource.
- none: Don't generate any TLS certs and look them up based on the input variable tiller_tls_secret_name.
The characteristics of the three approaches are summarized in the table below. You can refer to the module README for more details.
Method | Amount of Control | Terraform Features | Secrets in Terraform State | External Dependencies |
---|---|---|---|---|
Direct | Full control | N/A | Only references | Yes (TLS certs must be generated externally) |
Provider | Limited control | Full support | All Secrets are stored in Terraform State | No |
Kubergrunt | Limited control | Limited support | Only references | Yes (kubergrunt binary) |
Additionally, this introduces the k8s-tiller-tls-certs and k8s-helm-client-tls-certs modules, which can be used to manually manage the TLS certificates for Tiller using the tls Terraform provider. Refer to the module READMEs for more details.
You can refer to the updated root example for example usage of the new modules.
Migration guide
To replicate the old behavior, pass in tiller_tls_gen_method = "none" to the module block for k8s-tiller.