Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/cleanup pre commit findings #100

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix/cleanup pre commit findings #100

wants to merge 3 commits into from

Conversation

rkage
Copy link
Member

@rkage rkage commented Feb 1, 2021

Description

Cleans up some pre-commit findings.. @anthr76 - have a look since this removes private keys.

@github-actions
Copy link

github-actions bot commented Feb 1, 2021

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖Success! The configuration is valid.

Terraform Plan 📖success

Show Plan 
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

google_compute_network.vpc: Refreshing state... [id=projects/raspbernetes/global/networks/raspbernetes-vpc]
google_compute_subnetwork.subnet: Refreshing state... [id=projects/raspbernetes/regions/us-central1/subnetworks/raspbernetes-subnet]
google_container_cluster.primary: Refreshing state... [id=projects/raspbernetes/locations/us-central1/clusters/raspbernetes-gke]
google_container_node_pool.primary_nodes: Refreshing state... [id=projects/raspbernetes/locations/us-central1/clusters/raspbernetes-gke/nodePools/raspbernetes-gke-node-pool]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Pusher: @rkage, Action: pull_request, Working Directory: infrastructure/gcp, Workflow: terraform-plan

xunholy
xunholy reviewed Feb 1, 2021
View reviewed changes
ansible/roles/cluster/templates/kubeadm-join.yaml.j2
unsafeSkipCAVerification: false
caCertHashes:
- sha256:{{ cluster_ca_sha256 }}
- sha256:{{ cluster_ca_sha256 }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- sha256:{{ cluster_ca_sha256 }}
- sha256: {{ cluster_ca_sha256 }}

ansible/roles/cluster/templates/kubeadm-init.yaml.j2
kind: InitConfiguration
bootstrapTokens:
- token: {{ kubeadm_join_token }}
ttl: 1h
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ttl: 1h
ttl: 24h

ansible/roles/cluster/templates/kubeadm-init.yaml.j2
Comment on lines +8 to +12
groups:
- system:bootstrappers:kubeadm:default-node-token
usages:
- signing
- authentication
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these still requried for 1.20.x?

ansible/roles/cluster/templates/kubeadm-init.yaml.j2
bindPort: {{ cluster_apiserver_bind_port }}
certificateKey: {{ kubeadm_certificate_key }}
nodeRegistration:
{% if inventory_hostname in groups['masters'] and inventory_hostname not in groups['workers'] %}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you feel about adding labels on worker nodes with node-role.kubernetes.io/worker ?

@anthr76
Copy link
Member

anthr76 commented Feb 1, 2021

The SSH key being dropped is a known shared private key. This allows you to setup a group of vms with terraforms then provide ansible with a identity file. This allows us not having to share our personal SSH public keys on the readily available terraform.

Shown here:

k8s-cluster-installation/infrastructure/libvirt/ubuntu/x86-64/cloud_init.cfg

Line 25 in f062edf

- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2G7k0zGAjd+0LzhbPcGLkdJrJ/LbLrFxtXe+LPAkrphizfRxdZpSC7Dvr5Vewrkd/kfYObiDc6v23DHxzcilVC2HGLQUNeUer/YE1mL4lnXC1M3cb4eU+vJ/Gyr9XVOOReDRDBCwouaL7IzgYNCsm0O5v2z/w9ugnRLryUY180/oIGeE/aOI1HRh6YOsIn7R3Rv55y8CYSqsbmlHWiDC6iZICZtvYLYmUmCgPX2Fg2eT+aRbAStUcUERm8h246fs1KxywdHHI/6o3E1NNIPIQ0LdzIn5aWvTCd6D511L4rf/k5zbdw/Gql0AygHBR/wnngB5gSDERLKfigzeIlCKf Unsafe Shared Key

We can drop it if we want but it makes provisioning quick and easy. It's not unsafe to persist this in the repo as this keypair is only designed for building up local vms and is no longer used after they're torn down

@xunholy
Copy link
Member

xunholy commented Jul 25, 2021

We'll need to update this with the new control-plane/node PR to remove master/worker logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xunholy xunholy xunholy left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rkage @anthr76 @xunholy