From 524949c8e5ef1641ac73e87157888dfa674f8004 Mon Sep 17 00:00:00 2001
From: Nemo <me@captnemo.in>
Date: Sun, 13 Jan 2019 04:15:12 +0530
Subject: [PATCH] [k8s] Run etcd with bootkube generated certs

---
 modules/etcd/main.tf | 56 +++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 41 insertions(+), 15 deletions(-)

diff --git a/modules/etcd/main.tf b/modules/etcd/main.tf
index 26aa193..af677c2 100644
--- a/modules/etcd/main.tf
+++ a/modules/etcd/main.tf
@@ -8,12 +8,39 @@
     host   = ""
   }
 
-  networks = ["${docker_network.etcd.id}"]
-
   volumes = [
     {
       host_path      = "${var.data_dir}"
       container_path = "/etcd-data"
+    },
+    {
+      host_path      = "${var.bootkube_asset_dir}/tls/etcd-client.crt"
+      container_path = "/etc/etcd-client.crt"
+    },
+    {
+      host_path      = "${var.bootkube_asset_dir}/tls/etcd-client.key"
+      container_path = "/etc/etcd-client.key"
+    },
+    {
+      host_path      = "${var.bootkube_asset_dir}/tls/etcd-client-ca.crt"
+      container_path = "/etc/etcd-client-ca.crt"
+    },
+    {
+      host_path      = "${var.bootkube_asset_dir}/tls/etcd"
+      container_path = "/etc/ssl/certs/etcd"
+    },
+  ]
+
+  ports = [
+    {
+      internal = 2379
+      external = 2379
+      ip       = "${var.host_ip}"
+    },
+    {
+      internal = 2380
+      external = 2380
+      ip       = "${var.host_ip}"
     },
   ]
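Review bot: The new volume entries mount private key material (`etcd-client.key` and the whole `${var.bootkube_asset_dir}/tls/etcd` directory, which the second hunk shows holds `server.key` and `peer.key`) into the container without `read_only = true`, so a process in the container can modify or replace the host's bootkube-generated keys and CA files. Adding `read_only = true` to each of the four new TLS mounts keeps the container from writing back to the asset directory. The `/etc/etcd-client.crt`, `/etc/etcd-client.key` and `/etc/etcd-client-ca.crt` mounts are not referenced by any flag in the etcd command in the second hunk; if they are only for interactive etcdctl use, a comment on that block saying so would help, otherwise they appear unused. The enclosing `docker_container` resource starts before this hunk.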
 
@@ -21,18 +48,17 @@
     "/usr/local/bin/etcd",
     "--data-dir=/etcd-data",
     "--name=${var.node_name}",
-    "--advertise-client-urls=http://${var.host_ip}:2379",
-    "--initial-advertise-peer-urls=http://${var.host_ip}:2380",
-    "--initial-cluster=${var.node_name}=http://${var.host_ip}:2380",
+    "--advertise-client-urls=https://${var.host_ip}:2379",
+    "--initial-advertise-peer-urls=https://${var.host_ip}:2380",
+    "--initial-cluster=${var.node_name}=https://${var.host_ip}:2380",
+    "--listen-client-urls=https://0.0.0.0:2379",
+    "--listen-peer-urls=https://0.0.0.0:2380",
+    "--trusted-ca-file=/etc/ssl/certs/etcd/server-ca.crt",
+    "--cert-file=/etc/ssl/certs/etcd/server.crt",
+    "--key-file=/etc/ssl/certs/etcd/server.key",
+    "--client-cert-auth=true",
+    "--peer-trusted-ca-file=/etc/ssl/certs/etcd/peer-ca.crt",
+    "--peer-cert-file=/etc/ssl/certs/etcd/peer.crt",
+    "--peer-key-file=/etc/ssl/certs/etcd/peer.key",
   ]
-}
-
-resource "docker_network" "etcd" {
-  name   = "etcd"
-  driver = "bridge"
-
-  ipam_config {
-    subnet  = "10.10.10.0/25"
-    gateway = "10.10.10.1"
-  }
 }
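Review bot: The peer listener gets `--peer-trusted-ca-file`, `--peer-cert-file` and `--peer-key-file` but not `--peer-client-cert-auth=true`, so unlike the client port (which has `--client-cert-auth=true`) the TLS peer endpoint on 2380 does not require connecting peers to present a certificate signed by `peer-ca.crt`; add `"--peer-client-cert-auth=true",` after the `--peer-key-file` line. Since `--initial-cluster` lists only `${var.node_name}`, this looks like a single-member cluster, in which case publishing 2380 on `${var.host_ip}` in the first hunk may not be needed at all; if multi-node is planned, a comment stating that would make the port mapping intentional. The command list starts before this hunk.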
--
rgit 0.1.5