kinvolk · ipochi · Feb 16, 2021 · Feb 16, 2021
diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/bootkube.tf b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/bootkube.tf
@@ -21,8 +21,8 @@ module "bootkube" {
   # Disable the self hosted kubelet.
   disable_self_hosted_kubelet = var.disable_self_hosted_kubelet
 
-  bootstrap_tokens     = var.enable_tls_bootstrap ? [local.controller_bootstrap_token, local.worker_bootstrap_token] : []
-  enable_tls_bootstrap = var.enable_tls_bootstrap
+  bootstrap_tokens     = [local.controller_bootstrap_token, local.worker_bootstrap_token]
+  enable_tls_bootstrap = true
   encrypt_pod_traffic  = var.encrypt_pod_traffic
 
   ignore_x509_cn_check = var.ignore_x509_cn_check

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/bootstrap-configs.tf b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/bootstrap-configs.tf
@@ -1,46 +1,38 @@
 locals {
-  controller_bootstrap_token = var.enable_tls_bootstrap ? {
-    token_id     = random_string.bootstrap_token_id_controller[0].result
-    token_secret = random_string.bootstrap_token_secret_controller[0].result
-  } : {}
-
-  worker_bootstrap_token = var.enable_tls_bootstrap ? {
-    token_id     = random_string.bootstrap_token_id_worker[0].result
-    token_secret = random_string.bootstrap_token_secret_worker[0].result
-  } : {}
+  controller_bootstrap_token = {
+    token_id     = random_string.bootstrap_token_id_controller.result
+    token_secret = random_string.bootstrap_token_secret_controller.result
+  }
+
+  worker_bootstrap_token = {
+    token_id     = random_string.bootstrap_token_id_worker.result
+    token_secret = random_string.bootstrap_token_secret_worker.result
+  }
 }
 
 # Generate a cryptographically random token id (public).
 resource "random_string" "bootstrap_token_id_controller" {
-  count = var.enable_tls_bootstrap == true ? 1 : 0
-
   length  = 6
   upper   = false
   special = false
 }
 
 # Generate a cryptographically random token secret.
 resource "random_string" "bootstrap_token_secret_controller" {
-  count = var.enable_tls_bootstrap == true ? 1 : 0
-
   length  = 16
   upper   = false
   special = false
 }
 
 # Generate a cryptographically random token id (public).
 resource "random_string" "bootstrap_token_id_worker" {
-  count = var.enable_tls_bootstrap == true ? 1 : 0
-
   length  = 6
   upper   = false
   special = false
 }
 
 # Generate a cryptographically random token secret.
 resource "random_string" "bootstrap_token_secret_worker" {
-  count = var.enable_tls_bootstrap == true ? 1 : 0
-
   length  = 16
   upper   = false
   special = false

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml.tmpl b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml.tmpl
@@ -106,13 +106,9 @@ systemd:
           --config=/etc/kubernetes/kubelet.config \
           --exit-on-lock-contention \
           --hostname-override=${domain_name} \
-          %{~ if enable_tls_bootstrap ~}
           --kubeconfig=/var/lib/kubelet/kubeconfig \
           --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
           --rotate-certificates \
-          %{~ else ~}
-          --kubeconfig=/etc/kubernetes/kubeconfig \
-          %{~ endif ~}
           --lock-file=/var/run/lock/kubelet.lock \
           --network-plugin=cni \
           --node-labels=$${NODE_LABELS} \

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml.tmpl b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml.tmpl
@@ -81,13 +81,9 @@ systemd:
           --config=/etc/kubernetes/kubelet.config \
           --exit-on-lock-contention \
           --hostname-override=${domain_name} \
-          %{~ if enable_tls_bootstrap ~}
           --kubeconfig=/var/lib/kubelet/kubeconfig \
           --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
           --rotate-certificates \
-          %{~ else ~}
-          --kubeconfig=/etc/kubernetes/kubeconfig \
-          %{~ endif ~}
           --lock-file=/var/run/lock/kubelet.lock \
           --network-plugin=cni \
           --node-labels=$${NODE_LABELS} \

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/profiles.tf b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/profiles.tf
@@ -100,7 +100,6 @@ data "ct_config" "controller-ignitions" {
     cluster_dns_service_ip = module.bootkube.cluster_dns_service_ip
     cluster_domain_suffix  = var.cluster_domain_suffix
     ssh_keys               = jsonencode(var.ssh_keys)
-    enable_tls_bootstrap   = var.enable_tls_bootstrap
   })
   pretty_print = false
 
@@ -126,7 +125,6 @@ data "ct_config" "worker-ignitions" {
     cluster_domain_suffix  = var.cluster_domain_suffix
     ssh_keys               = jsonencode(var.ssh_keys)
     kubelet_labels         = merge({ "node.kubernetes.io/node" = "" }, var.labels),
-    enable_tls_bootstrap   = var.enable_tls_bootstrap
   })
   pretty_print = false
 

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/ssh.tf b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/ssh.tf
@@ -18,12 +18,12 @@ resource "null_resource" "copy-controller-secrets" {
   }
 
   provisioner "file" {
-    content = var.enable_tls_bootstrap ? templatefile("${path.module}/cl/bootstrap-kubeconfig.yaml.tmpl", {
-      token_id     = random_string.bootstrap_token_id_controller[0].result
-      token_secret = random_string.bootstrap_token_secret_controller[0].result
+    content = templatefile("${path.module}/cl/bootstrap-kubeconfig.yaml.tmpl", {
+      token_id     = random_string.bootstrap_token_id_controller.result
+      token_secret = random_string.bootstrap_token_secret_controller.result
       ca_cert      = module.bootkube.ca_cert
       server       = "https://${var.k8s_domain_name}:6443"
-    }) : module.bootkube.kubeconfig-kubelet
+    })
     destination = "$HOME/kubeconfig"
   }
 
@@ -99,12 +99,12 @@ resource "null_resource" "copy-worker-secrets" {
   }
 
   provisioner "file" {
-    content = var.enable_tls_bootstrap ? templatefile("${path.module}/cl/bootstrap-kubeconfig.yaml.tmpl", {
-      token_id     = random_string.bootstrap_token_id_worker[0].result
-      token_secret = random_string.bootstrap_token_secret_worker[0].result
+    content = templatefile("${path.module}/cl/bootstrap-kubeconfig.yaml.tmpl", {
+      token_id     = random_string.bootstrap_token_id_worker.result
+      token_secret = random_string.bootstrap_token_secret_worker.result
       ca_cert      = module.bootkube.ca_cert
       server       = "https://${var.k8s_domain_name}:6443"
-    }) : module.bootkube.kubeconfig-kubelet
+    })
     destination = "$HOME/kubeconfig"
   }
 

diff --git a/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/variables.tf b/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/variables.tf
@@ -167,11 +167,6 @@ variable "disable_self_hosted_kubelet" {
   type        = bool
 }
 
-variable "enable_tls_bootstrap" {
-  description = "Enable TLS Bootstrap for Kubelet."
-  type        = bool
-}
-
 # Certificates
 
 variable "certs_validity_period_hours" {

diff --git a/docs/configuration-reference/platforms/baremetal.md b/docs/configuration-reference/platforms/baremetal.md
@@ -100,8 +100,6 @@ cluster "bare-metal" {
 
   os_channel = "stable"
 
-  enable_tls_bootstrap = true
-
   encrypt_pod_traffic = true
 
   conntrack_max_per_core = 32768
@@ -170,7 +168,6 @@ os_version = var.custom_default_os_version
 | `ssh_pubkeys`                     | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...".                                                                                                                                                                                                              | -                      | list(string) | true     |
 | `os_version`                      | Flatcar Container Linux version to install. Version such as "2303.3.1" or "current".                                                                                                                                                                                                                                                                                                      | "current"              | string       | false    |
 | `os_channel`                      | Flatcar Container Linux channel to install from ("stable", "beta", "alpha", "edge").                                                                                                                                                                                                                                                                                                      | "stable"               | string       | false    |
-| `enable_tls_bootstrap`            | Enable TLS bootstraping for Kubelet.                                                                                                                                                                                                                                                                                                                                                      | true                   | bool         | false    |
 | `encrypt_pod_traffic`             | Enable in-cluster pod traffic encryption. If true `network_mtu` is reduced by 60 to make room for the encryption header.                                                                                                                                                                                                                                                                  | false                  | bool         | false    |
 | `ignore_x509_cn_check`            | Ignore check of common name in x509 certificates. If any application is built pre golang 1.15 then API server rejects x509 from such application, enable this to get around apiserver.                                                                                                                                                                                                    | false                  | bool         | false    |
 | `install_to_smallest_disk`        | Installs Flatcar Container Linux to the smallest disk.                                                                                                                                                                                                                                                                                                                                    | false                  | bool         | false    |

diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
diff --git a/pkg/platform/baremetal/baremetal.go b/pkg/platform/baremetal/baremetal.go
@@ -53,7 +53,6 @@ type config struct {
 	WorkerDomains                []string            `hcl:"worker_domains"`
 	Labels                       map[string]string   `hcl:"labels,optional"`
 	OIDC                         *oidc.Config        `hcl:"oidc,block"`
-	EnableTLSBootstrap           bool                `hcl:"enable_tls_bootstrap,optional"`
 	EncryptPodTraffic            bool                `hcl:"encrypt_pod_traffic,optional"`
 	IgnoreX509CNCheck            bool                `hcl:"ignore_x509_cn_check,optional"`
 	ConntrackMaxPerCore          int                 `hcl:"conntrack_max_per_core,optional"`
@@ -97,7 +96,6 @@ func NewConfig() *config {
 		CachedInstall:                "false",
 		OSChannel:                    "stable",
 		OSVersion:                    "current",
-		EnableTLSBootstrap:           true,
 		NetworkMTU:                   platform.NetworkMTU,
 		ConntrackMaxPerCore:          platform.ConntrackMaxPerCore,
 		DownloadProtocol:             "https",
@@ -223,7 +221,6 @@ func createTerraformConfigFile(cfg *config, terraformPath string) error {
 		DisableSelfHostedKubelet     bool
 		KubeAPIServerExtraFlags      []string
 		Labels                       map[string]string
-		EnableTLSBootstrap           bool
 		EncryptPodTraffic            bool
 		IgnoreX509CNCheck            bool
 		ConntrackMaxPerCore          int
@@ -255,7 +252,6 @@ func createTerraformConfigFile(cfg *config, terraformPath string) error {
 		DisableSelfHostedKubelet:     cfg.DisableSelfHostedKubelet,
 		KubeAPIServerExtraFlags:      cfg.KubeAPIServerExtraFlags,
 		Labels:                       cfg.Labels,
-		EnableTLSBootstrap:           cfg.EnableTLSBootstrap,
 		EncryptPodTraffic:            cfg.EncryptPodTraffic,
 		IgnoreX509CNCheck:            cfg.IgnoreX509CNCheck,
 		ConntrackMaxPerCore:          cfg.ConntrackMaxPerCore,

diff --git a/pkg/platform/baremetal/template.go b/pkg/platform/baremetal/template.go
@@ -27,9 +27,6 @@ module "bare-metal-{{.ClusterName}}" {
   # Disable self hosted kubelet
   disable_self_hosted_kubelet = {{ .DisableSelfHostedKubelet }}
 
-  # Enable TLS Bootstrap
-  enable_tls_bootstrap = {{ .EnableTLSBootstrap }}
-
   {{- if .EncryptPodTraffic }}
   encrypt_pod_traffic = {{ .EncryptPodTraffic }}
   {{- end }}