MVP

[blurrcat]

• [x] reuse terraform community modules to setup basic vpc
• [x] create tls artifacts with terraform tls provider
• [ ] generate cloudconfig for the controller
  • [x] tls artifacts
  • [x] launch CoreOS system services: etcd, flannel
  • [x] launch kube-controller components: kubelet, apiserver, kube-proxy, scheduler, controller-manager
  • [x] launch kube-addons: SkyDNS, dashboard
• [ ] generate cloudconfig for the workers
  • [x] tls artifacts
  • [x] launch kube-worker components: kubelet, kube-proxy, kubeconfig
• [x] provision instance profiles for kube-controller: grant access to ec2 and elb
• [x] provision instance profiles for kube-worker: grant access to ebs volumes

  PKI

Use terraform tls provider to manage certificates.

etcd

Use one instance for now. In the future, we might let the etcd instances auto-join a cluster.

networking

No need for calico. Generally assume the internal network is safe.

Expected Outcome

Artifacts:

• tls artifacts: ca, worker, admin
• terraform modules: make every part modular - for example, the generation of cloudconfig should only care about the services, it does not know how the vpc is structured exactly.

[blurrcat]

blocked by

• https://github.com/hashicorp/terraform/pull/9035: csr is generated every time terraform applies, which forces re-creation of stream resources.
• https://github.com/hashicorp/terraform/pull/3858: without gzip, controller user-data hits size limit. template_cloudinit_config does not help here since CoreOS does not support multi-part cloud-init config.