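# Kubernetes bootstrap token for kubelet TLS bootstrapping, plus the RBAC
# bindings that let bootstrapping nodes submit CSRs and have them approved
# automatically (initial node client certificate and later self-renewals).
#
# Rotation model: `time_rotating` rotates every `bootstrap_token_rotation_days`.
# Both `random_password` resources key on its id via `keepers`, so a rotation
# regenerates the token id and secret (and therefore the Secret's name) instead
# of only pushing out the expiration of the same, unchanged token. Each token is
# valid for `bootstrap_token_validity_days` from the rotation base, which leaves
# slack for a delayed `terraform apply` before the current token expires.
#
# Handling note: the token id and secret live in Terraform state (the random
# results are marked sensitive, but state is not encrypted by the provider), and
# together they are a credential that lets a holder join a node to the cluster.

locals {
  # How often the token id/secret are regenerated.
  bootstrap_token_rotation_days = 60

  # How long each generated token stays valid, counted from the rotation base.
  # Must exceed bootstrap_token_rotation_days, otherwise a token expires before
  # it is rotated.
  bootstrap_token_validity_days = 90
}

# Rotation clock. Its `id` is the RFC3339 base timestamp, which changes on every
# rotation and is what the keepers and the expiration below are derived from.
resource "time_rotating" "bootstrap_expiry_base" {
  rotation_days = local.bootstrap_token_rotation_days
}

# Bootstrap token id: Kubernetes requires [a-z0-9]{6}. With `upper` and
# `special` disabled the provider draws only from the lowercase and numeric sets.
resource "random_password" "bootstrap_token_id" {
  length  = 6
  special = false
  upper   = false

  # Regenerate whenever the rotation base changes.
  keepers = {
    rotation = time_rotating.bootstrap_expiry_base.id
  }
}

# Bootstrap token secret: Kubernetes requires [a-z0-9]{16}.
resource "random_password" "bootstrap_token_secret" {
  length  = 16
  special = false
  upper   = false

  # Regenerate whenever the rotation base changes.
  keepers = {
    rotation = time_rotating.bootstrap_expiry_base.id
  }
}

# The token itself. A rotation changes the id and hence the Secret name, so the
# old Secret is destroyed and a fresh one created; any join configuration must
# read the current values from this resource rather than caching them.
resource "kubernetes_secret" "bootstrap_token" {
  metadata {
    # Kubernetes requires the name to be exactly bootstrap-token-<token-id>.
    name      = "bootstrap-token-${random_password.bootstrap_token_id.result}"
    namespace = "kube-system"
  }

  type = "bootstrap.kubernetes.io/token"

  # The provider base64-encodes `data` values; supply them in plaintext here.
  data = {
    "token-id"                       = random_password.bootstrap_token_id.result
    "token-secret"                   = random_password.bootstrap_token_secret.result
    "usage-bootstrap-authentication" = "true"
    "usage-bootstrap-signing"        = "true"
    "auth-extra-groups"              = "system:bootstrappers:worker,system:bootstrappers:ingress"

    # RFC3339 timestamp; the token is rejected once this time has passed.
    "expiration" = timeadd(time_rotating.bootstrap_expiry_base.id, "${local.bootstrap_token_validity_days * 24}h")
  }
}

# Allow CSRs from bootstrapping nodes (authenticated via the token above) to be
# approved automatically for the initial node client certificate.
resource "kubernetes_cluster_role_binding" "auto_approve_node_csrs" {
  metadata {
    name = "auto-approve-csrs-for-nodes"
  }

  subject {
    kind      = "Group"
    name      = "system:bootstrappers"
    api_group = "rbac.authorization.k8s.io"
  }

  role_ref {
    kind      = "ClusterRole"
    name      = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
    api_group = "rbac.authorization.k8s.io"
  }
}

# Allow already-joined nodes to have renewals of their own client certificate
# approved automatically.
resource "kubernetes_cluster_role_binding" "auto_approve_node_renewals" {
  metadata {
    name = "auto-approve-renewals-for-nodes"
  }

  subject {
    kind      = "Group"
    name      = "system:nodes"
    api_group = "rbac.authorization.k8s.io"
  }

  role_ref {
    kind      = "ClusterRole"
    name      = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
    api_group = "rbac.authorization.k8s.io"
  }
}

# Allow bootstrapping nodes to create CSRs in the first place.
resource "kubernetes_cluster_role_binding" "nodes_create_csrs" {
  metadata {
    name = "create-csrs-for-node-bootstrappers"
  }

  subject {
    kind      = "Group"
    name      = "system:bootstrappers"
    api_group = "rbac.authorization.k8s.io"
  }

  role_ref {
    kind      = "ClusterRole"
    name      = "system:node-bootstrapper"
    api_group = "rbac.authorization.k8s.io"
  }
}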