Terraform Ignition modules for bootstrapping a Kubernetes cluster ☸.


Terraform Kubernetes Ignition module

A Terraform Ignition module to bootstrap a Kubernetes cluster with CoreOS Container Linux/Flatcar Container Linux/Fedora CoreOS.

This repo also contains the following submodules:


  • Kubernetes v1.19.0+.
  • Supports AWS VPC CNI or flannel networking.
  • RBAC enabled, audit logging, and etcd data encryption.


Usage example

The following block shows how to use this module to bootstrap a cluster:

// Kubernetes bootstrap tokens have the form <6-char id>.<16-char secret>.
// 3 and 8 random bytes hex-encode to exactly those lengths.
resource "random_id" "bootstrap_token_id" {
  byte_length = 3
}

resource "random_id" "bootstrap_token_secret" {
  byte_length = 8
}

// Value for the module's encryption_secret input.
// Note: results of random_* resources are stored in the Terraform state.
resource "random_password" "encryption_secret" {
  length  = 32
  special = true
}

module "ignition_kubernetes" {
  source = "git::ssh://git@github.com/getamis/terraform-ignition-kubernetes"

  // Fill in the values for your environment.
  service_network_cidr = ""
  pod_network_cidr     = ""
  network_plugin       = "flannel"
  internal_endpoint    = ""
  etcd_endpoints       = ""
  encryption_secret    = random_password.encryption_secret.result

  tls_bootstrap_token = {
    id     = random_id.bootstrap_token_id.hex
    secret = random_id.bootstrap_token_secret.hex
  }

  // Create certs through
  certs = {
    etcd_ca_cert = module.etcd_cert.cert_pem

    ca_cert                       = module.kubernetes_ca.cert_pem
    ca_key                        = module.kubernetes_ca.private_key_pem
    admin_cert                    = module.admin_cert.cert_pem
    admin_key                     = module.admin_cert.private_key_pem
    apiserver_cert                = module.apiserver_cert.cert_pem
    apiserver_key                 = module.apiserver_cert.private_key_pem
    apiserver_kubelet_client_cert = module.apiserver_kubelet_client_cert.cert_pem
    apiserver_kubelet_client_key  = module.apiserver_kubelet_client_cert.private_key_pem
    apiserver_etcd_client_cert    = module.apiserver_etcd_client_cert.cert_pem
    apiserver_etcd_client_key     = module.apiserver_etcd_client_cert.private_key_pem
    controller_manager_cert       = module.controller_manager_cert.cert_pem
    controller_manager_key        = module.controller_manager_cert.private_key_pem
    scheduler_cert                = module.scheduler_cert.cert_pem
    scheduler_key                 = module.scheduler_cert.private_key_pem
    front_proxy_ca_cert           = module.front_proxy_ca.cert_pem
    front_proxy_ca_key            = module.front_proxy_ca.private_key_pem
    front_proxy_client_cert       = module.front_proxy_client_cert.cert_pem
    front_proxy_client_key        = module.front_proxy_client_cert.private_key_pem
    sa_pub                        = module.service_account.public_key_pem
    sa_key                        = module.service_account.private_key_pem
  }
}

See variables/ for the detailed variable inputs and outputs.


There are several ways to contribute to this project:

  1. Find a bug: create an issue in our GitHub issue tracker.
  2. Fix a bug: check our issue tracker, leave comments, and send us a pull request with the fix.
  3. Make a new feature: leave your idea in the issue tracker, discuss it with us, then send a pull request!


This project is licensed under the Apache 2.0 License - see the LICENSE file for details.