Skip to content

Terraform Ignition modules for bootstrapping a Kubernetes cluster ☸.


Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit


Repository files navigation

Terraform test GitHub license

Terraform Kubernetes Ignition module

A terraform Ignition modules to bootstrap a Kubernetes cluster with CoreOS Container Linux/Flatcar Container Linux/Fedora CoreOS.

This repo also contains the following submodules:


  • Kubernetes v1.19.0+.
  • Supported AWS VPC CNI, or flannel networking.
  • RBAC-enabled, Audit log, and etcd data encryption.


Usage example

The following block is show you how to use this module for bootstrapping a cluster:

resource "random_id" "bootstrap_token_id" {
 byte_length = 3

resource "random_id" "bootstrap_token_secret" {
 byte_length = 8

resource "random_password" "encryption_secret" {
 length  = 32
 special = true

module "ignition_kubernetes" {
 source = "git::ssh://[email protected]/getamis/terraform-ignition-kubernetes"

 service_network_cidr = ""
 pod_network_cidr     = ""
 network_plugin       = "flannel"
 internal_endpoint    = ""
 etcd_endpoints       = ""
 encryption_secret    = random_password.encryption_secret.result

 tls_bootstrap_token = {
   id     = random_id.bootstrap_token_id.hex
   secret = random_id.bootstrap_token_secret.hex

 // Create certs through
 certs = {
   etcd_ca_cert = module.etcd_cert.cert_pem

   ca_cert                       = module.kubernetes_ca.cert_pem
   ca_key                        = module.kubernetes_ca.private_key_pem
   admin_cert                    = module.admin_cert.cert_pem
   admin_key                     = module.admin_cert.private_key_pem
   apiserver_cert                = module.apiserver_cert.cert_pem
   apiserver_key                 = module.apiserver_cert.private_key_pem
   apiserver_kubelet_client_cert = module.apiserver_kubelet_client_cert.cert_pem
   apiserver_kubelet_client_key  = module.apiserver_kubelet_client_cert.private_key_pem
   apiserver_etcd_client_cert    = module.apiserver_etcd_client_cert.cert_pem
   apiserver_etcd_client_key     = module.apiserver_etcd_client_cert.private_key_pem
   controller_manager_cert       = module.controller_manager_cert.cert_pem
   controller_manager_key        = module.controller_manager_cert.private_key_pem
   scheduler_cert                = module.scheduler_cert.cert_pem
   scheduler_key                 = module.scheduler_cert.private_key_pem
   front_proxy_ca_cert           = module.front_proxy_ca.cert_pem
   front_proxy_ca_key            = module.front_proxy_ca.private_key_pem
   front_proxy_client_cert       = module.front_proxy_client_cert.cert_pem
   front_proxy_client_key        = module.front_proxy_client_cert.private_key_pem
   sa_pub                        = module.service_account.public_key_pem
   sa_key                        = module.service_account.private_key_pem

See variables/ for the detail variable inputs and outputs.


There are several ways to contribute to this project:

  1. Find bug: create an issue in our Github issue tracker.
  2. Fix a bug: check our issue tracker, leave comments and send a pull request to us to fix a bug.
  3. Make new feature: leave your idea in the issue tracker and discuss with us then send a pull request!


This project is licensed under the Apache 2.0 License - see the LICENSE file for details.