
Add support for provisioning without logging in as root #49

Merged
merged 2 commits into from
Apr 28, 2021

Conversation

caleb-devops
Contributor

The k8s_ca_certificates_install provisioner now uses sudo to create the certificate. This enables a non-root user (with sudo permissions) to create this resource.

In addition to this change, a non-root user must set the following server flags to make the kube config file world readable:

```hcl
flags = ["--write-kubeconfig-mode '0644'"]
```

This assumes that the non-root user can sudo with no password.

Relates to: #42

@xunleii
Owner

xunleii commented Mar 1, 2021

Hi @caleb-devops,

Thanks for your contribution!
Unfortunately, I don't like using sudo for a module because it is not available by default on all OSes. However, in order to implement your workaround, we can create a new null_resource k8s_ca_certificates_install_noroot that will use sudo and should be enabled through a new variable. What do you think about that?

@caleb-devops
Contributor Author

What do you think of something like this for the k8s_ca_certificates_install provisioner?

```hcl
provisioner "remote-exec" {
  inline = [
    <<-EOT
    # --- use sudo if we are not already root ---
    # $0 is the script file remote-exec uploaded and is executing; when the
    # current uid is not 0, re-run that same script through sudo, feeding the
    # password on stdin (-S) so no TTY is needed.
    [ $(id -u) -eq 0 ] || exec sh -c "echo ${var.sudo_pass} | sudo -S $0 $@"

    mkdir -p /var/lib/rancher/k3s/server/tls/
    echo '${local.certificates_files[count.index].file_content}' > /var/lib/rancher/k3s/server/tls/${local.certificates_files[count.index].file_name}
    EOT
  ]
}
```

The sudo check could be added to every remote-exec provisioner to enable provisioning without root, and it would also support a sudo password. Sudo would not run if the user is already root.

@xunleii
Owner

xunleii commented Mar 2, 2021

I think it's better than before, but I prefer to avoid the password as a variable (even if in sensitive mode). Is passing the password mandatory?

@caleb-devops
Contributor Author

I updated my pull request to use sudo only if you are not already root. I removed the sudo password check, but this does now require that the user can sudo with no password.
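The approach the thread settles on (escalate only when not already root, and rely on passwordless sudo rather than a password variable) can be written as a stand-alone provisioning script. The example below is added here for illustration and is not code from this pull request or from the module; the script name `provision-cert.sh`, the function names, and the certificate content are assumptions. Unlike the inline snippet above, it probes `sudo -n` before re-executing so that a host where sudo is missing or would prompt for a password fails with a clear message instead of hanging the remote-exec session, and it writes the certificate through a temporary file created under `umask 077` so the file is never world readable, even briefly.

```shell
#!/bin/sh
# Added example (not part of the PR or the module): provisioning script that
# escalates with passwordless sudo only when not already root, then installs
# a CA certificate with restrictive permissions.
set -eu

# Re-exec this script under sudo when not running as root.
# `sudo -n` never prompts: if a password would be required it exits non-zero,
# so we abort with a message instead of blocking the remote-exec session.
escalate_if_needed() {
  if [ "$(id -u)" -eq 0 ]; then
    return 0
  fi
  if ! command -v sudo >/dev/null 2>&1; then
    echo "error: not root and sudo is not installed" >&2
    return 1
  fi
  if ! sudo -n true 2>/dev/null; then
    echo "error: sudo would prompt for a password; passwordless sudo is required" >&2
    return 1
  fi
  # $0 is the path of this script as uploaded by remote-exec.
  exec sudo -n sh "$0" "$@"
}

# Install a certificate file atomically with mode 0600.
# $1 = target directory, $2 = file name, $3 = PEM content
# printf is used instead of echo so the content is written verbatim even if
# it contains quotes or backslashes.
install_cert() {
  dir=$1; name=$2; content=$3
  mkdir -p "$dir"
  tmp="$dir/.$name.tmp"
  # Create the temp file under umask 077 so it is owner-only from the start.
  (umask 077; printf '%s\n' "$content" > "$tmp")
  chmod 0600 "$tmp"
  mv -f "$tmp" "$dir/$name"
}

# Octal mode of a file: GNU stat first, BSD stat as the fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

main() {
  escalate_if_needed "$@"
  # CERT_CONTENT is assumed to be exported by the caller (e.g. the provisioner).
  install_cert /var/lib/rancher/k3s/server/tls server-ca.crt "$CERT_CONTENT"
}

# Only run main when invoked under the assumed script name, so the functions
# can be sourced or tested without touching the real k3s directory.
case "${0##*/}" in
  provision-cert.sh) main "$@" ;;
esac
```

With this layout the `inline` list of a remote-exec provisioner only needs to export the certificate content and call the script; the escalation and the file permissions are the same whether the login user is root or a sudo-capable user.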

@caleb-devops
Contributor Author

caleb-devops commented Mar 13, 2021

Let me know if you need anything else for this. As this currently is, it meets my needs as I do not require a sudo pass in my homelab environment. If you do want to support sudo passwords, I think we would have to include that password as a Terraform variable as shown above.

@xunleii
Owner

xunleii commented Apr 18, 2021

Hi @caleb-devops, I will read your work this week and sorry for the latency.

Owner

@xunleii xunleii left a comment


Seems good to me :)
Thanks a lot for your contribution!

@xunleii xunleii merged commit 2d7819c into xunleii:master Apr 28, 2021
@fredleger

We tested it a lot yesterday and it seems to work like a charm! Thanks @caleb-devops!
Let's make a release to avoid pointing to git master ;-)

@xunleii
Owner

xunleii commented Apr 30, 2021

Yep, I'll do that this noon!
