Add support for provisioning without logging in as root #49
Hi @caleb-devops, thanks for your contribution!
What do you think of something like this for the k8s_ca_certificates_install provisioner?
The sudo check could be added to every remote-exec provisioner to enable provisioning without root and it would also support a sudo password. Sudo would not run if the user is already root.
I think it's better than before, but I prefer to avoid the password as a variable (even if in sensitive mode). Is passing the password mandatory?
I updated my pull request to use sudo only if you are not already root. I removed the sudo password check, but this does now require that the user can sudo with no password.
Let me know if you need anything else for this. As this currently is, it meets my needs as I do not require a sudo pass in my homelab environment. If you do want to support sudo passwords, I think we would have to include that password as a Terraform variable as shown above.
Hi @caleb-devops, I will read your work this week and sorry for the latency.
Seems good to me :)
Thanks a lot for your contribution
We tested it a lot yesterday and it seems to work like a charm! Thanks @caleb-devops!
Yep, I'll do that this noon!
The k8s_ca_certificates_install provisioner now uses sudo to create the certificate. This enables a non-root user (with sudo permissions) to create this resource.
In addition to this change, a non-root user must set the following server flags to make the kube config file world readable:
flags = ["--write-kubeconfig-mode '0644'"]
This assumes that the non-root user can sudo with no password.
Relates to: #42
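The "sudo only if not already root, passwordless sudo required" behaviour discussed in this thread can be sketched as follows. This is an added example, not the code from the pull request or the module; the function names `priv_prefix` and `run_privileged` and the two optional arguments (used only to make the logic testable) are assumptions.

```shell
#!/bin/sh
# Added example (not the module's own code).
#
# priv_prefix [uid] [probe-command]
#   Prints the prefix to put in front of privileged commands:
#     - nothing    when the caller is already root
#     - "sudo -n"  when passwordless sudo works
#   and returns 1 when sudo would need a password.
#   Both arguments are hypothetical test hooks; in normal use they
#   default to the real uid and a real non-interactive sudo probe.
priv_prefix() {
    uid="${1:-$(id -u)}"
    probe="${2:-sudo -n true}"

    # Already root: sudo is unnecessary and may not even be installed.
    if [ "$uid" -eq 0 ]; then
        return 0
    fi

    # -n makes sudo fail immediately instead of prompting, so a
    # non-interactive provisioner errors out rather than hanging.
    if $probe >/dev/null 2>&1; then
        printf '%s' 'sudo -n'
        return 0
    fi

    echo "error: uid $uid is not root and cannot sudo without a password" >&2
    return 1
}

# run_privileged cmd [args...]
#   Runs the command directly as root, or through "sudo -n" otherwise.
run_privileged() {
    prefix="$(priv_prefix)" || return 1
    # $prefix is intentionally unquoted: it is either empty or "sudo -n".
    $prefix "$@"
}
```

Failing fast on a password prompt keeps the sudo password out of Terraform variables and state, which is the trade-off the thread settled on.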