Merge pull request #41 from bhegazy/tiller-listen-localhost

Add option tiller_listen_localhost to to disable listen localhost

Author: yorinasub17

.circleci/config.yml

@@ -8,7 +8,7 @@ defaults: &defaults
     KUBERGRUNT_VERSION: v0.5.1
     HELM_VERSION: v2.12.2
     MODULE_CI_VERSION: v0.14.1
-    TERRAFORM_VERSION: 0.12.1
+    TERRAFORM_VERSION: 0.12.9
     TERRAGRUNT_VERSION: NONE
     PACKER_VERSION: NONE
     GOLANG_VERSION: 1.11.2

examples/k8s-tiller-kubergrunt-minikube/main.tf

@@ -110,7 +110,7 @@ resource "null_resource" "wait_for_tiller" {
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 resource "null_resource" "grant_helm_access" {
-  count = var.configure_helm ? 1 : 0
+  count      = var.configure_helm ? 1 : 0
   depends_on = [null_resource.wait_for_tiller]
 
   provisioner "local-exec" {

modules/k8s-tiller/main.tf

@@ -87,13 +87,12 @@ resource "kubernetes_deployment" "tiller" {
           image_pull_policy = var.tiller_image_pull_policy
           command           = ["/tiller"]
 
-          args = [
+          args = concat([
             "--storage=secret",
-            "--listen=localhost:44134",
             "--tls-key=${local.tls_certs_mount_path}/${var.tiller_tls_key_file_name}",
             "--tls-cert=${local.tls_certs_mount_path}/${var.tiller_tls_cert_file_name}",
             "--tls-ca-cert=${local.tls_certs_mount_path}/${var.tiller_tls_cacert_file_name}",
-          ]
+          ], local.tiller_listen_localhost_arg)
 
           env {
             name  = "TILLER_NAMESPACE"
@@ -264,8 +263,8 @@ resource "null_resource" "tiller_tls_ca_certs" {
     # Use environment variables for Kubernetes credentials to avoid leaking into the logs
     environment = {
       KUBECTL_SERVER_ENDPOINT = var.kubectl_server_endpoint
-      KUBECTL_CA_DATA = var.kubectl_ca_b64_data
-      KUBECTL_TOKEN = var.kubectl_token
+      KUBECTL_CA_DATA         = var.kubectl_ca_b64_data
+      KUBECTL_TOKEN           = var.kubectl_token
     }
   }
 
@@ -318,8 +317,8 @@ resource "null_resource" "tiller_tls_certs" {
     # Use environment variables for Kubernetes credentials to avoid leaking into the logs
     environment = {
       KUBECTL_SERVER_ENDPOINT = var.kubectl_server_endpoint
-      KUBECTL_CA_DATA = var.kubectl_ca_b64_data
-      KUBECTL_TOKEN = var.kubectl_token
+      KUBECTL_CA_DATA         = var.kubectl_ca_b64_data
+      KUBECTL_TOKEN           = var.kubectl_token
     }
   }
 
@@ -430,6 +429,8 @@ locals {
   tiller_tls_ca_certs_secret_name = "${var.namespace}-namespace-tiller-ca-certs"
   tiller_tls_certs_secret_name    = "${var.namespace}-namespace-tiller-certs"
 
+  tiller_listen_localhost_arg = var.tiller_listen_localhost ? ["--listen=localhost:44134"] : []
+
   tls_algorithm_config = var.private_key_algorithm == "ECDSA" ? "--tls-private-key-ecdsa-curve ${var.private_key_ecdsa_curve}" : "--tls-private-key-rsa-bits ${var.private_key_rsa_bits}"
 
   kubergrunt_auth_params = <<-EOF

modules/k8s-tiller/variables.tf

@@ -88,6 +88,12 @@ variable "tiller_image_pull_policy" {
   default     = "IfNotPresent"
 }
 
+variable "tiller_listen_localhost" {
+  description = "If Enabled, Tiller will only listen on localhost within the container."
+  type        = bool
+  default     = true
+}
+
 variable "tiller_history_max" {
   description = "The maximum number of revisions saved per release. Use 0 for no limit."
   type        = number