# RKE-provisioned Kubernetes cluster (terraform-provider-rke) that hosts Rancher.
# Three nodes each carry every role, so control plane, etcd quorum and workloads
# share the same hosts; losing two nodes loses etcd quorum.
resource rke_cluster "rancher_cluster" {
  # Node addresses are placeholders ("10.x.x.x") and must be replaced before
  # apply. All nodes share one SSH user and the key given in ssh_key_path.
  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube01"
  }
  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube02"
  }
  nodes {
    address           = "10.x.x.x"
    user              = var.node_username
    role              = ["controlplane", "worker", "etcd"]
    hostname_override = "kube03"
  }
  # x509 client-certificate authentication. The admin URL and IP are added as
  # SANs to the generated API server certificate so clients can reach the API
  # under either name without certificate errors.
  authentication {
    strategy = "x509"
    sans = [
      var.rancher_admin_url,
      var.rancher_admin_ip,
    ]
  }
  # Default registry for the system images RKE pulls. The password arrives via a
  # Terraform variable and is therefore recorded in Terraform state; protect the
  # state backend and keep the variable out of plan/apply output.
  private_registries {
    url        = var.docker_registry_url
    user       = var.docker_registry_user
    password   = var.docker_registry_password
    is_default = true
  }
  ssh_key_path = var.ssh_key_file_name
  services {
    etcd {
      # Run etcd as a dedicated, non-root uid/gid inside its container.
      gid = "52034"
      uid = "52034"
      extra_args = {
        "data-dir" = "/var/lib/rancher/etcd/data/"
        "wal-dir"  = "/var/lib/rancher/etcd/wal/wal_dir"
        # Timings are 5x etcd's defaults (1000 ms election, 100 ms heartbeat);
        # presumably tuned for slow disks or links — verify before reusing.
        "election-timeout"   = "5000"
        "heartbeat-interval" = "500"
        # NOTE(review): the metrics endpoint is plain HTTP, unauthenticated,
        # and bound to every interface. Restrict it with host firewalling or
        # bind it to a management interface if nodes sit on a shared network.
        "listen-metrics-urls" = "http://0.0.0.0:2381"
      }
      # Host directories backing the container paths named in data-dir and
      # wal-dir above (wal_dir lives inside the bound /var/lib/rancher/etcd/wal).
      extra_binds = [
        "/var/lib/etcd/data:/var/lib/rancher/etcd/data",
        "/var/lib/etcd/wal:/var/lib/rancher/etcd/wal",
      ]
    }
    kubelet {
      extra_args = {
        # Feature gates are release-specific; gates that have been removed in
        # the Kubernetes version RKE deploys can keep the kubelet from starting
        # — TODO confirm against the target version.
        "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true,RotateKubeletServerCertificate=true",
        # CIS hardening: the kubelet refuses to start if kernel tunables differ
        # from its expected defaults instead of silently changing them.
        "protect-kernel-defaults" = true,
        # CIS-style cipher list. The trailing TLS_RSA_* suites use RSA key
        # exchange and so lack forward secrecy; drop them once no client
        # depends on them.
        "tls-cipher-suites" = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
      }
      cluster_domain = var.cluster_domain
    }
    kube_controller {
      extra_args = {
        # Pairs with the kubelet gate of the same name so the controller manager
        # will approve rotated kubelet serving certificates.
        "feature-gates" = "RotateKubeletServerCertificate=true"
      }
    }
    kube_api {
      extra_args = {
        # Same version caveat as the kubelet gates above.
        "feature-gates" = "VolumeSnapshotDataSource=true,CSIDriverRegistry=true",
      }
      # Encrypt Secrets at rest in etcd using the provider config RKE generates.
      secrets_encryption_config {
        enabled = true
      }
      # Enables the EventRateLimit admission plugin (CIS recommendation).
      event_rate_limit {
        enabled = true
      }
      # Turns on the PodSecurityPolicy admission controller. The policies and the
      # RBAC that let workloads use them are delivered through `addons` below.
      # PSP is removed in Kubernetes 1.25, so this needs replacing before an
      # upgrade past 1.24.
      pod_security_policy = true
      audit_log {
        enabled = true
        configuration {
          max_age    = 5
          max_backup = 5
          max_size   = 100
          # "-" sends the audit log to kube-apiserver's stdout rather than a
          # file, so the rotation settings above likely have no effect here;
          # collect the container logs centrally instead.
          path   = "-"
          format = "json"
          # Audit policy lives in a separate file in this module.
          policy = file("${path.module}/files/auditlog_policy.json")
        }
      }
    }
  }
  network {
    plugin = "canal"
  }
  # Manifests applied once the cluster is up. For each of ingress-nginx,
  # cattle-system and cert-manager, a Role + RoleBinding lets any authenticated
  # user or service account `use` the `default-psp` (not defined here; RKE
  # creates it alongside pod_security_policy) inside that namespace. Everything
  # else falls under the cluster-wide `psp:restricted` binding, which grants
  # the non-root, non-privileged `restricted` PSP to all authenticated subjects.
  # NOTE(review): the Role rules reference the `extensions` API group while the
  # PSP itself is declared under policy/v1beta1; on releases that no longer
  # honour the legacy group for the `use` verb these rules need `policy`
  # instead — confirm against the target version.
  addons = <<EOL
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-psp-role
  namespace: ingress-nginx
rules:
- apiGroups:
  - extensions
  resourceNames:
  - default-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-psp-rolebinding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-psp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-psp-role
  namespace: cattle-system
rules:
- apiGroups:
  - extensions
  resourceNames:
  - default-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-psp-rolebinding
  namespace: cattle-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-psp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: default-psp-role
  namespace: cert-manager
rules:
- apiGroups:
  - extensions
  resourceNames:
  - default-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-psp-rolebinding
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: default-psp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  requiredDropCapabilities:
  - NET_RAW
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - emptyDir
  - secret
  - persistentVolumeClaim
  - downwardAPI
  - configMap
  - projected
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted
rules:
- apiGroups:
  - extensions
  resourceNames:
  - restricted
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:restricted
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
EOL
}