oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Improve base deployment and pki handling

Browse Source
This commit is contained in:
Jonas Juselius
2020-02-27 15:42:16 +01:00
parent 8846047f04
commit 1257542e46
5 changed files with 135 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
lib/base.nix Normal file
View File

@@ -0,0 +1,63 @@
{ pkgs, lib, settings, here ? "", ...}:
with lib;
rec {
pki = import ./pki.nix { inherit pkgs; ca = settings.initca; };
baseNixos = name: {
users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys;
boot.kernel.sysctl = {
"kernel.mm.transparent_hugepage.enabled" = "never";
"net.core.somaxconn" = "512";
};
imports = [
./nixos/configuration.nix
(here + "/${name}.nix")
];
security.pki.certificateFiles = [
pki.ca.cert
];
networking = {
hostName = name;
extraHosts = settings.clusterHosts;
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ];
};
environment.systemPackages = with pkgs; [
nfs-utils
];
};
hostCerts =
builtins.foldl'
(a: x: a // { ${x.name} = pki.gencert {
cn = x.name;
ca = x.ca;
o = settings.clusterName;
};
}) {} settings.hosts;
mkHost = host: self:
{
deployment.targetHost = host.address;
require = [
(baseNixos host.name)
];
};
baseDeployment = attrs:
let
hosts =
builtins.foldl'
(a: x: a // { ${x.name} = mkHost x _; }) {} settings.hosts;
hosts' = lib.recursiveUpdate hosts attrs;
names = builtins.attrNames hosts;
in
builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
}

16
lib/initca.nix
View File

@@ -1,18 +1,18 @@
{ pkgs ? import <nixpkgs> {}, initca ? "", ...}: { pkgs ? import <nixpkgs> {}, ca ? "", name ? "ca", ...}:
with pkgs; with pkgs;
let let
initca' = ca' =
let let
ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON { ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
key = { key = {
algo = "rsa"; algo = "rsa";
size = 2048; size = 2048;
}; };
names = [ names = [
{ {
CN = "kubernetes-cluster-ca"; CN = "${name}";
O = "NixOS"; O = "NixOS";
OU = "services.kubernetes.pki.caSpec"; OU = "${name}.pki.caSpec";
L = "generated"; L = "generated";
} }
]; ];
@@ -22,12 +22,12 @@ let
buildInputs = [ pkgs.cfssl ]; buildInputs = [ pkgs.cfssl ];
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \ } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
mkdir -p $out; cp *.pem $out''; mkdir -p $out; cp *.pem $out'';
ca = if initca != "" then initca else initca'; initca = if ca != "" then ca else ca';
in in
# make ca derivation sha depend on initca cfssl output # make ca derivation sha depend on initca cfssl output
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "ca"; inherit name;
src = ca; src = initca;
buildCommand = '' buildCommand = ''
mkdir -p $out; mkdir -p $out;
cp -r $src/* $out cp -r $src/* $out

64
lib/k8s.nix
View File

@@ -1,11 +1,9 @@
{ pkgs, lib, settings, here ? "", ...}: { pkgs, lib, settings, here ? "", ...}:
with import ./base.nix { inherit pkgs lib settings here; };
with lib; with lib;
let let
apiserverAddress = "https://${masterAddress}:4443"; apiserverAddress = "https://${masterAddress}:4443";
masterAddress = settings.master.address; masterAddress = settings.master.address;
initca = settings.initca;
cluster-ca = import ./initca.nix { inherit pgks initca; };
cfssl-apitoken = cfssl-apitoken =
let let
@@ -47,7 +45,7 @@ let
export bash="${pkgs.bash}" export bash="${pkgs.bash}"
export apiserver="${settings.master.name}" export apiserver="${settings.master.name}"
export apiserverAddress="${settings.master.address}" export apiserverAddress="${settings.master.address}"
export initca="${initca}" export initca="${pki.initca}"
export cluster="${clusterName}" export cluster="${clusterName}"
export fileserver="${fileserver}" export fileserver="${fileserver}"
export acme_email="${acme_email}" export acme_email="${acme_email}"
@@ -89,8 +87,8 @@ let
''; '';
kubeMaster = { kubeMaster = {
services.cfssl.ca = "${cluster-ca}/ca.pem"; services.cfssl.ca = pki.ca.cert;
services.cfssl.caKey = "${cluster-ca}/ca-key.pem"; services.cfssl.caKey = pki.ca.key;
services.kubernetes = { services.kubernetes = {
roles = [ "master" ]; roles = [ "master" ];
inherit apiserverAddress; inherit apiserverAddress;
@@ -98,7 +96,7 @@ let
clusterCidr = settings.cidr; clusterCidr = settings.cidr;
pki.genCfsslCACert = false; pki.genCfsslCACert = false;
pki.genCfsslAPIToken = false; pki.genCfsslAPIToken = false;
pki.caCertPathPrefix = "${cluster-ca}/ca"; pki.caCertPathPrefix = "${pki.initca}";
kubelet = { kubelet = {
clusterDomain = "${settings.clusterName}.local"; clusterDomain = "${settings.clusterName}.local";
@@ -110,7 +108,7 @@ let
allowPrivileged = true; allowPrivileged = true;
securePort = 4443; securePort = 4443;
insecurePort = 8080; insecurePort = 8080;
extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem"; extraOpts = "--requestheader-client-ca-file ${pki.ca.cert}";
# verbosity = 4; # verbosity = 4;
}; };
@@ -195,42 +193,6 @@ let
}; };
}; };
baseNixos = name: {
users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys;
boot.kernel.sysctl = {
"kernel.mm.transparent_hugepage.enabled" = "never";
"net.core.somaxconn" = "512";
};
imports = [
./nixos/configuration.nix
(here + "/${name}.nix")
];
security.pki.certificateFiles = [
"${cluster-ca}/ca.pem"
];
# services.glusterfs = {
# enable = true;
# # tlsSettings = {
# # caCert = certs.ca.caFile;
# # tlsKeyPath = certs.self.keyFile;
# # tlsPem = certs.self.certFile;
# };
# };
networking = {
hostName = name;
extraHosts = settings.clusterHosts;
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ];
};
environment.systemPackages = with pkgs; [
nfs-utils
];
};
mkApiServer = host: self: mkApiServer = host: self:
{ {
deployment.targetHost = host.address; deployment.targetHost = host.address;
@@ -249,15 +211,9 @@ let
]; ];
}; };
mkHost = host: self:
{
deployment.targetHost = host.address;
require = [
(baseNixos host.name)
];
};
master = { "${settings.master.name}" = mkApiServer settings.master; }; master = { "${settings.master.name}" = mkApiServer settings.master; };
deployment = builtins.foldl' (a: x:
a // { "${x.name}" = mkWorker x; }) master settings.workers;
in in
builtins.foldl' deployment
(a: x: a // { "${x.name}" = mkWorker x; }) master settings.workers

2
lib/nixos

Submodule lib/nixos updated: 4425906c65...9d8148f272

179
lib/pki.nix
View File

@@ -1,5 +1,12 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs, ca ? "" }:
let let
initca = import ./initca.nix { inherit pkgs ca; };
ca' = {
key = "${initca}/ca-key.pem";
cert = "${initca}/ca.pem";
};
ca-config = pkgs.writeText "ca-config.json" '' ca-config = pkgs.writeText "ca-config.json" ''
{ {
"signing": { "signing": {
@@ -7,7 +14,7 @@ let
"expiry": "8760h" "expiry": "8760h"
}, },
"profiles": { "profiles": {
"kubernetes": { "default": {
"usages": [ "usages": [
"signing", "signing",
"key encipherment", "key encipherment",
@@ -21,135 +28,55 @@ let
} }
''; '';
csr = o: { gencsr = args:
key = {
algo = "rsa";
size = 2048;
};
names = [
{
CN = "kubernetes-cluster-ca";
O = "${o}";
OU = "services.kubernetes.pki.caSpec";
L = "generated";
}
];
};
gencsr = args: pkgs.writeText "${args.name}-csr.json" (builtins.toJSON {
CN = "${args.cn}";
hosts = [ "${args.hosts}" ];
} // csr args.o
);
initca' =
let let
ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" ( csr = {
builtins.toJSON (csr "NixOS") CN = "${args.cn}";
); key = {
algo = "rsa";
size = 2048;
};
names = [
{
CN = "${args.cn}";
O = "${args.o}";
OU = "${args.cn}.${args.o}.pki.caSpec";
L = "generated";
}
];
hosts = [ "${args.hosts}" ];
};
in in
pkgs.runCommand "initca" { pkgs.writeText "${args.cn}-csr.json" (builtins.toJSON csr);
buildInputs = [ pkgs.cfssl ]; in
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \ # Example usage:
mkdir -p $out; cp *.pem $out''; #
# gencert { cn = "test"; ca = ca; o = "test; };
# make ca derivation sha depend on initca cfssl output #
initca = pkgs.stdenv.mkDerivation { rec {
name = "ca"; inherit initca;
src = initca'; ca = ca';
buildCommand = '' gencert = attrs:
mkdir -p $out; let
cp -r $src/* $out conf = {
''; cn = attrs.cn;
}; ca = attrs.ca;
csr = gencsr { cn = attrs.cn; o = attrs.o; hosts = ""; };
ca = { };
key = "${initca}/ca-key.pem"; cfssl = conf:
cert = "${initca}/ca.pem"; ''
}; cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
-config=${ca-config} -profile=default ${conf.csr} | \
cfssl = conf: '' cfssljson -bare cert; \
cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \ mkdir -p $out; cp *.pem $out
-config=${ca-config} -profile=kubernetes ${conf.csr} | \ '';
cfssljson -bare cert; \ crt =
mkdir -p $out; cp *.pem $out pkgs.runCommand "${attrs.cn}" {
''; buildInputs = [ pkgs.cfssl ];
} (cfssl conf);
gencert = conf:
let crt =
pkgs.runCommand "${conf.name}" {
buildInputs = [ pkgs.cfssl ];
} (cfssl conf);
in in
{ {
key = "${crt}/cert-key.pem"; key = "${crt}/cert-key.pem";
cert = "${crt}/cert.pem"; cert = "${crt}/cert.pem";
}; };
trust = name: hosts:
let
hosts' = "\"${name}\", " + hosts;
in gencert rec {
inherit name;
csr = gencsr {
inherit name;
hosts = hosts';
cn = name;
o = name;
};
};
in
{
inherit ca;
admin = gencert rec {
name = "admin";
csr = gencsr {
inherit name;
cn = "admin";
o = "system:masters";
hosts = "";
};
};
apiserver = hosts:
gencert rec {
name = "kubernetes";
csr = gencsr {
inherit name hosts;
cn = "kubernetes";
o = "kubernetes";
};
};
etcd = hosts: gencert rec {
name = "etcd";
csr = gencsr {
inherit name hosts;
cn = "etcd";
o = "kubernetes";
};
};
kube-proxy = gencert rec {
name = "kube-proxy";
csr = gencsr {
inherit name;
cn = "system:kube-proxy";
o = "system:node-proxier";
hosts = "";
};
};
worker = instance:
gencert rec {
name = instance.name;
csr = gencsr {
inherit name;
cn = "system:node:${instance.name}";
o = "system:nodes";
hosts = ''"${instance.name}","${instance.ip}"'';
};
};
} }