oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Manage certificates using nix.

Browse Source
This commit is contained in:
Jonas Juselius
2017-07-11 13:27:14 +02:00
parent 1a4f1c0da0
commit 153cb55b6d
8 changed files with 113 additions and 259 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
k8s.nix
View File

@@ -1,27 +1,77 @@
with import ./base/pki.nix;
let
etcdConfig = name: {
server-cert = mkCert {
name = "kubernetes";
csr = csr {
cn = "kubernetes";
hosts = ''"kubernetes", "k8s0-0", "10.253.18.100"'';
};
profile = "server";
};
etcd0-cert = mkCert {
name = "etcd0";
csr = csr {
cn = "etcd0";
hosts = ''"etcd0", "10.253.18.100"'';
};
profile = "peer";
};
etcd1-cert = mkCert {
name = "etcd1";
csr = csr {
cn = "etcd1";
hosts = ''"etcd1", "10.253.18.101"'';
};
profile = "peer";
};
client-cert = mkCert {
name = "client";
csr = csr {
cn = "client";
hosts = '''';
};
profile = "client";
};
server_key = "${server-cert}/cert-key.pem";
server_cert = "${server-cert}/cert.pem";
etcd0_key = "${etcd0-cert}/cert-key.pem";
etcd0_cert = "${etcd0-cert}/cert.pem";
etcd1_key = "${etcd1-cert}/cert-key.pem";
etcd1_cert = "${etcd1-cert}/cert.pem";
client_key = "${client-cert}/cert-key.pem";
client_cert = "${client-cert}/cert.pem";
etcdCluster = [
"etcd0=https://etcd0:2380"
"etcd1=https://etcd1:2380"
];
etcdConfig = etcd: {
services.etcd = {
inherit name;
enable = true;
listenClientUrls = ["https://0.0.0.0:2379"];
listenPeerUrls = ["https://0.0.0.0:2380"];
peerClientCertAuth = true;
certFile = ./pki + "/${name}.pem";
keyFile = ./pki + "/${name}-key.pem";
trustedCaFile = ./pki/ca.pem;
advertiseClientUrls = [ "https://${name}:2379" ];
initialAdvertisePeerUrls = [ "https://${name}:2380" ];
initialCluster = [
"etcd0=https://etcd0:2380"
"etcd1=https://etcd1:2380"
];
keyFile = "${etcd.key}";
certFile = "${etcd.cert}";
trustedCaFile = "${ca_cert}";
advertiseClientUrls = [ "https://${etcd.name}:2379" ];
initialAdvertisePeerUrls = [ "https://${etcd.name}:2380" ];
initialCluster = etcdCluster;
};
environment.variables = {
ETCDCTL_KEY_FILE = "${etcd.key}";
ETCDCTL_CERT_FILE = "${etcd.cert}";
ETCDCTL_CA_FILE = "${ca_cert}";
ETCDCTL_PEERS = "https://127.0.0.1:2379";
};
# environment.variables = {
# ETCDCTL_CERT_FILE = ./pki + "/${name}.pem";
# ETCDCTL_KEY_FILE = ./pki + "/${name}-key.pem";
# ETCDCTL_CA_FILE = ./pki/ca.pem;
# ETCDCTL_PEERS = "https://127.0.0.1:2379";
# };
networking.firewall.allowedTCPPorts = [ 2379 2380 ];
};
@@ -32,9 +82,9 @@ let
iface = "enp2s0";
etcd = {
endpoints = [ "https://etcd0:2379" "https://etcd1:2379" ];
caFile = ./pki/ca.pem;
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
caFile = "${ca_cert}";
keyFile = "${client_key}";
certFile = "${client_cert}";
};
};
};
@@ -43,16 +93,19 @@ let
require = [ flannelConfig ];
networking.firewall.allowedUDPPorts = [ 8472 ]; # VXLAN
networking.firewall.allowedTCPPorts = [ 10250 ];
systemd.services.docker.after = [ "flannel.service" ];
systemd.services.docker.serviceConfig.EnvironmentFile = "/run/flannel/subnet.env";
virtualisation.docker.extraOptions = "--iptables=false --ip-masq=false --bip $FLANNEL_SUBNET";
# services.kubernetes.verbose = true;
systemd.services.docker = {
after = [ "flannel.service" ];
serviceConfig.EnvironmentFile = "/run/flannel/subnet.env";
};
virtualisation.docker.extraOptions =
"--iptables=false --ip-masq=false --bip $FLANNEL_SUBNET";
services.kubernetes.etcd = {
servers = [ "https://etcd0:2379" "https://etcd1:2379" ];
caFile = ./pki/ca.pem;
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
caFile = "${ca_cert}";
keyFile = "${client_key}";
certFile = "${client_cert}";
};
# services.kubernetes.verbose = true;
};
kubeNode = {
@@ -60,13 +113,14 @@ let
roles = [ "node" ];
kubeconfig = {
server = "https://kubernetes:443";
caFile = ./pki/ca.pem;
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
caFile = "${ca_cert}";
keyFile = "${client_key}";
certFile = "${client_cert}";
};
kubelet = {
tlsCertFile = ./pki/client.pem;
tlsKeyFile = ./pki/client-key.pem;
tlsKeyFile = "${client_key}";
tlsCertFile = "${client_cert}";
extraOpts = "--client-ca-file=${ca_cert}";
networkPlugin = null;
clusterDns = "kubernetes";
};
@@ -83,16 +137,16 @@ let
apiserver = {
publicAddress = "0.0.0.0";
address = "0.0.0.0";
clientCaFile = ./pki/ca.pem;
tlsCertFile = ./pki/server.pem;
tlsKeyFile = ./pki/server-key.pem;
# kubeletClientCaFile = ./pki/ca.pem;
# kubeletClientCertFile = ./pki/client.pem;
# kubeletClientKeyFile = ./pki/client-key.pem;
clientCaFile = "${ca_cert}";
tlsKeyFile = "${server_key}";
tlsCertFile = "${server_cert}";
# kubeletClientCaFile = "${ca_cert}";
# kubeletClientKeyFile = "${server_key}";
# kubeletClientCertFile = "${server_cert}";
};
scheduler.leaderElect = true;
controllerManager.leaderElect = true;
controllerManager.serviceAccountKeyFile = ./pki/apiserver-key.pem;
controllerManager.serviceAccountKeyFile = "${server_key}";
};
networking.firewall.allowedTCPPorts = [ 5000 8080 443 53 ];
@@ -114,8 +168,12 @@ in
k8s0-0 = { config, lib, pkgs, ... }:
let
host = "k8s0-0";
etcd = etcdConfig "etcd0";
base = baseConfig host;
etcd = etcdConfig {
name = "etcd0";
key = etcd0_key;
cert = etcd0_cert;
};
in
{
deployment.targetHost = "10.253.18.100";
@@ -125,8 +183,12 @@ in
k8s0-1 = { config, lib, pkgs, ... }:
let
host = "k8s0-1";
etcd = etcdConfig "etcd1";
base = baseConfig host;
etcd = etcdConfig {
name = "etcd1";
key = etcd1_key;
cert = etcd1_cert;
};
in
{
deployment.targetHost = "10.253.18.101";