From 1a4f1c0da08f416235468d7a199fa14dca479483 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 11 Jul 2017 11:42:54 +0200
Subject: [PATCH] Simplified structure using new certificates.
---
.gitignore | 2 ++
k8s.nix | 58 +++++++++++++++++++++++++-----------------------------
2 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/.gitignore b/.gitignore
index e67a75e..9135c35 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
*.pem
*.csr
+result
+result-*
diff --git a/k8s.nix b/k8s.nix
index 7de0ca3..c642010 100644
--- a/k8s.nix
+++ b/k8s.nix
@@ -6,8 +6,8 @@ let
listenClientUrls = ["https://0.0.0.0:2379"];
listenPeerUrls = ["https://0.0.0.0:2380"];
peerClientCertAuth = true;
- certFile = ./pki/etcd.pem;
- keyFile = ./pki/etcd-key.pem;
+ certFile = ./pki + "/${name}.pem";
+ keyFile = ./pki + "/${name}-key.pem";
trustedCaFile = ./pki/ca.pem;
advertiseClientUrls = [ "https://${name}:2379" ];
initialAdvertisePeerUrls = [ "https://${name}:2380" ];
@@ -25,22 +25,22 @@ let
networking.firewall.allowedTCPPorts = [ 2379 2380 ];
};
- flannelConfig = node: {
+ flannelConfig = {
services.flannel = {
enable = true;
network = "10.10.0.0/16";
iface = "enp2s0";
etcd = {
endpoints = [ "https://etcd0:2379" "https://etcd1:2379" ];
- certFile = ./pki + "/${node}.pem";
- keyFile = ./pki + "/${node}-key.pem";
- caFile = ./pki/ca.pem;
+ caFile = ./pki/ca.pem;
+ certFile = ./pki/client.pem;
+ keyFile = ./pki/client-key.pem;
};
};
};
- kubeConfig = node: {
- require = [ (flannelConfig node) ];
+ kubeConfig = {
+ require = [ flannelConfig ];
networking.firewall.allowedUDPPorts = [ 8472 ]; # VXLAN
networking.firewall.allowedTCPPorts = [ 10250 ];
systemd.services.docker.after = [ "flannel.service" ];
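Review bot: The etcd block keeps `peerClientCertAuth = true;` but no `clientCertAuth` appears in this hunk, so unless it is set on lines outside the visible ones, anything that can reach 0.0.0.0:2379 (the firewall opens 2379 in the following hunk) gets TLS to etcd without having to present a certificate, and the new per-node `${name}.pem` only proves the server's identity. If the option is not set elsewhere, add `clientCertAuth = true;` beside `peerClientCertAuth = true;` so the `client.pem` the nodes are given is actually required on the client port. The `etcdConfig = name: {` definition this hunk edits starts outside the hunk.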
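Review bot: Every node now authenticates to etcd with the same `./pki/client.pem` / `client-key.pem` in the flannel `etcd = {` block, replacing the per-node `${node}.pem` of the removed lines, so a key leaked from one node is indistinguishable from every other node's and cannot be revoked without re-issuing all of them. Because flannel's credential is a plain etcd client certificate and the kube-apiserver in the next hunk points at the same `etcd0`/`etcd1`, every worker also holds a key that can read and write the whole etcd keyspace, including whatever Kubernetes stores there. If the shared certificate is a deliberate trade-off, record it above `etcd = {`: `# NOTE: one client cert shared by all nodes — any holder has full etcd access; rotate every node on compromise.`; otherwise keep the per-node certificate.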
@@ -49,31 +49,31 @@ let
# services.kubernetes.verbose = true;
services.kubernetes.etcd = {
servers = [ "https://etcd0:2379" "https://etcd1:2379" ];
- certFile = ./pki + "/${node}.pem";
- keyFile = ./pki + "/${node}-key.pem";
- caFile = ./pki/ca.pem;
+ caFile = ./pki/ca.pem;
+ certFile = ./pki/client.pem;
+ keyFile = ./pki/client-key.pem;
};
};
- kubeNode = doConfig: node: {
+ kubeNode = {
services.kubernetes = {
roles = [ "node" ];
kubeconfig = {
server = "https://kubernetes:443";
- caFile = ./pki/ca.pem;
- certFile = ./pki + "/${node}.pem";
- keyFile = ./pki + "/${node}-key.pem";
+ caFile = ./pki/ca.pem;
+ certFile = ./pki/client.pem;
+ keyFile = ./pki/client-key.pem;
};
kubelet = {
- tlsCertFile = ./pki + "/${node}.pem";
- tlsKeyFile = ./pki + "/${node}-key.pem";
+ tlsCertFile = ./pki/client.pem;
+ tlsKeyFile = ./pki/client-key.pem;
networkPlugin = null;
clusterDns = "kubernetes";
};
};
};
- kubeMaster = node: {
+ kubeMaster = {
services.dockerRegistry = {
enable = true;
listenAddress = "0.0.0.0";
@@ -84,11 +84,11 @@ let
publicAddress = "0.0.0.0";
address = "0.0.0.0";
clientCaFile = ./pki/ca.pem;
- tlsCertFile = ./pki/apiserver.pem;
- tlsKeyFile = ./pki/apiserver-key.pem;
- # kubeletClientCaFile = ./pki/ca.pem;
- # kubeletClientCertFile = ./pki + "/${node}.pem";
- # kubeletClientKeyFile = ./pki + "/${node}-key.pem";
+ tlsCertFile = ./pki/server.pem;
+ tlsKeyFile = ./pki/server-key.pem;
+ # kubeletClientCaFile = ./pki/ca.pem;
+ # kubeletClientCertFile = ./pki/client.pem;
+ # kubeletClientKeyFile = ./pki/client-key.pem;
};
scheduler.leaderElect = true;
controllerManager.leaderElect = true;
@@ -102,7 +102,7 @@ let
baseConfig = node: {
imports = [ (./hw + "/${node}.nix") ./base/configuration.nix ];
- require = [ (kubeConfig node) ];
+ require = [ kubeConfig ];
networking.hostName = node;
networking.extraHosts = ''
10.253.18.100 etcd0 kubernetes
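Review bot: `kubelet.tlsCertFile`/`tlsKeyFile` now serve port 10250 with the shared `./pki/client.pem`, the same key every node also presents as its client identity in `kubeconfig` and to etcd; a certificate used to serve the kubelet has to carry a SAN for each node name the apiserver connects to, and with one key for both roles on all nodes the apiserver can no longer tell kubelets apart, so a single leaked key impersonates every node. The removed `node` parameter (`kubeNode = doConfig: node: {`) was exactly what made the per-node `${node}.pem` possible, and `baseConfig` still receives the node name, so it could be passed through again. If dropping per-node certificates is intentional, say so above `kubelet = {`, e.g. `# all nodes share client.pem: it must list every node in its SANs, and the apiserver cannot distinguish kubelets`; otherwise keep `tlsCertFile = ./pki + "/${node}.pem";` and `tlsKeyFile = ./pki + "/${node}-key.pem";` for the kubelet. The `kubeMaster = {` definition at the end of this hunk continues outside it.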
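Review bot: The `kubeletClientCaFile`/`kubeletClientCertFile`/`kubeletClientKeyFile` lines were rewritten to the new `client.pem` paths but are still commented out, so after this change the apiserver presents no client certificate to the kubelets on 10250, and the `kubelet = {` block in the previous hunk sets no client CA either; apiserver-to-kubelet calls (exec, logs, port-forward) therefore depend on whatever the NixOS module defaults to rather than on the PKI this commit introduces. Either uncomment the three lines or replace them with a comment stating why kubelet client authentication is intentionally left off, e.g. `# kubelet client auth deliberately disabled: TODO enable once kubelets verify the apiserver cert`. Note also that `clientCaFile = ./pki/ca.pem` is the CA that issued the `client.pem` handed to every node, so any holder of that key is accepted by the apiserver as a valid client. The `apiserver = {` attribute set this hunk edits starts outside the hunk.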
@@ -116,12 +116,10 @@ in
host = "k8s0-0";
etcd = etcdConfig "etcd0";
base = baseConfig host;
- master = kubeMaster host;
- node = kubeNode true host;
in {
deployment.targetHost = "10.253.18.100";
- require = [ base etcd master node ];
+ require = [ base etcd kubeMaster kubeNode ];
};
k8s0-1 = { config, lib, pkgs, ... }:
@@ -129,21 +129,19 @@ in
host = "k8s0-1";
etcd = etcdConfig "etcd1";
base = baseConfig host;
- node = kubeNode true host;
in {
deployment.targetHost = "10.253.18.101";
- require = [ base etcd node ];
+ require = [ base etcd kubeNode ];
};
k8s0-2 = { config, lib, pkgs, ... }:
let
host = "k8s0-2";
base = baseConfig host;
- node = kubeNode true host;
in {
deployment.targetHost = "10.253.18.102";
- require = [ base node ];
+ require = [ base kubeNode ];
};
}