oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Simplified structure using new certificates.

Browse Source
This commit is contained in:
Jonas Juselius
2017-07-11 11:42:54 +02:00
parent be8082a927
commit 1a4f1c0da0
2 changed files with 29 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,2 +1,4 @@
*.pem
*.csr
result
result-*

50
k8s.nix
View File

@@ -6,8 +6,8 @@ let
listenClientUrls = ["https://0.0.0.0:2379"];
listenPeerUrls = ["https://0.0.0.0:2380"];
peerClientCertAuth = true;
certFile = ./pki/etcd.pem;
keyFile = ./pki/etcd-key.pem;
certFile = ./pki + "/${name}.pem";
keyFile = ./pki + "/${name}-key.pem";
trustedCaFile = ./pki/ca.pem;
advertiseClientUrls = [ "https://${name}:2379" ];
initialAdvertisePeerUrls = [ "https://${name}:2380" ];
@@ -25,22 +25,22 @@ let
networking.firewall.allowedTCPPorts = [ 2379 2380 ];
};
flannelConfig = node: {
flannelConfig = {
services.flannel = {
enable = true;
network = "10.10.0.0/16";
iface = "enp2s0";
etcd = {
endpoints = [ "https://etcd0:2379" "https://etcd1:2379" ];
certFile = ./pki + "/${node}.pem";
keyFile = ./pki + "/${node}-key.pem";
caFile = ./pki/ca.pem;
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
};
};
};
kubeConfig = node: {
require = [ (flannelConfig node) ];
kubeConfig = {
require = [ flannelConfig ];
networking.firewall.allowedUDPPorts = [ 8472 ]; # VXLAN
networking.firewall.allowedTCPPorts = [ 10250 ];
systemd.services.docker.after = [ "flannel.service" ];
@@ -49,31 +49,31 @@ let
# services.kubernetes.verbose = true;
services.kubernetes.etcd = {
servers = [ "https://etcd0:2379" "https://etcd1:2379" ];
certFile = ./pki + "/${node}.pem";
keyFile = ./pki + "/${node}-key.pem";
caFile = ./pki/ca.pem;
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
};
};
kubeNode = doConfig: node: {
kubeNode = {
services.kubernetes = {
roles = [ "node" ];
kubeconfig = {
server = "https://kubernetes:443";
caFile = ./pki/ca.pem;
certFile = ./pki + "/${node}.pem";
keyFile = ./pki + "/${node}-key.pem";
certFile = ./pki/client.pem;
keyFile = ./pki/client-key.pem;
};
kubelet = {
tlsCertFile = ./pki + "/${node}.pem";
tlsKeyFile = ./pki + "/${node}-key.pem";
tlsCertFile = ./pki/client.pem;
tlsKeyFile = ./pki/client-key.pem;
networkPlugin = null;
clusterDns = "kubernetes";
};
};
};
kubeMaster = node: {
kubeMaster = {
services.dockerRegistry = {
enable = true;
listenAddress = "0.0.0.0";
@@ -84,11 +84,11 @@ let
publicAddress = "0.0.0.0";
address = "0.0.0.0";
clientCaFile = ./pki/ca.pem;
tlsCertFile = ./pki/apiserver.pem;
tlsKeyFile = ./pki/apiserver-key.pem;
tlsCertFile = ./pki/server.pem;
tlsKeyFile = ./pki/server-key.pem;
# kubeletClientCaFile = ./pki/ca.pem;
# kubeletClientCertFile = ./pki + "/${node}.pem";
# kubeletClientKeyFile = ./pki + "/${node}-key.pem";
# kubeletClientCertFile = ./pki/client.pem;
# kubeletClientKeyFile = ./pki/client-key.pem;
};
scheduler.leaderElect = true;
controllerManager.leaderElect = true;
@@ -102,7 +102,7 @@ let
baseConfig = node: {
imports = [ (./hw + "/${node}.nix") ./base/configuration.nix ];
require = [ (kubeConfig node) ];
require = [ kubeConfig ];
networking.hostName = node;
networking.extraHosts = ''
10.253.18.100 etcd0 kubernetes
@@ -116,12 +116,10 @@ in
host = "k8s0-0";
etcd = etcdConfig "etcd0";
base = baseConfig host;
master = kubeMaster host;
node = kubeNode true host;
in
{
deployment.targetHost = "10.253.18.100";
require = [ base etcd master node ];
require = [ base etcd kubeMaster kubeNode ];
};
k8s0-1 = { config, lib, pkgs, ... }:
@@ -129,21 +127,19 @@ in
host = "k8s0-1";
etcd = etcdConfig "etcd1";
base = baseConfig host;
node = kubeNode true host;
in
{
deployment.targetHost = "10.253.18.101";
require = [ base etcd node ];
require = [ base etcd kubeNode ];
};
k8s0-2 = { config, lib, pkgs, ... }:
let
host = "k8s0-2";
base = baseConfig host;
node = kubeNode true host;
in
{
deployment.targetHost = "10.253.18.102";
require = [ base node ];
require = [ base kubeNode ];
};
}