Global token, key and cert provisioning works

This commit is contained in:
Jonas Juselius
2019-10-16 19:14:37 +02:00
parent 286ad04f8e
commit 2dae12bad2
3 changed files with 70 additions and 56 deletions


@@ -1,4 +1,4 @@
here: { pkgs, lib, settings, ...}:
{ pkgs, lib, settings, here, ...}:
with lib;
let
cluster-ca = pkgs.stdenv.mkDerivation {
@@ -19,18 +19,18 @@ let
'';
};
nixos-kubernetes-join-nodes = workers:
let
wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
in
pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
#!/bin/sh
set -e
token=$(cat /var/lib/cfssl/apitoken.secret)
for i in ${wrk}; do
ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
done
'';
#nixos-kubernetes-join-nodes = workers:
# let
# wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
# in
# pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
# #!/bin/sh
# set -e
# token=$(cat /var/lib/cfssl/apitoken.secret)
# for i in ${wrk}; do
# ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
# done
# '';
kube-system-bootstrap = pkgs.stdenv.mkDerivation {
name = "kube-system-bootstrap";
@@ -45,18 +45,20 @@ let
'';
};
install-apitoken = pkgs.writeScript "kube-install-certmgr-apitoken" ''
#!${pkgs.bash}/bin/bash
set -e
if [ -d /var/lib/cfssl ]; then
cp ${cfssl-apitoken} /var/lib/cfssl/apitoken.secret
chown cfssl /var/lib/cfssl/apitoken.secret
chmod 600 /var/lib/cfssl/apitoken.secret
fi
cp ${cfssl-apitoken} /var/lib/kubernetes/secrets/apitoken.secret
chown root /var/lib/kubernetes/secrets/apitoken.secret
chmod 600 /var/lib/kubernetes/secrets/apitoken.secret
'';
install-apitoken = ''
#!${pkgs.bash}/bin/bash
set -e
if [ -d /var/lib/cfssl ]; then
cp ${cfssl-apitoken} /var/lib/cfssl/apitoken.secret
chown cfssl /var/lib/cfssl/apitoken.secret
chmod 640 /var/lib/cfssl/apitoken.secret
else
mkdir -p /var/lib/kubernetes/secrets
cp ${cfssl-apitoken} /var/lib/kubernetes/secrets/apitoken.secret
chown root /var/lib/kubernetes/secrets/apitoken.secret
chmod 600 /var/lib/kubernetes/secrets/apitoken.secret
fi
'';
cidr = "10.10.0.0/16";
in
@@ -94,9 +96,19 @@ rec {
};
environment.systemPackages = [
pkgs.kubernetes-helm
(nixos-kubernetes-join-nodes settings.workers)
# (nixos-kubernetes-join-nodes settings.workers)
kube-system-bootstrap
];
systemd.services.kube-certmgr-apitoken-bootstrap = {
description = "Kubernetes certmgr bootstrapper";
wantedBy = [ "cfssl.service" ];
before = [ "cfssl.target" ];
script = install-apitoken;
serviceConfig = {
RestartSec = "10s";
Restart = "on-failure";
};
};
};
kubeWorker = {
@@ -116,9 +128,22 @@ rec {
};
virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
virtualisation.docker.autoPrune.enable = true;
systemd.services.kube-certmgr-apitoken-bootstrap = {
description = "Kubernetes certmgr bootstrapper";
wantedBy = [ "certmgr.service" ];
before = [ "certmgr.target" ];
script = install-apitoken;
serviceConfig = {
RestartSec = "10s";
Restart = "on-failure";
};
};
};
baseNixos = name: {
users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys;
imports = [
../nixos/configuration.nix
(here + "/${name}.nix")
@@ -145,19 +170,6 @@ rec {
firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ];
};
users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys;
systemd.services.kube-certmgr-apitoken-bootstrap = {
description = "Kubernetes certmgr bootstrapper";
wantedBy = [ "cfssl.service" ];
before = [ "cfssl.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${install-apitoken}";
};
};
};
apiserver = ip: name: self:
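Review bot: Both new `kube-certmgr-apitoken-bootstrap` units (the master one under `environment.systemPackages`, the worker one after `virtualisation.docker.autoPrune.enable`) drop the `Type = "oneshot"` and `RemainAfterExit = true` that the removed unit in the last hunk had, so with `script` the unit defaults to `Type=simple` and `before=` only orders on the shell being forked, not on the token actually having been written; reinstate `Type = "oneshot"; RemainAfterExit = true;` in both `serviceConfig` blocks. The ordering also names mismatched units: `wantedBy = [ "cfssl.service" ]` is paired with `before = [ "cfssl.target" ]` (and `certmgr.service` with `certmgr.target`), so the copy is not guaranteed to finish before the daemon that reads the file starts; it should be `before = [ "cfssl.service" ];` and `before = [ "certmgr.service" ];`. `cp ${cfssl-apitoken} …` interpolates a Nix value defined outside these hunks; if that is a derivation or other store path, the token already sits world-readable under `/nix/store` and the `chmod 600`/`640` on the copy does not change that — confirm it is not a store path, or provision the token out of band. Note too that the new `else` branch means a host that has `/var/lib/cfssl` no longer receives `/var/lib/kubernetes/secrets/apitoken.secret`, which the removed script always installed; confirm that is intended.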