Changes for kubernetes 1.9.

This commit is contained in:
Jonas Juselius
2018-05-23 13:46:30 +02:00
parent c3c8d49eca
commit 618fc7cc99
3 changed files with 68 additions and 38 deletions


@@ -12,10 +12,10 @@ f=.$d.$$
# nixops ssh -d $d ${d}0-0 kubectl --namespace kube-system delete --all pods # nixops ssh -d $d ${d}0-0 kubectl --namespace kube-system delete --all pods
# sleep 60 # sleep 60
sed -s 's/require = \[ \+base .*/require = [ base ];/' $d.nix > $f # sed -s 's/require = \[ \+base .*/require = [ base ];/' $d.nix > $f
nixops modify -d $d $f # nixops modify -d $d $f
nixops deploy -d $d # nixops deploy -d $d
rm $f # rm $f
nixops reboot -d $d nixops reboot -d $d
nixops ssh-for-each -d $d "rm -rf /var/run/kubernetes /var/lib/kubernetes /var/lib/etcd" nixops ssh-for-each -d $d "rm -rf /var/run/kubernetes /var/lib/kubernetes /var/lib/etcd"
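Review bot: With the sed/modify/deploy/rm steps commented out, the script now goes straight from `nixops reboot` to `rm -rf /var/run/kubernetes /var/lib/kubernetes /var/lib/etcd` on every node in `$d`, which irreversibly discards the etcd datastore with no confirmation and no check that `$d` is set. A one-line gate before the wipe would make an accidental run against the wrong deployment much harder: `[ -n "$d" ] || { echo "d is unset" >&2; exit 1; }` followed by `read -r -p "Wipe kubernetes and etcd state on all $d nodes? [y/N] " a; [ "$a" = y ] || exit 1`. The temp file from the header line `f=.$d.$$` is no longer used by any active line, so either drop it or keep the old flow behind a flag instead of comments. The enclosing script starts before this hunk.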


@@ -1,7 +1,7 @@
{ pkgs, kubeMaster, etcdNodes, clusterHosts, certs, ...}: { pkgs, masterNode, etcdNodes, clusterHosts, certs, ...}:
let let
kubeApiserver = "https://${kubeMaster}:443"; kubeApiserver = "https://${masterNode}:8443";
localApiserver = "https://127.0.0.1:8080"; localApiserver = "http://127.0.0.1:8080";
etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdNodes; etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdNodes;
etcdCluster = builtins.map (x: "${x}=https://${x}:2380") etcdNodes; etcdCluster = builtins.map (x: "${x}=https://${x}:2380") etcdNodes;
in in
@@ -55,25 +55,24 @@ rec {
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
# trustedInterfaces = [ "flannel.1" "docker0" "veth+" ];
allowedTCPPorts = [ 53 4194 10250 ]; allowedTCPPorts = [ 53 4194 10250 ];
allowedUDPPorts = [ 53 ]; allowedUDPPorts = [ 53 ];
extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE''; extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE'';
}; };
}; };
virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8"; virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
# systemd.services.kube-proxy.path = [pkgs.iptables pkgs.conntrack_tools pkgs.kmod]; virtualisation.docker.autoPrune.enable = true;
}; };
kubeMaster = { kubeMaster = {
services.kubernetes = { services.kubernetes = {
roles = [ "master" ]; roles = [ "master" ];
kubelet.unschedulable = true; kubelet.unschedulable = false;
apiserver = { apiserver = {
address = kubeMaster; address = masterNode;
advertiseAddress = kubeMaster; advertiseAddress = masterNode;
authorizationMode = [ "Node" "RBAC" ]; authorizationMode = [ "Node" "RBAC" ];
securePort = 443; securePort = 8443;
tlsKeyFile = certs.apiserver.key; tlsKeyFile = certs.apiserver.key;
tlsCertFile = certs.apiserver.cert; tlsCertFile = certs.apiserver.cert;
clientCaFile = certs.ca.cert; clientCaFile = certs.ca.cert;
@@ -94,7 +93,7 @@ rec {
addons.dns.enable = true; addons.dns.enable = true;
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 5000 8080 443 ]; #;4053 ]; allowedTCPPorts = [ 5000 8080 8443 ]; #;4053 ];
# allowedUDPPorts = [ 4053 ]; # allowedUDPPorts = [ 4053 ];
}; };
environment.systemPackages = [ pkgs.kubernetes-helm ]; environment.systemPackages = [ pkgs.kubernetes-helm ];
@@ -118,49 +117,71 @@ rec {
}; };
}; };
nixosConfig = node: { nixosConfig = instance: {
imports = [ (./hardware-configuration + "/${node}.nix") ./nixos/configuration.nix ]; imports = [
(../nixos/hardware-configuration + "/${instance}.nix")
../nixos/configuration.nix
];
services.glusterfs = {
enable = true;
tlsSettings = {
caCert = certs.ca.cert;
tlsKeyPath = certs.${instance}.key;
tlsPem = certs.${instance}.cert;
};
};
networking = { networking = {
hostName = node; hostName = instance;
extraHosts = clusterHosts; extraHosts = clusterHosts;
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ]; firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
firewall.allowedTCPPorts = [ 80 443 ]; firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ];
}; };
environment.systemPackages = [ pkgs.tshark ]; environment.systemPackages = [ pkgs.tshark ];
# services.dnsmasq.enable = true;
}; };
worker = host: ip: { config, lib, pkgs, ... }: plain = ip: name: { config, lib, pkgs, ... }:
let
instance = host;
base = nixosConfig host;
in
{ {
deployment.targetHost = ip; deployment.targetHost = ip;
require = [ base (kubeConfig instance) (kubeNode instance) ]; require = [
(nixosConfig name)
];
};
worker = ip: name: { config, lib, pkgs, ... }:
{
deployment.targetHost = ip;
require = [
(nixosConfig name)
(kubeConfig name)
(kubeNode name)
];
services.kubernetes.addons.dns.enable = false; services.kubernetes.addons.dns.enable = false;
}; };
server = host: etc: ip: { config, lib, pkgs, ... }: server = ip: name: etc: { config, lib, pkgs, ... }:
let
instance = host;
base = nixosConfig instance;
etcd = etcdConfig etc;
in
{ {
deployment.targetHost = ip; deployment.targetHost = ip;
require = [ base etcd (kubeConfig instance) (kubeNode instance) ]; require = [
(nixosConfig name)
(etcdConfig etc)
(kubeConfig name)
(kubeNode name)
];
services.kubernetes.addons.dns.enable = false; services.kubernetes.addons.dns.enable = false;
}; };
apiserver = host: ip: etc: { config, lib, pkgs, ... }: apiserver = ip: name: etc: { config, lib, pkgs, ... }:
let
instance = host;
base = nixosConfig instance;
etcd = etcdConfig etc;
in
{ {
deployment.targetHost = ip; deployment.targetHost = ip;
require = [ base etcd (kubeConfig instance) kubeMaster (kubeNode instance) ]; require = [
(nixosConfig name)
(etcdConfig etc)
kubeMaster
(kubeConfig name)
(kubeNode name)
];
services.dockerRegistry = { services.dockerRegistry = {
enable = true; enable = true;
listenAddress = "0.0.0.0"; listenAddress = "0.0.0.0";
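Review bot: The per-port firewall lists on the kube nodes and the master (`allowedTCPPorts = [ 53 4194 10250 ]`, `allowedTCPPorts = [ 5000 8080 8443 ]`) are largely moot because `nixosConfig`, applied to every node, still carries `firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ]`, which already covers 8080, 8443, 10250 and the new 24007/24008. Since `localApiserver` is now plain `http://127.0.0.1:8080`, the intent is presumably that the insecure apiserver port stays on loopback; if it is ever bound beyond 127.0.0.1 the wide range plus the explicit 8080 entry would expose an unauthenticated API, so a comment such as `# 8080 is the insecure apiserver port and must stay bound to loopback only` next to that list, or dropping 8080 from it, would document the constraint. `kubelet.unschedulable = false` on the master is a deliberate change with no comment; a line like `# master also runs workloads (small cluster); revisit if control-plane isolation is needed` would explain it. The hunk starting at `@@ -118,49 +117,71 @@` ends at the `listenAddress` context line, so the rest of the dockerRegistry block is outside this view.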


@@ -101,6 +101,15 @@
}; };
}; };
trust = name: hosts: gencert rec {
inherit name;
csr = gencsr {
inherit name hosts;
cn = name;
o = name;
};
};
kube-proxy = gencert rec { kube-proxy = gencert rec {
name = "kube-proxy"; name = "kube-proxy";
csr = gencsr { csr = gencsr {
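Review bot: The new `trust` helper has no comment explaining what kind of certificate it produces or who consumes it, which matters because it sets both `cn` and `o` to the node name and gets the full `hosts` SAN list. Something like `# Per-node serving/client cert: CN and O are the node name, SANs from hosts; consumed as certs.<node> elsewhere in the deployment` above `trust = name: hosts:` would make that clear, with the consumer hedged unless you confirm it. The surrounding attribute set continues outside this hunk.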