Secure certificates after generation

2019-02-23 15:34:28 +01:00
parent cce9aa825b
commit 66d29be22c
19 changed files with 2098 additions and 144 deletions
--- a/kube1/build.nix
+++ b/kube1/build.nix
@@ -0,0 +1,2 @@
+with import <nixpkgs> {};
+pkgs.callPackage ./certs.nix {}
--- a/kube1/certs.nix
+++ b/kube1/certs.nix
@@ -0,0 +1,29 @@
+{ pkgs, ...}:
+let
+  pki = pkgs.callPackage ../lib/pki.nix {};
+in
+{
+    initca = pki.initca;
+    ca = pki.ca;
+    apiserver = pki.apiserver ''
+      "10.253.18.109",
+      "10.0.0.1",
+      "127.0.0.1",
+      "kubernetes",
+      "etcd0",
+      "k1-0"
+    '';
+    kube-proxy = pki.kube-proxy;
+    admin = pki.admin;
+    etcd = pki.etcd ''
+        "etcd0",
+        "etcd1",
+        "10.253.18.109",
+        "10.253.18.110",
+        "127.0.0.1"
+    '';
+    k1-0 = pki.worker { name = "k1-0"; ip = "10.253.18.109"; };
+    k1-1 = pki.worker { name = "k1-1"; ip = "10.253.18.110"; };
+    k1-2 = pki.worker { name = "k1-2"; ip = "10.253.18.111"; };
+}
+
--- a/kube1/deployment.nix
+++ b/kube1/deployment.nix
@@ -0,0 +1,38 @@
+with import <nixpkgs> {};
+let
+  certs = pkgs.callPackage ./certs.nix {};
+  pki = pkgs.callPackage ../lib/pki.nix {};
+  cluster = callPackage ../lib/k8s.nix {
+    masterNode = "10.253.18.109";
+    etcdNodes = [ "etcd0" "etcd1" ];
+    clusterHosts = ''
+      10.253.18.109 k1-0 etcd0 kubernetes fs0-2
+      10.253.18.110 k1-1 etcd1
+      10.253.18.111 k1-2
+      10.253.18.106 fs0-0
+      10.1.2.164    fs0-1
+      10.253.18.100 k0-0
+      10.253.18.100 gitlab.itpartner.no registry.itpartner.no minio.itpartner.no
+      10.253.18.109 gitlab.k1.local registry.k1.local minio.k1.local
+      10.253.18.100 itp-registry itp-registry.local
+    '';
+    certs = {
+      ca = certs.ca;
+      apiserver = pki.toSet certs.apiserver;
+      kube-proxy = pki.toSet certs.kube-proxy;
+      admin = pki.toSet certs.admin;
+      etcd = pki.toSet certs.etcd;
+      k1-0 = pki.toSet certs.k1-0;
+      k1-1 = pki.toSet certs.k1-1;
+      k1-2 = pki.toSet certs.k1-2;
+    };
+  };
+in
+{
+  k1-0 = { ... }:
+  {
+    require = [ (cluster.apiserver "10.253.18.109" "k1-0" "etcd0") ];
+  };
+  k1-1 = cluster.server "10.253.18.110" "k1-1" "etcd1";
+  k1-2 = cluster.worker "10.253.18.111" "k1-2";
+}