Secure certificates after generation

2019-02-23 15:34:28 +01:00
parent cce9aa825b
commit 66d29be22c
19 changed files with 2098 additions and 144 deletions
--- a/lib/k8s.nix
+++ b/lib/k8s.nix
@@ -55,8 +55,8 @@ rec {
    networking = {
      firewall = {
        enable = true;
-        allowedTCPPorts = [ 53 4194 10250 ];
-        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 4194 10250 ];
+        # allowedUDPPorts = [ 53 ];
        extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE'';
      };
    };
@@ -69,7 +69,7 @@ rec {
      roles = [ "master" ];
      kubelet.unschedulable = false;
      apiserver = {
-        bindAddress = "0.0.0.0"; #masterNode; 
+        bindAddress = "0.0.0.0"; #masterNode;
        advertiseAddress = masterNode;
        authorizationMode = [ "Node" "RBAC" ];
        securePort = 8443;
@@ -89,20 +89,25 @@ rec {
        kubeconfig.server = localApiserver;
      };
      scheduler.kubeconfig.server = localApiserver;
+      addons.dns.enable = true;
+      addons.dns.reconcileMode = "EnsureExists";
      addons.dashboard = rec {
      	enable = true;
      	version = "v1.10.0";
+        rbac.enable = true;
+        rbac.clusterAdmin = true;
+        tokenTtl = 0;
     	image = {
-	  imageName = "k8s.gcr.io/kubernetes-dashboard-amd64";
-	  imageDigest = "sha256:1d2e1229a918f4bc38b5a3f9f5f11302b3e71f8397b492afac7f273a0008776a";
-	  finalImageTag = version;
-	  sha256 = "10qkqqhzkr0bcv0dlf8nq069h190pw6zjj1l5s5g438g80v8639j";
+          imageName = "k8s.gcr.io/kubernetes-dashboard-amd64";
+          imageDigest = "sha256:1d2e1229a918f4bc38b5a3f9f5f11302b3e71f8397b492afac7f273a0008776a";
+          finalImageTag = version;
+          sha256 = "10qkqqhzkr0bcv0dlf8nq069h190pw6zjj1l5s5g438g80v8639j";
        };
      };
    };
    networking.firewall = {
-      allowedTCPPorts = [ 5000 8080 8443 ]; #;4053 ];
-      # allowedUDPPorts = [ 4053 ];
+      allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ];
+      allowedUDPPorts = [ 53 4053 ];
    };
    environment.systemPackages = [ pkgs.kubernetes-helm ];
  };
@@ -130,6 +135,9 @@ rec {
      (../nixos/hardware-configuration + "/${instance}.nix")
      ../nixos/configuration.nix
    ];
+    security.pki.certificateFiles = [
+      certs.ca.cert
+    ];
    services.glusterfs = {
      enable = true;
      tlsSettings = {
@@ -141,12 +149,14 @@ rec {
    networking = {
      hostName = instance;
      extraHosts = clusterHosts;
+      # nameservers = [ masterNode ];
+      # dhcpcd.extraConfig = ''
+      #  static domain_name_servers=${masterNode}
+      # '';
      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
      firewall.allowedTCPPorts = [ 80 443 111 ];
      firewall.allowedUDPPorts = [ 111 24007 24008 ];
    };
-    environment.systemPackages = [ pkgs.tshark ];
-    # services.dnsmasq.enable = true;
  };

  plain = ip: name: { config, lib, pkgs, ... }:
@@ -193,6 +203,8 @@ rec {
      services.dockerRegistry = {
        enable = true;
        listenAddress = "0.0.0.0";
+        enableDelete = true;
+        enableGarbageCollect = true;
        extraConfig = {
          REGISTRY_HTTP_TLS_CERTIFICATE = "${certs.apiserver.cert}";
          REGISTRY_HTTP_TLS_KEY = "${certs.apiserver.key}";
--- a/lib/pki.nix
+++ b/lib/pki.nix
@@ -36,7 +36,7 @@
    }
  '';

-  initca =
+  initca' =
    let
      ca_csr = gencsr {
        name = "kubernetes";
@@ -51,9 +51,9 @@
           mkdir -p $out; cp *.pem $out'';

   # make ca derivation sha depend on initca cfssl output
-   initca' = pkgs.stdenv.mkDerivation {
+   initca = pkgs.stdenv.mkDerivation {
    name = "ca";
-    src = initca;
+    src = initca';
    buildCommand = ''
      mkdir -p $out;
      cp -r $src/* $out
@@ -61,8 +61,8 @@
  };

  ca = {
-    key = "${initca'}/ca-key.pem";
-    cert = "${initca'}/ca.pem";
+    key = "${initca}/ca-key.pem";
+    cert = "${initca}/ca.pem";
  };

  cfssl = conf: ''
@@ -72,16 +72,16 @@
    mkdir -p $out; cp *.pem $out
  '';

+  toSet = cert:
+    {
+      key = "${cert}/cert-key.pem";
+      cert = "${cert}/cert.pem";
+    };
+
  gencert = conf:
-    let
-      drv = pkgs.runCommand "${conf.name}" {
+      pkgs.runCommand "${conf.name}" {
        buildInputs = [ pkgs.cfssl ];
      } (cfssl conf);
-    in
-      {
-        key = "${drv}/cert-key.pem";
-        cert = "${drv}/cert.pem";
-      };

  admin = gencert rec {
      name = "admin";