From 8a904384ef2d4f7edf5a26a147039edad5b52383 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Fri, 15 Sep 2017 20:54:08 +0200 Subject: [PATCH] Configure private Docker registry. --- bin/cache-certs.sh | 2 ++ certs.nix | 10 ++++++---- git.nix | 17 +++++++++++++++++ k8s.nix | 7 ++++++- 4 files changed, 31 insertions(+), 5 deletions(-) create mode 100755 bin/cache-certs.sh create mode 100644 git.nix diff --git a/bin/cache-certs.sh b/bin/cache-certs.sh new file mode 100755 index 0000000..bf11407 --- /dev/null +++ b/bin/cache-certs.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +nix-instantiate --add-root `pwd`/gcroots/certs --indirect -E "import ./certs.nix" diff --git a/certs.nix b/certs.nix index 0436ae3..bf4eb8b 100644 --- a/certs.nix +++ b/certs.nix @@ -2,8 +2,8 @@ let pkgs = import {}; runWithOpenSSL = file: cmd: pkgs.runCommand file { - buildInputs = [ pkgs.openssl ]; - } cmd; + buildInputs = [ pkgs.openssl_1_1_0 ]; + } ("export RANDFILE=/tmp/rnd;" + cmd); etcd_cnf = pkgs.writeText "etcd-openssl.cnf" '' [req] @@ -50,6 +50,7 @@ let DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster.local + DNS.4 = k8s0-0.itpartner.no IP.1 = 10.10.10.1 IP.2 = 10.253.18.100 ''; @@ -67,13 +68,15 @@ let DNS.1 = k8s0-0 DNS.2 = k8s0-1 DNS.3 = k8s0-2 + DNS.4 = *.itpartner.no + DNS.5 = *.itpartner.intern ''; ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048"; ca_pem = runWithOpenSSL "ca.pem" '' openssl req \ -x509 -new -nodes -key ${ca_key} \ - -days 10000 -out $out -subj "/CN=etcd-ca" + -days 10000 -out $out -subj "/CN=kube-ca" ''; etcd_key = runWithOpenSSL "etcd-key.pem" "openssl genrsa -out $out 2048"; @@ -138,7 +141,6 @@ let -out $out -days 365 -extensions v3_req \ -extfile ${worker_cnf} ''; - in { inherit ca_key ca_pem; diff --git a/git.nix b/git.nix new file mode 100644 index 0000000..348b04f --- /dev/null +++ b/git.nix @@ -0,0 +1,17 @@ +{ + git01 = { config, lib, pkgs, ... }: + { + deployment.targetHost = "10.253.18.103"; + networking.hostName = "git01"; # Define your hostname + imports = [ ./hw/git01.nix ./base/configuration.nix ]; + services.nfs.server = { + enable=true; + exports= '' + /data 10.253.18.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) + /vol 10.253.18.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash) + ''; + }; + networking.firewall.allowedTCPPorts = [2049 111 20048]; + networking.firewall.allowedUDPPorts = [2049 111 20048]; + }; +} diff --git a/k8s.nix b/k8s.nix index 6dbc6e8..a62f48b 100644 --- a/k8s.nix +++ b/k8s.nix @@ -3,7 +3,6 @@ let pkgs = import {}; etcdServers = [ "etcd0" "etcd1" "etcd2" ]; - # etcdServers = [ "k8s0-0" "k8s0-1" "k8s0-2" ]; etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdServers; etcdCluster = builtins.map (x: "${x}=https://${x}:2380") etcdServers; @@ -32,6 +31,7 @@ let }; kubeConfig = { + systemd.services.kubelet.path = [ pkgs.socat ]; services.flannel = { enable = true; network = "10.10.0.0/16"; @@ -83,6 +83,7 @@ let extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE''; }; }; + virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8"; }; kubeMaster = { @@ -156,6 +157,10 @@ in services.dockerRegistry = { enable = true; listenAddress = "0.0.0.0"; + extraConfig = { + REGISTRY_HTTP_TLS_CERTIFICATE = "${apiserver_cert}"; + REGISTRY_HTTP_TLS_KEY = "${apiserver_key}"; + }; }; };