oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Configure private Docker registry.

Browse Source
This commit is contained in:
Jonas Juselius
2017-09-15 20:54:08 +02:00
parent 229a08f229
commit 8a904384ef
4 changed files with 31 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bin/cache-certs.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/usr/bin/env bash
nix-instantiate --add-root `pwd`/gcroots/certs --indirect -E "import ./certs.nix"

10
certs.nix
View File

@@ -2,8 +2,8 @@ let
pkgs = import <nixpkgs> {}; pkgs = import <nixpkgs> {};
runWithOpenSSL = file: cmd: pkgs.runCommand file { runWithOpenSSL = file: cmd: pkgs.runCommand file {
buildInputs = [ pkgs.openssl ]; buildInputs = [ pkgs.openssl_1_1_0 ];
} cmd; } ("export RANDFILE=/tmp/rnd;" + cmd);
etcd_cnf = pkgs.writeText "etcd-openssl.cnf" '' etcd_cnf = pkgs.writeText "etcd-openssl.cnf" ''
[req] [req]
@@ -50,6 +50,7 @@ let
DNS.2 = kubernetes.default DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local DNS.4 = kubernetes.default.svc.cluster.local
DNS.4 = k8s0-0.itpartner.no
IP.1 = 10.10.10.1 IP.1 = 10.10.10.1
IP.2 = 10.253.18.100 IP.2 = 10.253.18.100
''; '';
@@ -67,13 +68,15 @@ let
DNS.1 = k8s0-0 DNS.1 = k8s0-0
DNS.2 = k8s0-1 DNS.2 = k8s0-1
DNS.3 = k8s0-2 DNS.3 = k8s0-2
DNS.4 = *.itpartner.no
DNS.5 = *.itpartner.intern
''; '';
ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048"; ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
ca_pem = runWithOpenSSL "ca.pem" '' ca_pem = runWithOpenSSL "ca.pem" ''
openssl req \ openssl req \
-x509 -new -nodes -key ${ca_key} \ -x509 -new -nodes -key ${ca_key} \
-days 10000 -out $out -subj "/CN=etcd-ca" -days 10000 -out $out -subj "/CN=kube-ca"
''; '';
etcd_key = runWithOpenSSL "etcd-key.pem" "openssl genrsa -out $out 2048"; etcd_key = runWithOpenSSL "etcd-key.pem" "openssl genrsa -out $out 2048";
@@ -138,7 +141,6 @@ let
-out $out -days 365 -extensions v3_req \ -out $out -days 365 -extensions v3_req \
-extfile ${worker_cnf} -extfile ${worker_cnf}
''; '';
in in
{ {
inherit ca_key ca_pem; inherit ca_key ca_pem;

17
git.nix Normal file
View File

@@ -0,0 +1,17 @@
{
git01 = { config, lib, pkgs, ... }:
{
deployment.targetHost = "10.253.18.103";
networking.hostName = "git01"; # Define your hostname
imports = [ ./hw/git01.nix ./base/configuration.nix ];
services.nfs.server = {
enable=true;
exports= ''
/data 10.253.18.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
/vol 10.253.18.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [2049 111 20048];
networking.firewall.allowedUDPPorts = [2049 111 20048];
};
}

7
k8s.nix
View File

@@ -3,7 +3,6 @@ let
pkgs = import <nixpkgs> {}; pkgs = import <nixpkgs> {};
etcdServers = [ "etcd0" "etcd1" "etcd2" ]; etcdServers = [ "etcd0" "etcd1" "etcd2" ];
# etcdServers = [ "k8s0-0" "k8s0-1" "k8s0-2" ];
etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdServers; etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdServers;
etcdCluster = builtins.map (x: "${x}=https://${x}:2380") etcdServers; etcdCluster = builtins.map (x: "${x}=https://${x}:2380") etcdServers;
@@ -32,6 +31,7 @@ let
}; };
kubeConfig = { kubeConfig = {
systemd.services.kubelet.path = [ pkgs.socat ];
services.flannel = { services.flannel = {
enable = true; enable = true;
network = "10.10.0.0/16"; network = "10.10.0.0/16";
@@ -83,6 +83,7 @@ let
extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE''; extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE'';
}; };
}; };
virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
}; };
kubeMaster = { kubeMaster = {
@@ -156,6 +157,10 @@ in
services.dockerRegistry = { services.dockerRegistry = {
enable = true; enable = true;
listenAddress = "0.0.0.0"; listenAddress = "0.0.0.0";
extraConfig = {
REGISTRY_HTTP_TLS_CERTIFICATE = "${apiserver_cert}";
REGISTRY_HTTP_TLS_KEY = "${apiserver_key}";
};
}; };
}; };