Multiple improvements and refactorizations

This commit is contained in:
Jonas Juselius
2019-12-17 22:12:50 +01:00
parent f4f53d90e1
commit a3fa5ebc36
3 changed files with 91 additions and 55 deletions


@@ -1,4 +1,4 @@
{ pkgs ? import <nixpkgs> {}, ...}: { pkgs ? import <nixpkgs> {}, initca ? "", ...}:
with pkgs; with pkgs;
let let
initca' = initca' =
@@ -22,11 +22,12 @@ let
buildInputs = [ pkgs.cfssl ]; buildInputs = [ pkgs.cfssl ];
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \ } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
mkdir -p $out; cp *.pem $out''; mkdir -p $out; cp *.pem $out'';
ca = if initca != "" then initca else initca';
in in
# make ca derivation sha depend on initca cfssl output # make ca derivation sha depend on initca cfssl output
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "ca"; name = "ca";
src = initca'; src = ca;
buildCommand = '' buildCommand = ''
mkdir -p $out; mkdir -p $out;
cp -r $src/* $out cp -r $src/* $out
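Review bot: The `cfssl genkey -initca … | cfssljson -bare ca` step writes `ca-key.pem` next to `ca.pem`, and `cp *.pem $out` followed by `cp -r $src/* $out` copies both into derivation outputs, so the CA private key lives in the Nix store, which is world-readable on every host that has the path and would travel with any binary-cache upload; the new `initca` override does not change this, and a key-bearing path passed as `initca` is copied into the store as well. I would at least document it next to the new binding: `# NOTE: ca-key.pem ends up in /nix/store (world-readable); keep this output off shared caches or generate the key outside the store`. The `mkDerivation` call at the end of the hunk continues past the visible lines.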


@@ -1,7 +1,11 @@
{ pkgs, lib, settings, here, ...}: { pkgs, lib, settings, here ? "", ...}:
with lib; with lib;
let let
cluster-ca = import ./initca.nix { inherit pgks; }; apiserverAddress = "https://${masterAddress}:4443";
masterAddress = settings.master.address;
initca = settings.initca;
cluster-ca = import ./initca.nix { inherit pgks initca; };
cfssl-apitoken = pkgs.stdenv.mkDerivation { cfssl-apitoken = pkgs.stdenv.mkDerivation {
name = "cfssl-apitoken"; name = "cfssl-apitoken";
@@ -12,30 +16,50 @@ let
''; '';
}; };
kube-system-bootstrap = pkgs.stdenv.mkDerivation { kube-system-bootstrap =
name = "kube-system-bootstrap"; with settings;
src = ./kube-system-bootstrap; let
buildCommand = '' worker_nodes = pkgs.writeText "worker-nodes.txt" (
mkdir -p $out builtins.foldl' (a: x:
cp -r $src/* $out a + " - ${x.address}\n"
cp ${here}/bootstrap.conf $out/${settings.clusterName}.conf ) "" settings.workers);
''; grafana_ldap = pkgs.writeText "grafana-ldap.toml" grafana_ldap_toml;
}; in
pkgs.stdenv.mkDerivation {
name = "bootstrap-kube-system";
src = ../bootstrap;
buildCommand = ''
mkdir -p $out/bin
mkdir -p $out/share/kube-system-bootstrap/config
mkdir -p $out/share/kube-system-bootstrap/charts
bootstrap-kube-system-sh = pkgs.writeScriptBin "bootstrap-kube-system.sh" '' export bash="${pkgs.bash}"
#!${pkgs.bash}/bin/bash export apiserver="${settings.master.address}"
cd ${kube-system-bootstrap} export initca="${initca}"
${pkgs.bash}/bin/bash ./kube-system-bootstrap ${cluster-ca} ${settings.clusterName} export cluster="${clusterName}"
''; export fileserver="${fileserver}"
export acme_email="${acme_email}"
export grafana_smtp_user="$(echo -n ${grafana_smtp_user} | base64 -w0)"
export grafana_smtp_password="$(echo -n ${grafana_smtp_password} | base64 -w0)"
export grafana_ldap_toml="$(cat ${grafana_ldap} | base64 -w0)"
export workers="$(cat ${worker_nodes})"
kube-scripts = pkgs.stdenv.mkDerivation { substituteAll $src/kube-system-bootstrap $out/bin/bootstrap-kube-system
name = "kube-scripts"; chmod 755 $out/bin/bootstrap-kube-system
buildCommand = ''
mkdir -p $out/bin cd $src/config
cd $out/bin for i in *; do
ln -s ${kube-system-bootstrap}/bin/* . substituteAll $i $out/share/kube-system-bootstrap/config/$i
''; done
};
cd $src/charts
for i in *; do
substituteAll $i $out/share/kube-system-bootstrap/charts/$i
done
cp $src/bin/* $out/bin
'';
};
install-apitoken = '' install-apitoken = ''
#!${pkgs.bash}/bin/bash #!${pkgs.bash}/bin/bash
@@ -52,34 +76,38 @@ let
fi fi
''; '';
cidr = "10.10.0.0/16";
in
rec {
kubeMaster = { kubeMaster = {
services.cfssl.ca = "${cluster-ca}/ca.pem"; services.cfssl.ca = "${cluster-ca}/ca.pem";
services.cfssl.caKey = "${cluster-ca}/ca-key.pem"; services.cfssl.caKey = "${cluster-ca}/ca-key.pem";
services.kubernetes = { services.kubernetes = {
roles = [ "master" ]; roles = [ "master" ];
masterAddress = settings.master; inherit apiserverAddress masterAddress;
apiserverAddress = settings.apiserverAddress; clusterCidr = settings.cidr;
clusterCidr = cidr;
pki.genCfsslCACert = false; pki.genCfsslCACert = false;
pki.genCfsslAPIToken = false; pki.genCfsslAPIToken = false;
pki.caCertPathPrefix = "${cluster-ca}/ca"; pki.caCertPathPrefix = "${cluster-ca}/ca";
kubelet = { kubelet = {
unschedulable = false;
clusterDomain = "${settings.clusterName}.local"; clusterDomain = "${settings.clusterName}.local";
}; };
apiserver = { apiserver = {
advertiseAddress = settings.masterAddress; advertiseAddress = masterAddress;
authorizationMode = [ "Node" "RBAC" ]; authorizationMode = [ "Node" "RBAC" ];
allowPrivileged = true;
securePort = 4443; securePort = 4443;
insecurePort = 8080; insecurePort = 8080;
extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem"; extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
}; };
controllerManager = {
bindAddress = masterAddress;
extraOpts = "--authorization-always-allow-paths=/healthz,/metrics";
};
scheduler.address = masterAddress;
addonManager.enable = true;
addons = { addons = {
dns = { dns = {
enable = true; enable = true;
@@ -89,16 +117,19 @@ rec {
}; };
}; };
services.etcd = {
listenClientUrls = [ "https://${masterAddress}:2379" ];
};
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 53 5000 8080 4443 ]; #;4053 ]; allowedTCPPorts = [ 53 5000 8080 4443 4001 2379 2380 10250 10251 10252 ];
allowedUDPPorts = [ 53 4053 ]; allowedUDPPorts = [ 53 4053 ];
}; };
environment.systemPackages = [ environment.systemPackages = [
pkgs.kubernetes-helm pkgs.kubernetes-helm
pkgs.kubectl pkgs.kubectl
kube-scripts kube-system-bootstrap
bootstrap-kube-system-sh
]; ];
systemd.services.kube-certmgr-apitoken-bootstrap = { systemd.services.kube-certmgr-apitoken-bootstrap = {
@@ -116,9 +147,8 @@ rec {
kubeWorker = { kubeWorker = {
services.kubernetes = rec { services.kubernetes = rec {
roles = [ "node" ]; roles = [ "node" ];
clusterCidr = cidr; inherit apiserverAddress masterAddress;
masterAddress = settings.master; clusterCidr = settings.cidr;
apiserverAddress = settings.apiserverAddress;
kubelet.clusterDomain = "${settings.clusterName}.local"; kubelet.clusterDomain = "${settings.clusterName}.local";
}; };
@@ -148,6 +178,11 @@ rec {
users.extraUsers.admin.openssh.authorizedKeys.keys = users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys; settings.adminAuthorizedKeys;
boot.kernel.sysctl = {
"kernel.mm.transparent_hugepage.enabled" = "never";
"net.core.somaxconn" = "512";
};
imports = [ imports = [
./nixos/configuration.nix ./nixos/configuration.nix
(here + "/${name}.nix") (here + "/${name}.nix")
@@ -166,10 +201,6 @@ rec {
networking = { networking = {
hostName = name; hostName = name;
extraHosts = settings.clusterHosts; extraHosts = settings.clusterHosts;
# nameservers = [ masterAddress ];
# dhcpcd.extraConfig = ''
# static domain_name_servers=${masterAddress}
# '';
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ]; firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
firewall.allowedTCPPorts = [ 80 443 111 ]; firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ]; firewall.allowedUDPPorts = [ 111 24007 24008 ];
@@ -179,29 +210,33 @@ rec {
]; ];
}; };
apiserver = ip: name: self: mkApiServer = host: self:
{ {
deployment.targetHost = ip; deployment.targetHost = host.address;
require = [ require = [
(baseNixos name) (baseNixos host.name)
kubeMaster kubeMaster
]; ];
}; };
worker = ip: name: self: mkWorker = host: self:
{ {
deployment.targetHost = ip; deployment.targetHost = host.address;
require = [ require = [
(baseNixos name) (baseNixos host.name)
kubeWorker kubeWorker
]; ];
}; };
host = ip: name: self: mkHost = host: self:
{ {
deployment.targetHost = ip; deployment.targetHost = host.address;
require = [ require = [
(baseNixos name) (baseNixos host.name)
]; ];
}; };
}
master = { "${settings.master.name}" = mkApiServer settings.master; };
in
builtins.foldl'
(a: x: a // { "${x.name}" = mkWorker x; }) master settings.workers
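Review bot: `grafana_smtp_user` and `grafana_smtp_password` are interpolated into `buildCommand` (`export grafana_smtp_password="$(echo -n ${grafana_smtp_password} | base64 -w0)"`), so the plaintext values are baked into the derivation and into `$out/bin/bootstrap-kube-system`, both world-readable in the Nix store, and `base64 -w0` only encodes them. Reading them at run time from a file outside the store instead, e.g. `export grafana_smtp_password="$(base64 -w0 < "$SECRETS_DIR/grafana-smtp-password")"` with `SECRETS_DIR` supplied by the caller (constructed example), keeps them out of the store; the same applies to `export initca="${initca}"` if that path carries the CA key. Separately, `cluster-ca = import ./initca.nix { inherit pgks initca; };` still reads `pgks`, which looks like a typo for `pkgs` unless `pgks` is bound in a part of the file not shown, and the new `allowedTCPPorts = [ 53 5000 8080 4443 4001 2379 2380 10250 10251 10252 ]` opens etcd's client and peer ports plus the kubelet, controller-manager and scheduler ports to all sources while `insecurePort = 8080` stays listed — worth confirming that etcd enforces client-certificate authentication or limiting those ports to cluster addresses. The `let` block starts before the first hunk of this file.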