From dda2886606dfbf64a642d486b14bd040e516aa5d Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Wed, 16 Oct 2019 20:58:45 +0200
Subject: [PATCH] Automatically bootstrap kube-system as one-time service
---
 kube-system-bootstrap | 2 +-
 lib/k8s.nix | 44 +++++++++++++++++++++++++++----------------
 2 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/kube-system-bootstrap b/kube-system-bootstrap
index a0572ff..c334818 160000
--- a/kube-system-bootstrap
+++ b/kube-system-bootstrap
@@ -1 +1 @@
-Subproject commit a0572ff7a77a1e8057b4dc6230bd1e69c00cc307
+Subproject commit c334818834160078dfde905212e4c1cc4cf9c314
diff --git a/lib/k8s.nix b/lib/k8s.nix
index b6746f1..ebcd9b5 100644
--- a/lib/k8s.nix
+++ b/lib/k8s.nix
@@ -19,19 +19,6 @@ let
 '';
 };
- #nixos-kubernetes-join-nodes = workers:
- # let
- # wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
- # in
- # pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
- # #!/bin/sh
- # set -e
- # token=$(cat /var/lib/cfssl/apitoken.secret)
- # for i in ${wrk}; do
- # ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
- # done
- # '';
-
 kube-system-bootstrap = pkgs.stdenv.mkDerivation {
 name = "kube-system-bootstrap";
 src = ../kube-system-bootstrap;
@@ -40,8 +27,7 @@ let
 mkdir -p $out/share/kube-system-bootstrap
 cp -r $src/* $out/share/kube-system-bootstrap/
 cd $out/bin
- ln -s ../share/kube-system-bootstrap/bin/* .
- ln -s ../share/kube-system-bootstrap/kube-system-bootstrap .
+ ln -s $out/share/kube-system-bootstrap/bin/* .
 '';
 };
@@ -75,6 +61,7 @@ rec {
 pki.genCfsslCACert = false;
 pki.genCfsslAPIToken = false;
 pki.caCertPathPrefix = "${cluster-ca}/ca";
+
 apiserver = {
 advertiseAddress = settings.masterAddress;
 authorizationMode = [ "Node" "RBAC" ];
@@ -82,6 +69,7 @@ rec {
 insecurePort = 8080;
 extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
 };
+
 addons = {
 dns = {
 enable = true;
@@ -90,15 +78,18 @@ rec {
 };
 };
 };
+
 networking.firewall = {
 allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ];
 allowedUDPPorts = [ 53 4053 ];
 };
+
 environment.systemPackages = [
 pkgs.kubernetes-helm
- # (nixos-kubernetes-join-nodes settings.workers)
+ pkgs.kubectl
 kube-system-bootstrap
 ];
+
 systemd.services.kube-certmgr-apitoken-bootstrap = {
 description = "Kubernetes certmgr bootstrapper";
 wantedBy = [ "cfssl.service" ];
@@ -109,6 +100,27 @@ rec {
 Restart = "on-failure";
 };
 };
+
+ systemd.services.kube-system-bootstrap = {
+ description = "Kubernetes certmgr bootstrapper";
+ after = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = false;
+ # PATH=$PATH:${pkgs.bash}/bin:${pkgs.kubectl}/bin:${pkgs.kubernetes-helm}/bin:${pkgs.coreutils}/bin
+ Environment = ''
+ PATH=$PATH:/run/current-system/sw/bin
+ '';
+ ExecStart = pkgs.writeScript "kube-system-bootstrap" ''
+ #!${pkgs.bash}/bin/bash
+ set -e
+ if [ ! -f /var/lib/kubernetes/.kube-system-bootstrap.done ]; then
+ ${pkgs.bash}/bin/bash ${kube-system-bootstrap}/share/kube-system-bootstrap/kube-system-bootstrap ${cluster-ca}
+ touch /var/lib/kubernetes/.kube-system-bootstrap.done
+ fi
+ '';
+ };
+ };
 };
 kubeWorker = {
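Review bot: The new `systemd.services.kube-system-bootstrap` unit declares no `wantedBy`, so nothing pulls it into the boot transaction and it will not run automatically despite the commit title; `after = [ "multi-user.target" ]` only orders it, and the sibling `kube-certmgr-apitoken-bootstrap` unit in the previous hunk shows the intended pattern with an explicit `wantedBy`. Wanting it from `multi-user.target` while also ordering it after that target would create a dependency cycle, so the ordering should instead name the API-server unit the bootstrap script presumably talks to (the NixOS kubernetes module's `kube-apiserver.service`, to be confirmed), which also avoids the `set -e` oneshot failing for good on a boot where the API server is not yet listening. systemd's `Environment=` performs no variable expansion, so `PATH=$PATH:/run/current-system/sw/bin` makes PATH the literal string `$PATH:/run/current-system/sw/bin`; the NixOS `path` option does what the commented-out PATH line above it was reaching for, and the `Environment` attribute (with its stray trailing newline from the `''` string) can then be dropped. The `description` is copy-pasted from the certmgr unit and should read `Kubernetes kube-system bootstrapper`, and `touch /var/lib/kubernetes/.kube-system-bootstrap.done` fails if that directory does not exist yet, so the script should `mkdir -p /var/lib/kubernetes` first or the unit should declare `StateDirectory = "kubernetes"`.
```nix
systemd.services.kube-system-bootstrap = {
  description = "Kubernetes kube-system bootstrapper";
  wantedBy = [ "multi-user.target" ];
  after = [ "kube-apiserver.service" ];
  path = [ pkgs.bash pkgs.coreutils pkgs.kubectl pkgs.kubernetes-helm ];
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = false;
    # … unchanged: ExecStart = pkgs.writeScript "kube-system-bootstrap" … (Environment = '' … '' removed) …
  };
};
```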