Automatically bootstrap kube-system as one-time service
44
lib/k8s.nix
44
lib/k8s.nix
@@ -19,19 +19,6 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
#nixos-kubernetes-join-nodes = workers:
|
||||
# let
|
||||
# wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
|
||||
# in
|
||||
# pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
|
||||
# #!/bin/sh
|
||||
# set -e
|
||||
# token=$(cat /var/lib/cfssl/apitoken.secret)
|
||||
# for i in ${wrk}; do
|
||||
# ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
|
||||
# done
|
||||
# '';
|
||||
|
||||
kube-system-bootstrap = pkgs.stdenv.mkDerivation {
|
||||
name = "kube-system-bootstrap";
|
||||
src = ../kube-system-bootstrap;
|
||||
@@ -40,8 +27,7 @@ let
|
||||
mkdir -p $out/share/kube-system-bootstrap
|
||||
cp -r $src/* $out/share/kube-system-bootstrap/
|
||||
cd $out/bin
|
||||
ln -s ../share/kube-system-bootstrap/bin/* .
|
||||
ln -s ../share/kube-system-bootstrap/kube-system-bootstrap .
|
||||
ln -s $out/share/kube-system-bootstrap/bin/* .
|
||||
'';
|
||||
};
|
||||
|
||||
@@ -75,6 +61,7 @@ rec {
|
||||
pki.genCfsslCACert = false;
|
||||
pki.genCfsslAPIToken = false;
|
||||
pki.caCertPathPrefix = "${cluster-ca}/ca";
|
||||
|
||||
apiserver = {
|
||||
advertiseAddress = settings.masterAddress;
|
||||
authorizationMode = [ "Node" "RBAC" ];
|
||||
@@ -82,6 +69,7 @@ rec {
|
||||
insecurePort = 8080;
|
||||
extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
|
||||
};
|
||||
|
||||
addons = {
|
||||
dns = {
|
||||
enable = true;
|
||||
@@ -90,15 +78,18 @@ rec {
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ];
|
||||
allowedUDPPorts = [ 53 4053 ];
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.kubernetes-helm
|
||||
# (nixos-kubernetes-join-nodes settings.workers)
|
||||
pkgs.kubectl
|
||||
kube-system-bootstrap
|
||||
];
|
||||
|
||||
systemd.services.kube-certmgr-apitoken-bootstrap = {
|
||||
description = "Kubernetes certmgr bootstrapper";
|
||||
wantedBy = [ "cfssl.service" ];
|
||||
@@ -109,6 +100,27 @@ rec {
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kube-system-bootstrap = {
|
||||
description = "Kubernetes certmgr bootstrapper";
|
||||
after = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = false;
|
||||
# PATH=$PATH:${pkgs.bash}/bin:${pkgs.kubectl}/bin:${pkgs.kubernetes-helm}/bin:${pkgs.coreutils}/bin
|
||||
Environment = ''
|
||||
PATH=$PATH:/run/current-system/sw/bin
|
||||
'';
|
||||
ExecStart = pkgs.writeScript "kube-system-bootstrap" ''
|
||||
#!${pkgs.bash}/bin/bash
|
||||
set -e
|
||||
if [ ! -f /var/lib/kubernetes/.kube-system-bootstrap.done ]; then
|
||||
${pkgs.bash}/bin/bash ${kube-system-bootstrap}/share/kube-system-bootstrap/kube-system-bootstrap ${cluster-ca}
|
||||
touch /var/lib/kubernetes/.kube-system-bootstrap.done
|
||||
fi
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
kubeWorker = {
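Review bot: The new `systemd.services.kube-system-bootstrap` unit declares `after = [ "multi-user.target" ]` but no `wantedBy`, so nothing pulls it in at boot and the "automatic" one-time bootstrap only runs if someone starts it by hand; it also carries the description `"Kubernetes certmgr bootstrapper"` copy-pasted from the certmgr unit above it. systemd does not expand `$PATH` inside `Environment=`, so that component is a literal no-op and the root-run script only finds kubectl/helm because `/run/current-system/sw/bin` is appended, i.e. it depends on whatever the mutable system profile happens to contain. Pinning the tools via the NixOS `path` option and ordering after the apiserver is more robust, e.g. `description = "Kubernetes kube-system one-time bootstrap"; wantedBy = [ "multi-user.target" ]; after = [ "kube-apiserver.service" ];` plus `path = with pkgs; [ bash coreutils kubectl kubernetes-helm ];` (keeping `after = multi-user.target` together with `wantedBy = multi-user.target` would be an ordering cycle). Visible in the same section, though possibly pre-existing: the apiserver's `insecurePort = 8080` is also listed in `allowedTCPPorts`, and the insecure port bypasses `authorizationMode = [ "Node" "RBAC" ]` entirely for anyone who can reach it, so confirm that exposure is intended.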
|
||||
|
||||