Automatically bootstrap kube-system as one-time service

This commit is contained in:
Jonas Juselius
2019-10-16 20:58:45 +02:00
parent 2dae12bad2
commit dda2886606
2 changed files with 29 additions and 17 deletions


@@ -19,19 +19,6 @@ let
''; '';
}; };
#nixos-kubernetes-join-nodes = workers:
# let
# wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
# in
# pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
# #!/bin/sh
# set -e
# token=$(cat /var/lib/cfssl/apitoken.secret)
# for i in ${wrk}; do
# ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
# done
# '';
kube-system-bootstrap = pkgs.stdenv.mkDerivation { kube-system-bootstrap = pkgs.stdenv.mkDerivation {
name = "kube-system-bootstrap"; name = "kube-system-bootstrap";
src = ../kube-system-bootstrap; src = ../kube-system-bootstrap;
@@ -40,8 +27,7 @@ let
mkdir -p $out/share/kube-system-bootstrap mkdir -p $out/share/kube-system-bootstrap
cp -r $src/* $out/share/kube-system-bootstrap/ cp -r $src/* $out/share/kube-system-bootstrap/
cd $out/bin cd $out/bin
ln -s ../share/kube-system-bootstrap/bin/* . ln -s $out/share/kube-system-bootstrap/bin/* .
ln -s ../share/kube-system-bootstrap/kube-system-bootstrap .
''; '';
}; };
@@ -75,6 +61,7 @@ rec {
pki.genCfsslCACert = false; pki.genCfsslCACert = false;
pki.genCfsslAPIToken = false; pki.genCfsslAPIToken = false;
pki.caCertPathPrefix = "${cluster-ca}/ca"; pki.caCertPathPrefix = "${cluster-ca}/ca";
apiserver = { apiserver = {
advertiseAddress = settings.masterAddress; advertiseAddress = settings.masterAddress;
authorizationMode = [ "Node" "RBAC" ]; authorizationMode = [ "Node" "RBAC" ];
@@ -82,6 +69,7 @@ rec {
insecurePort = 8080; insecurePort = 8080;
extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem"; extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
}; };
addons = { addons = {
dns = { dns = {
enable = true; enable = true;
@@ -90,15 +78,18 @@ rec {
}; };
}; };
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ]; allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ];
allowedUDPPorts = [ 53 4053 ]; allowedUDPPorts = [ 53 4053 ];
}; };
environment.systemPackages = [ environment.systemPackages = [
pkgs.kubernetes-helm pkgs.kubernetes-helm
# (nixos-kubernetes-join-nodes settings.workers) pkgs.kubectl
kube-system-bootstrap kube-system-bootstrap
]; ];
systemd.services.kube-certmgr-apitoken-bootstrap = { systemd.services.kube-certmgr-apitoken-bootstrap = {
description = "Kubernetes certmgr bootstrapper"; description = "Kubernetes certmgr bootstrapper";
wantedBy = [ "cfssl.service" ]; wantedBy = [ "cfssl.service" ];
@@ -109,6 +100,27 @@ rec {
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };
systemd.services.kube-system-bootstrap = {
description = "Kubernetes certmgr bootstrapper";
after = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = false;
# PATH=$PATH:${pkgs.bash}/bin:${pkgs.kubectl}/bin:${pkgs.kubernetes-helm}/bin:${pkgs.coreutils}/bin
Environment = ''
PATH=$PATH:/run/current-system/sw/bin
'';
ExecStart = pkgs.writeScript "kube-system-bootstrap" ''
#!${pkgs.bash}/bin/bash
set -e
if [ ! -f /var/lib/kubernetes/.kube-system-bootstrap.done ]; then
${pkgs.bash}/bin/bash ${kube-system-bootstrap}/share/kube-system-bootstrap/kube-system-bootstrap ${cluster-ca}
touch /var/lib/kubernetes/.kube-system-bootstrap.done
fi
'';
};
};
}; };
kubeWorker = { kubeWorker = {