Migration to new setup

2019-10-15 15:33:43 +02:00
parent 7b59038e50
commit e4765df729
19 changed files with 346 additions and 3212 deletions
--- a/lib/certs.nix.old
+++ b/lib/certs.nix.old
@@ -0,0 +1,152 @@
+let
+  pkgs = import <nixpkgs> {};
+
+  runWithOpenSSL = file: cmd: pkgs.runCommand file {
+    buildInputs = [ pkgs.openssl_1_1_0 ];
+  } ("export RANDFILE=/tmp/rnd;" + cmd);
+
+  etcd_cnf = pkgs.writeText "etcd-openssl.cnf" ''
+    [req]
+    req_extensions = v3_req
+    distinguished_name = req_distinguished_name
+    [req_distinguished_name]
+    [ v3_req ]
+    basicConstraints = CA:FALSE
+    keyUsage = digitalSignature, keyEncipherment
+    extendedKeyUsage = serverAuth
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = etcd0
+    DNS.2 = etcd1
+    DNS.3 = etcd2
+    DNS.4 = k8s0-0
+    DNS.5 = k8s0-1
+    DNS.6 = k8s0-2
+    IP.1 = 127.0.0.1
+  '';
+
+  etcd_client_cnf = pkgs.writeText "etcd-client-openssl.cnf" ''
+    [req]
+    req_extensions = v3_req
+    distinguished_name = req_distinguished_name
+    [req_distinguished_name]
+    [ v3_req ]
+    basicConstraints = CA:FALSE
+    keyUsage = digitalSignature, keyEncipherment
+    extendedKeyUsage = clientAuth
+  '';
+
+  apiserver_cnf = pkgs.writeText "apiserver-openssl.cnf" ''
+    [req]
+    req_extensions = v3_req
+    distinguished_name = req_distinguished_name
+    [req_distinguished_name]
+    [ v3_req ]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = kubernetes
+    DNS.2 = kubernetes.default
+    DNS.3 = kubernetes.default.svc
+    DNS.4 = kubernetes.default.svc.cluster.local
+    DNS.4 = k8s0-0.itpartner.no
+    IP.1 = 10.0.0.1
+    IP.2 = 10.253.18.100
+  '';
+
+  worker_cnf = pkgs.writeText "worker-openssl.cnf" ''
+    [req]
+    req_extensions = v3_req
+    distinguished_name = req_distinguished_name
+    [req_distinguished_name]
+    [ v3_req ]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = *.itpartner.no
+    DNS.2 = *.itpartner.intern
+    DNS.3 = k8s0-0
+    DNS.4 = k8s0-1
+    DNS.5 = k8s0-2
+    DNS.6 = git01
+  '';
+
+  ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
+  ca_pem = runWithOpenSSL "ca.pem" ''
+    openssl req \
+      -x509 -new -nodes -key ${ca_key} \
+      -days 10000 -out $out -subj "/CN=kube-ca"
+  '';
+
+  etcd_key = runWithOpenSSL "etcd-key.pem" "openssl genrsa -out $out 2048";
+  etcd_csr = runWithOpenSSL "etcd.csr" ''
+    openssl req \
+      -new -key ${etcd_key} \
+      -out $out -subj "/CN=etcd" \
+      -config ${etcd_cnf}
+  '';
+  etcd_cert = runWithOpenSSL "etcd.pem" ''
+    openssl x509 \
+      -req -in ${etcd_csr} \
+      -CA ${ca_pem} -CAkey ${ca_key} \
+      -CAcreateserial -out $out \
+      -days 365 -extensions v3_req \
+      -extfile ${etcd_cnf}
+  '';
+
+  etcd_client_key = runWithOpenSSL "etcd-client-key.pem"
+    "openssl genrsa -out $out 2048";
+  etcd_client_csr = runWithOpenSSL "etcd-client.csr" ''
+    openssl req \
+      -new -key ${etcd_client_key} \
+      -out $out -subj "/CN=etcd-client" \
+      -config ${etcd_client_cnf}
+  '';
+  etcd_client_cert = runWithOpenSSL "etcd-client.pem" ''
+    openssl x509 \
+      -req -in ${etcd_client_csr} \
+      -CA ${ca_pem} -CAkey ${ca_key} -CAcreateserial \
+      -out $out -days 365 -extensions v3_req \
+      -extfile ${etcd_client_cnf}
+  '';
+
+  apiserver_key = runWithOpenSSL "apiserver-key.pem"
+    "openssl genrsa -out $out 2048";
+  apiserver_csr = runWithOpenSSL "apiserver.csr" ''
+    openssl req \
+      -new -key ${apiserver_key} \
+      -out $out -subj "/CN=kube-apiserver" \
+      -config ${apiserver_cnf}
+  '';
+  apiserver_cert = runWithOpenSSL "apiserver.pem" ''
+    openssl x509 \
+      -req -in ${apiserver_csr} \
+      -CA ${ca_pem} -CAkey ${ca_key} -CAcreateserial \
+      -out $out -days 365 -extensions v3_req \
+      -extfile ${apiserver_cnf}
+  '';
+
+  worker_key = runWithOpenSSL "worker-key.pem" "openssl genrsa -out $out 2048";
+  worker_csr = runWithOpenSSL "worker.csr" ''
+    openssl req \
+      -new -key ${worker_key} \
+      -out $out -subj "/CN=kube-worker" \
+      -config ${worker_cnf}
+  '';
+  worker_cert = runWithOpenSSL "worker.pem" ''
+    openssl x509 \
+      -req -in ${worker_csr} \
+      -CA ${ca_pem} -CAkey ${ca_key} -CAcreateserial \
+      -out $out -days 365 -extensions v3_req \
+      -extfile ${worker_cnf}
+  '';
+in
+{
+  inherit ca_key ca_pem;
+  inherit etcd_key etcd_cert;
+  inherit etcd_client_key etcd_client_cert;
+  inherit apiserver_key apiserver_cert;
+  inherit worker_key worker_cert;
+}