Migration to new setup

lib/pki.nix

@@ -1,4 +1,5 @@
-{ pkgs ? import <nixpkgs> {} }: rec {
+{ pkgs ? import <nixpkgs> {} }:
+let
   ca-config = pkgs.writeText "ca-config.json" ''
   {
       "signing": {
@@ -38,20 +39,28 @@
 
   initca' =
     let
-      ca_csr = gencsr {
-        name = "kubernetes";
-        cn = "kubernetes";
-        o = "kubernetes";
-        hosts = "";
-      };
+      ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON {
+          key = {
+              algo = "rsa";
+              size = 2048;
+          };
+          names = [
+            {
+              CN = "kubernetes-cluster-ca";
+              O = "NixOS";
+              OU = "services.kubernetes.pki.caSpec";
+              L = "generated";
+            }
+          ];
+        });
     in
       pkgs.runCommand "initca" {
         buildInputs = [ pkgs.cfssl ];
       } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
            mkdir -p $out; cp *.pem $out'';
 
-   # make ca derivation sha depend on initca cfssl output
-   initca = pkgs.stdenv.mkDerivation {
+  # make ca derivation sha depend on initca cfssl output
+  initca = pkgs.stdenv.mkDerivation {
     name = "ca";
     src = initca';
     buildCommand = ''
@@ -72,45 +81,16 @@
     mkdir -p $out; cp *.pem $out
   '';
 
-  toSet = cert:
-    {
-      key = "${cert}/cert-key.pem";
-      cert = "${cert}/cert.pem";
-    };
-
   gencert = conf:
+    let crt =
       pkgs.runCommand "${conf.name}" {
         buildInputs = [ pkgs.cfssl ];
       } (cfssl conf);
-
-  admin = gencert rec {
-      name = "admin";
-      csr = gencsr {
-        inherit name;
-        cn = "admin";
-        o = "system:masters";
-        hosts = "";
-      };
-  };
-
-  apiserver = hosts:
-    gencert rec {
-      name = "kubernetes";
-      csr = gencsr {
-        inherit name hosts;
-        cn = "kubernetes";
-        o = "kubernetes";
-      };
-  };
-
-  etcd = hosts: gencert rec {
-    name = "etcd";
-    csr = gencsr {
-      inherit name hosts;
-      cn = "etcd";
-      o = "kubernetes";
+    in
+    {
+      key = "${crt}/cert-key.pem";
+      cert = "${crt}/cert.pem";
     };
-  };
 
   trust = name: hosts:
     let
@@ -125,24 +105,68 @@
       };
     };
 
-  kube-proxy = gencert rec {
-    name = "kube-proxy";
-    csr = gencsr {
-      inherit name;
-      cn = "system:kube-proxy";
-      o = "system:node-proxier";
-      hosts = "";
-    };
-  };
+  # certToSet = cert:
+  #   {
+  #     key = "${cert}/cert-key.pem";
+  #     cert = "${cert}/cert.pem";
+  #   };
 
-  worker = instance:
-    gencert rec {
-      name = instance.name;
+  # builtins.foldl'
+  #   (a: x: a // { ${x} = (certificates.${x}); })
+  #   { inherit ca; }
+  #   (builtins.attrNames certificates)
+in
+{
+    inherit ca;
+
+    admin = gencert rec {
+        name = "admin";
+        csr = gencsr {
+          inherit name;
+          cn = "admin";
+          o = "system:masters";
+          hosts = "";
+        };
+    };
+
+    apiserver = hosts:
+      gencert rec {
+        name = "kubernetes";
+        csr = gencsr {
+          inherit name hosts;
+          cn = "kubernetes";
+          o = "kubernetes";
+        };
+    };
+
+    etcd = hosts: gencert rec {
+      name = "etcd";
+      csr = gencsr {
+        inherit name hosts;
+        cn = "etcd";
+        o = "kubernetes";
+      };
+    };
+
+    kube-proxy = gencert rec {
+      name = "kube-proxy";
       csr = gencsr {
         inherit name;
-        cn = "system:node:${instance.name}";
-        o = "system:nodes";
-        hosts = ''"${instance.name}","${instance.ip}"'';
+        cn = "system:kube-proxy";
+        o = "system:node-proxier";
+        hosts = "";
       };
-  };
+    };
+
+    worker = instance:
+      gencert rec {
+        name = instance.name;
+        csr = gencsr {
+          inherit name;
+          cn = "system:node:${instance.name}";
+          o = "system:nodes";
+          hosts = ''"${instance.name}","${instance.ip}"'';
+        };
+    };
 }
+