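# Kubernetes PKI built with cfssl: one self-signed cluster CA plus leaf
# certificates for the API server, etcd, admin, kube-proxy and worker nodes.
#
# NOTE(review): every derivation below copies *.pem into $out, which includes
# the CA private key (ca-key.pem) and each leaf private key (cert-key.pem).
# The Nix store is world-readable on the build host and may be uploaded to a
# binary cache, so any key produced here must be considered exposed as soon as
# it is built.  Key generation is also non-deterministic, so these outputs are
# not reproducible and will be regenerated whenever an input changes.
{ pkgs ? import <nixpkgs> {} }:

rec {
  # cfssl signing policy: a single "kubernetes" profile, valid for one year
  # (8760h), usable for both TLS server and TLS client authentication.
  ca-config = pkgs.writeText "ca-config.json" ''
    {
      "signing": {
        "default": { "expiry": "8760h" },
        "profiles": {
          "kubernetes": {
            "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
            "expiry": "8760h"
          }
        }
      }
    }
  '';

  # Write a cfssl CSR JSON file for one subject.
  #   args.name  - basename of the generated file
  #   args.cn    - certificate CommonName
  #   args.o     - Organization (Kubernetes maps this to the group name)
  #   args.hosts - spliced verbatim into the "hosts" array; callers pass ""
  #                (no SANs) or a comma-separated list of already
  #                double-quoted names/IPs.
  # No escaping is applied to any field: a value containing '"' or '\' would
  # corrupt the JSON, so only pass values you control.
  gencsr = args: pkgs.writeText "${args.name}-csr.json" ''
    {
      "CN": "${args.cn}",
      "hosts": [ ${args.hosts} ],
      "key": { "algo": "rsa", "size": 2048 },
      "names": [ { "O": "${args.o}" } ]
    }
  '';

  # Self-signed cluster CA.  Produces ca.pem and ca-key.pem in $out.
  initca =
    let
      ca_csr = gencsr { name = "kubernetes"; cn = "kubernetes"; o = "kubernetes"; hosts = ""; };
    in
    pkgs.runCommand "ca" { buildInputs = [ pkgs.cfssl ]; } ''
      cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
      mkdir -p $out; cp *.pem $out'';

  # Store paths of the CA key and certificate.
  ca = {
    key = "${initca}/ca-key.pem";
    cert = "${initca}/ca.pem";
  };

  # Shell snippet that signs conf.csr with the cluster CA under the
  # "kubernetes" profile and leaves cert.pem / cert-key.pem in $out.
  cfssl = conf: ''
    cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
      -config=${ca-config} -profile=kubernetes ${conf.csr} | \
      cfssljson -bare cert; \
    mkdir -p $out; cp *.pem $out
  '';

  # Build the signing derivation for conf (needs conf.name and conf.csr) and
  # return the store paths of the resulting key and certificate.
  gencert = conf:
    let
      drv = pkgs.runCommand "${conf.name}" { buildInputs = [ pkgs.cfssl ]; } (cfssl conf);
    in
    {
      key = "${drv}/cert-key.pem";
      cert = "${drv}/cert.pem";
    };

  # Cluster-admin client certificate (O=system:masters grants full RBAC).
  admin = gencert rec {
    name = "admin";
    csr = gencsr { inherit name; cn = "admin"; o = "system:masters"; hosts = ""; };
  };

  # API server serving certificate; `hosts` is the SAN list (see gencsr).
  apiserver = hosts: gencert rec {
    name = "kubernetes";
    csr = gencsr { inherit name hosts; cn = "kubernetes"; o = "kubernetes"; };
  };

  # etcd certificate; `hosts` is the SAN list (see gencsr).
  etcd = hosts: gencert rec {
    name = "etcd";
    csr = gencsr { inherit name hosts; cn = "etcd"; o = "kubernetes"; };
  };

  # Generic certificate with CN and O both set to `name`.
  trust = name: hosts: gencert rec {
    inherit name;
    csr = gencsr { inherit name hosts; cn = name; o = name; };
  };

  # kube-proxy client certificate (group system:node-proxier).
  kube-proxy = gencert rec {
    name = "kube-proxy";
    csr = gencsr { inherit name; cn = "system:kube-proxy"; o = "system:node-proxier"; hosts = ""; };
  };

  # Kubelet certificate for one node.  CN=system:node:<name> and
  # O=system:nodes is the identity the Node authorizer expects; the SANs
  # are the node's name and IP (instance.name, instance.ip).
  worker = instance: gencert rec {
    name = instance.name;
    csr = gencsr {
      inherit name;
      cn = "system:node:${instance.name}";
      o = "system:nodes";
      hosts = ''"${instance.name}","${instance.ip}"'';
    };
  };
}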