{ pkgs ? import <nixpkgs> {} }:
# Builds a small cfssl-based PKI for a Kubernetes cluster as Nix derivations:
# a self-signed CA plus the client/server certificates issued from it.
#
# NOTE(review): every derivation below writes its private key (ca-key.pem,
# cert-key.pem) into $out, i.e. into the Nix store, which is readable by every
# local user and may be pushed to any configured binary cache.  Treat these
# outputs as bootstrap/test material rather than production secrets.
let
# cfssl signing policy consumed by `cfssl` / `gencert` below.  A single
# "kubernetes" profile is applied to every issued certificate, so each one
# carries both "server auth" and "client auth" usages; "8760h" is one year.
ca-config = pkgs.writeText "ca-config.json" ''
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
'';
# Key and subject parameters shared by every CSR produced in this file (the
# CA's own request and each leaf request built by `gencsr`).
# `org` becomes the subject O; for Kubernetes client certificates that is the
# group the certificate holder is placed in.
csr = org: {
  key = {
    algo = "rsa";
    size = 2048;
  };
  names = [
    {
      # NOTE(review): cfssl takes the subject CN from the top-level "CN"
      # field of the request (set by `gencsr`); whether this nested CN is
      # honoured at all is not established here -- confirm against cfssl's
      # CSR schema before relying on it.
      CN = "kubernetes-cluster-ca";
      O = "${org}";
      OU = "services.kubernetes.pki.caSpec";
      L = "generated";
    }
  ];
};
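gencsr = args:
  # Writes the cfssl request JSON for one certificate.
  #
  # args.name  -- basename of the generated file
  # args.cn    -- subject CN (the Kubernetes user name for client certs)
  # args.o     -- subject O (the Kubernetes group for client certs)
  # args.hosts -- SANs: either a list of names/IPs, or the form every caller
  #               in this file uses: one string of comma-separated,
  #               double-quoted entries such as '"kubernetes","10.0.0.1"'
  #               (an empty string means no SANs).
  #
  # Two fixes over the previous version:
  #  * `builtins.toJSON { ... } // csr args.o` applied `//` to the JSON
  #    string, because application binds tighter than `//`; the merge now
  #    happens before serialisation.
  #  * `hosts = [ "${args.hosts}" ]` turned the whole quoted string into ONE
  #    SAN entry (toJSON escapes the embedded quotes) and "" into `[ "" ]`.
  #    The string is now parsed into a proper list of SANs.
  let
    # Strip surrounding whitespace and optional double quotes from one entry.
    unquote = h:
      let m = builtins.match "[[:space:]]*\"?([^\"]*)\"?[[:space:]]*" h;
      in if m == null then h else builtins.head m;
    # '"a", "b"' -> [ "a" "b" ]; "" -> [ ].
    parseHosts = s:
      builtins.filter (h: h != "")
        (map unquote
          (builtins.filter builtins.isString (builtins.split "," s)));
    hosts =
      if builtins.isList args.hosts then args.hosts
      else parseHosts args.hosts;
  in
  pkgs.writeText "${args.name}-csr.json" (builtins.toJSON ({
    CN = "${args.cn}";
    inherit hosts;
  } // csr args.o));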
# Self-signed CA.  `cfssl genkey -initca` mints a fresh RSA key and
# self-signed certificate from the CA request below; `cfssljson -bare ca`
# writes ca.pem / ca-key.pem, which are copied into $out.
#
# Key generation is not reproducible, so a new CA is minted whenever any input
# of this derivation (the request JSON, the cfssl package, this script)
# changes -- and because `cfssl` below interpolates the CA paths, every issued
# certificate is rebuilt with it.
# NOTE(review): ca-key.pem ends up in the world-readable Nix store.
initca' =
let
# Request for the CA itself: O=NixOS, remaining subject fields from `csr`.
ca_csr = pkgs.writeText "kube-pki-cacert-csr.json" (
builtins.toJSON (csr "NixOS")
);
in
pkgs.runCommand "initca" {
buildInputs = [ pkgs.cfssl ];
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
mkdir -p $out; cp *.pem $out'';
# Wrapper derivation that copies the CA material out of `initca'` under the
# stable name "ca".  The original intent was to make this derivation's hash
# depend on the cfssl output.  NOTE(review): Nix output paths are
# input-addressed, so this path depends on initca' (its store path and build
# inputs), not on the generated key bytes -- the wrapper adds no re-keying
# guarantee beyond what initca' itself provides.
# `src` is a directory, so stdenv's usual unpack/build phases are replaced by
# the explicit buildCommand.
initca = pkgs.stdenv.mkDerivation {
name = "ca";
src = initca';
buildCommand = ''
mkdir -p $out;
cp -r $src/* $out
'';
};
# Store paths of the CA certificate and private key produced by `initca`.
# Both are interpolated by `cfssl` below, which is what makes every issued
# certificate derivation depend on the CA derivation.
ca = {
  cert = initca + "/ca.pem";
  key = initca + "/ca-key.pem";
};
# Build script shared by `gencert`: signs `conf.csr` with the CA under the
# "kubernetes" profile of ca-config and writes cert.pem / cert-key.pem to $out.
# Interpolating ${ca.cert} and ${ca.key} here ties each certificate derivation
# to the CA derivation, so a re-minted CA re-issues every certificate.
# NOTE(review): cert-key.pem is written into the world-readable Nix store.
cfssl = conf: ''
cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
-config=${ca-config} -profile=kubernetes ${conf.csr} | \
cfssljson -bare cert; \
mkdir -p $out; cp *.pem $out
'';
# Runs the `cfssl` signing script in a derivation named after the certificate
# and returns the store paths of the resulting key and certificate.
# conf.name -- derivation name; conf.csr -- path to the request JSON
# (see gencsr).
gencert = conf:
  let
    signed = pkgs.runCommand "${conf.name}" {
      buildInputs = [ pkgs.cfssl ];
    } (cfssl conf);
  in {
    cert = signed + "/cert.pem";
    key = signed + "/cert-key.pem";
  };
# Issues a certificate whose CN and O are both `name`, with `name` prepended to
# the SAN list.  `hosts` follows the convention used throughout this file: one
# string of comma-separated, double-quoted entries (see `worker`).
# Not referenced by the exported attribute set below.
trust = name: hosts:
  gencert {
    inherit name;
    csr = gencsr {
      inherit name;
      cn = name;
      o = name;
      hosts = "\"${name}\", " + hosts;
    };
  };
in
{
  inherit ca;

  # Cluster-admin client certificate.  O=system:masters is the group that
  # Kubernetes' default RBAC binds to cluster-admin, so this key grants full
  # control of the cluster.
  admin =
    let name = "admin";
    in gencert {
      inherit name;
      csr = gencsr {
        inherit name;
        cn = "admin";
        o = "system:masters";
        hosts = "";
      };
    };

  # API server serving certificate; `hosts` lists the names/IPs clients use
  # to reach it, as a comma-separated string of quoted entries (see worker).
  apiserver = hosts:
    let name = "kubernetes";
    in gencert {
      inherit name;
      csr = gencsr {
        inherit name hosts;
        cn = "kubernetes";
        o = "kubernetes";
      };
    };

  # etcd serving certificate; same `hosts` convention as apiserver.
  etcd = hosts:
    let name = "etcd";
    in gencert {
      inherit name;
      csr = gencsr {
        inherit name hosts;
        cn = "etcd";
        o = "kubernetes";
      };
    };

  # kube-proxy client certificate (user system:kube-proxy, group
  # system:node-proxier).
  kube-proxy =
    let name = "kube-proxy";
    in gencert {
      inherit name;
      csr = gencsr {
        inherit name;
        cn = "system:kube-proxy";
        o = "system:node-proxier";
        hosts = "";
      };
    };

  # Kubelet certificate for one node.  CN system:node:<name> with group
  # system:nodes is the identity the Node authorizer expects; the node's name
  # and IP become its SANs.
  worker = instance:
    let name = instance.name;
    in gencert {
      inherit name;
      csr = gencsr {
        inherit name;
        cn = "system:node:${instance.name}";
        o = "system:nodes";
        hosts = "\"${instance.name}\",\"${instance.ip}\"";
      };
    };
}