nix: bump to new k8s

2019-04-28 17:12:54 +02:00 · 2019-04-28 17:12:54 +02:00 · 4232c8b733
commit 4232c8b733
parent b245865087
1 changed files with 14 additions and 11 deletions
--- a/nix/cluster-configuration.nix
+++ b/nix/cluster-configuration.nix
@ -17,6 +17,8 @@ in rec {
  boot.loader.grub.version = 2;
  boot.loader.grub.device = node.diskBoot;

+  boot.kernelParams = [ "boot.shell_on_fail" ];
+
  time.timeZone = "Europe/Warsaw";

  # List packages installed in system profile. To search, run:
@ -110,25 +112,24 @@ in rec {

    caFile = pki.kube.apiserver.ca;
    clusterCidr = "10.10.16.0/20";
-    verbose = false;

    path = [ pkgs.e2fsprogs ]; # kubelet wants to mkfs.ext4 when mounting pvcs

    addons.dns.enable = false;

-    etcd = {
-      servers = (map (n: "https://${n.fqdn}:2379") nodes);
-      caFile = pki.etcd.kube.ca;
-      keyFile = pki.etcd.kube.key;
-      certFile = pki.etcd.kube.cert;
-    };
-
    apiserver = rec {
      enable = true;
-      port = ports.k8sAPIServerPlain;
+      insecurePort = ports.k8sAPIServerPlain;
      securePort = ports.k8sAPIServerSecure;
      advertiseAddress = "${node.ipAddr}";

+      etcd = {
+        servers = (map (n: "https://${n.fqdn}:2379") nodes);
+        caFile = pki.etcd.kube.ca;
+        keyFile = pki.etcd.kube.key;
+        certFile = pki.etcd.kube.cert;
+      };
+
      tlsCertFile = pki.kube.apiserver.cert;
      tlsKeyFile = pki.kube.apiserver.key;

@ -141,6 +142,7 @@ in rec {

      serviceAccountKeyFile = pki.kube.serviceaccounts.key;

+      allowPrivileged = true;
      serviceClusterIpRange = "10.10.12.0/24";
      runtimeConfig = "api/all,authentication.k8s.io/v1beta1";
      authorizationMode = ["Node" "RBAC"];
@ -160,8 +162,8 @@ in rec {

    controllerManager = {
      enable = true;
-      address = "0.0.0.0";
-      port = ports.k8sControllerManagerPlain;
+      bindAddress = "0.0.0.0";
+      insecurePort = ports.k8sControllerManagerPlain;
      leaderElect = true;
      serviceAccountKeyFile = pki.kube.serviceaccounts.key;
      rootCaFile = pki.kube.ca;
@ -193,6 +195,7 @@ in rec {
    kubelet = {
      enable = true;
      unschedulable = false;
+      allowPrivileged = true;
      hostname = fqdn;
      tlsCertFile = pki.kube.kubelet.cert;
      tlsKeyFile = pki.kube.kubelet.key;