diff --git a/cluster/machines/modules/kube-common.nix b/cluster/machines/modules/kube-common.nix
index 6707efaf..f4c6066c 100644
--- a/cluster/machines/modules/kube-common.nix
+++ b/cluster/machines/modules/kube-common.nix
@@ -86,7 +86,9 @@ in {
 # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
 # k8s components manually.
 roles = [];
- caFile = cfg.pki.kube.apiserver.ca;
+ # TODO(q3k): undo after CA migration done
+ #caFile = cfg.pki.kube.apiserver.ca;
+ caFile = ../../certs/ca-kube-new-and-old.crt;
 clusterCidr = "10.10.16.0/20";
 addons.dns.enable = false;
 };
diff --git a/cluster/machines/modules/kube-controlplane.nix b/cluster/machines/modules/kube-controlplane.nix
index 8efda584..d38b91fc 100644
--- a/cluster/machines/modules/kube-controlplane.nix
+++ b/cluster/machines/modules/kube-controlplane.nix
@@ -82,7 +82,8 @@ in {
 # k8s components manually.
 roles = [];
 addons.dns.enable = false;
- caFile = pki.kube.apiserver.ca;
+ # TODO(q3k): undo after CA migration done
+ #caFile = pki.kube.apiserver.ca;
 clusterCidr = "10.10.16.0/20";
 apiserver = rec {
@@ -102,11 +103,15 @@ in {
 tlsCertFile = pki.kube.apiserver.cert;
 tlsKeyFile = pki.kube.apiserver.key;
- clientCaFile = pki.kube.apiserver.ca;
+ # TODO(q3k): undo after CA migration done
+ #clientCaFile = pki.kube.apiserver.ca;
+ clientCaFile = ../../certs/ca-kube-new-and-old.crt;
 kubeletHttps = true;
 # Same CA as main APIServer CA.
- kubeletClientCaFile = pki.kube.apiserver.ca;
+ # TODO(q3k): undo after CA migration done
+ #kubeletClientCaFile = pki.kube.apiserver.ca;
+ kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
 kubeletClientCertFile = pki.kube.apiserver.cert;
 kubeletClientKeyFile = pki.kube.apiserver.key;
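Review bot: Pointing `caFile` at `../../certs/ca-kube-new-and-old.crt` widens the trust anchor to two CAs for as long as the TODO stands, so any client certificate issued under the old CA keeps authenticating until the bundle is reduced to the new CA alone; the same change is made in kube-controlplane.nix (the -82 and -102 hunks) and in kube-dataplane.nix. The TODO names an owner but not the condition for "migration done", which is what a later reader needs to decide whether the revert is safe; I would extend it to `# TODO(q3k): undo after CA migration done, i.e. once nothing still presents a cert issued by the old CA; then drop the old CA from the bundle as well.` A Nix path literal also detaches this option from `cfg.pki.kube.apiserver.ca`, so if that value is regenerated during the migration the bundle file has to be updated by hand.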
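Review bot: The -82 hunk comments out `caFile = pki.kube.apiserver.ca;` without setting a replacement, unlike the kube-common.nix hunk, which sets `caFile` to the bundle, and the -102 hunk, which replaces the per-component values. If the NixOS kubernetes module uses `services.kubernetes.caFile` as the default for other `*.caFile` options or for the kubeconfigs it generates (not visible in this diff), the control plane now evaluates those with no CA rather than with the bundle. Either keep the line as `caFile = ../../certs/ca-kube-new-and-old.crt;` under the same TODO, or state in the comment why the top-level value is intentionally left unset here.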
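Review bot: In the -102 hunk the bundle path is written out twice (and four times across the diff), so the promised revert becomes a multi-site edit that is easy to get partially wrong on exactly the option that gates API-client authentication, `clientCaFile`. Binding it once in the module's `let`, e.g. `caBundle = ../../certs/ca-kube-new-and-old.crt; # TODO(q3k): remove after CA migration done`, and referencing `caBundle` from `clientCaFile`, `kubeletClientCaFile` and the other call sites keeps the migration state in one place. The enclosing `apiserver = rec {` block starts in the previous hunk and ends outside this one.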
@@ -145,21 +150,24 @@ in {
 leaderElect = true;
 serviceAccountKeyFile = pki.kube.serviceaccounts.key;
 rootCaFile = pki.kube.ca;
+ # TODO(q3k): undo after CA migration done
 extraOpts = ''
 --service-cluster-ip-range=10.10.12.0/24 \
 --use-service-account-credentials=true \
 --secure-port=${toString cfg.portControllerManagerSecure}\
 --authentication-kubeconfig=${kubeconfig}\
 --authorization-kubeconfig=${kubeconfig}\
+ --root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
 '';
 kubeconfig = pki.kube.controllermanager.config;
 };
 scheduler = let
 top = config.services.kubernetes;
- # BUG: this should be scheduler
- # TODO(q3k): change after big nix change
- kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.controllermanager.config;
+ # TODO(q3k): undo after CA migration done
+ kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config // { ca = ../../certs/ca-kube-new-and-old.crt; });
 in {
 enable = true;
 address = "0.0.0.0";
diff --git a/cluster/machines/modules/kube-dataplane.nix b/cluster/machines/modules/kube-dataplane.nix
index 45efcd27..fd87dbc6 100644
--- a/cluster/machines/modules/kube-dataplane.nix
+++ b/cluster/machines/modules/kube-dataplane.nix
@@ -72,7 +72,9 @@ in {
 hostname = fqdn;
 tlsCertFile = pki.kube.kubelet.cert;
 tlsKeyFile = pki.kube.kubelet.key;
- clientCaFile = pki.kube.kubelet.ca;
+ # TODO(q3k): undo after CA migration done
+ #clientCaFile = pki.kube.kubelet.ca;
+ clientCaFile = ../../certs/ca-kube-new-and-old.crt;
 nodeIp = config.hscloud.base.ipAddr;
 networkPlugin = "cni";
 clusterDns = "10.10.12.254";
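Review bot: `--root-ca-file=${../../certs/ca-kube-new-and-old.crt}` is appended to `extraOpts` while `rootCaFile = pki.kube.ca;` a few lines above is left in place, so if the NixOS module already renders `--root-ca-file` from `rootCaFile` (not visible here), kube-controller-manager receives the flag twice with different values and the effective one depends on flag-parsing order. This flag selects the CA the controller manager writes into service-account token secrets, i.e. what in-cluster workloads use to verify the apiserver, so the ambiguity should be removed: set `rootCaFile = ../../certs/ca-kube-new-and-old.crt;` under the TODO instead of adding a second flag. Separately, the scheduler TODO now covers two changes — the temporary `ca` override and the switch from `pki.kube.controllermanager.config` to `pki.kube.scheduler.config`, which resolves the removed BUG comment and must not be reverted; `# TODO(q3k): drop the ca override after CA migration done` would keep the revert scoped. The scheduler's `let ... in` block continues past this hunk.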