cluster: move kubernetes services to temporary CA bundle
This is already deployed, and it gives Kubernetes components temporary freedom to use either the old or the new CA cert. Change-Id: I8ac7f773a333c30fa22902b8edc327c0c700a482 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1490 Reviewed-by: q3k <q3k@hackerspace.pl>master
parent
3a6d67e0c4
commit
bbc5a43d77
|
@ -86,7 +86,9 @@ in {
|
|||
# We do not use any nixpkgs predefined roles for k8s. Instead, we enable
|
||||
# k8s components manually.
|
||||
roles = [];
|
||||
caFile = cfg.pki.kube.apiserver.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
#caFile = cfg.pki.kube.apiserver.ca;
|
||||
caFile = ../../certs/ca-kube-new-and-old.crt;
|
||||
clusterCidr = "10.10.16.0/20";
|
||||
addons.dns.enable = false;
|
||||
};
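Review bot: The new `caFile = ../../certs/ca-kube-new-and-old.crt;` points every component at a bundle that keeps the old CA trusted, so any certificate the old CA ever issued remains accepted for the whole migration window, and the `# TODO(q3k): undo after CA migration done` above it gives no condition for when that window closes. I would extend the comment to name the exit condition, e.g. `# TODO(q3k): undo after CA migration done, i.e. once every component cert and kubeconfig has been reissued by the new CA and the old CA can be dropped from the trust set`. The same widening is repeated for `clientCaFile`, `kubeletClientCaFile` and the kubelet's `clientCaFile` in the later hunks, so one tracking reference in each TODO would tie them together. Which lines are removed versus added is inferred from the duplicated `caFile` key, since the rendered page dropped the +/- markers.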
|
||||
|
|
|
@ -82,7 +82,8 @@ in {
|
|||
# k8s components manually.
|
||||
roles = [];
|
||||
addons.dns.enable = false;
|
||||
caFile = pki.kube.apiserver.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
#caFile = pki.kube.apiserver.ca;
|
||||
clusterCidr = "10.10.16.0/20";
|
||||
|
||||
apiserver = rec {
|
||||
|
@ -102,11 +103,15 @@ in {
|
|||
|
||||
tlsCertFile = pki.kube.apiserver.cert;
|
||||
tlsKeyFile = pki.kube.apiserver.key;
|
||||
clientCaFile = pki.kube.apiserver.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
#clientCaFile = pki.kube.apiserver.ca;
|
||||
clientCaFile = ../../certs/ca-kube-new-and-old.crt;
|
||||
|
||||
kubeletHttps = true;
|
||||
# Same CA as main APIServer CA.
|
||||
kubeletClientCaFile = pki.kube.apiserver.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
#kubeletClientCaFile = pki.kube.apiserver.ca;
|
||||
kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
|
||||
kubeletClientCertFile = pki.kube.apiserver.cert;
|
||||
kubeletClientKeyFile = pki.kube.apiserver.key;
|
||||
|
||||
|
@ -145,21 +150,24 @@ in {
|
|||
leaderElect = true;
|
||||
serviceAccountKeyFile = pki.kube.serviceaccounts.key;
|
||||
rootCaFile = pki.kube.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
extraOpts = ''
|
||||
--service-cluster-ip-range=10.10.12.0/24 \
|
||||
--use-service-account-credentials=true \
|
||||
--secure-port=${toString cfg.portControllerManagerSecure}\
|
||||
--authentication-kubeconfig=${kubeconfig}\
|
||||
--authorization-kubeconfig=${kubeconfig}\
|
||||
--root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
|
||||
'';
|
||||
kubeconfig = pki.kube.controllermanager.config;
|
||||
};
|
||||
|
||||
scheduler = let
|
||||
top = config.services.kubernetes;
|
||||
# BUG: this should be scheduler
|
||||
# TODO(q3k): change after big nix change
|
||||
kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.controllermanager.config;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config // {
|
||||
ca = ../../certs/ca-kube-new-and-old.crt;
|
||||
});
|
||||
in {
|
||||
enable = true;
|
||||
address = "0.0.0.0";
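Review bot: `--root-ca-file=${../../certs/ca-kube-new-and-old.crt}\` is appended to extraOpts while `rootCaFile = pki.kube.ca;` is kept a few lines above; if the nixpkgs module renders rootCaFile as its own `--root-ca-file` flag, the controller manager receives the flag twice and the effective CA depends on argument order rather than on what this file states. Setting `rootCaFile = ../../certs/ca-kube-new-and-old.crt;` with the original commented out, as the other hunks do, would make the intent explicit and keep the style consistent. In the scheduler block the kubeconfig now appears to be built from `pki.kube.scheduler.config` instead of `pki.kube.controllermanager.config`, which would resolve the `# BUG: this should be scheduler` note, yet that comment and its `# TODO(q3k): change after big nix change` are left in place and the commit message does not mention the credential switch; update or drop those two comments. The controllerManager attribute set this hunk edits starts outside the hunk, and the sides of the changed lines are inferred from the repeated `kubeconfig =` key because the page lost the +/- markers.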
|
||||
|
|
|
@ -72,7 +72,9 @@ in {
|
|||
hostname = fqdn;
|
||||
tlsCertFile = pki.kube.kubelet.cert;
|
||||
tlsKeyFile = pki.kube.kubelet.key;
|
||||
clientCaFile = pki.kube.kubelet.ca;
|
||||
# TODO(q3k): undo after CA migration done
|
||||
#clientCaFile = pki.kube.kubelet.ca;
|
||||
clientCaFile = ../../certs/ca-kube-new-and-old.crt;
|
||||
nodeIp = config.hscloud.base.ipAddr;
|
||||
networkPlugin = "cni";
|
||||
clusterDns = "10.10.12.254";
|
||||
|
|