hscloud/ops/exports.nix
Serge Bazanski 9f0e1e88f1 cluster/clustercfg: rewrite it in Go
This replaces the old clustercfg script with a brand spanking new
mostly-equivalent Go reimplementation. But it's not exactly the same,
here are the differences:

 1. No cluster deployment logic anymore - we expect everyone to use ops/
    machine at this point.
 2. All certs/keys are Ed25519 and do not expire by default - but
    support for short-lived certificates is there, and is actually more
    generic and reusable. Currently it's only used for admincreds.
 3. Speaking of admincreds: the new admincreds automatically figure out
    your username.
 4. admincreds also doesn't shell out to kubectl anymore, and doesn't
    override your default context. The generated creds can live
    peacefully alongside your normal prodaccess creds.
 5. gencerts (the new nodestrap without deployment support) now
    automatically generates certs for all nodes, based on local Nix
    modules in ops/.
 6. No secretstore support. This will be changed once we rebuild
    secretstore in Go. For now users are expected to manually run
    secretstore sync on cluster/secrets.

Change-Id: Ida935f44e04fd933df125905eee10121ac078495
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1498
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 22:23:52 +00:00

14 lines
506 B
Nix

{ hscloud, pkgs, hscloudForPkgs, ... }:
{
# Used by clustercfg to figure out which machines need kube certs.
kubeMachineNames = let
isKubeMachine = n: value:
n != "__readTree" &&
(builtins.hasAttr "hscloud" value.options) &&
(builtins.hasAttr "kube" value.options.hscloud) &&
value.options.hscloud.kube.control.enable.value;
machines = pkgs.lib.filterAttrs isKubeMachine hscloud.ops.machines;
names = pkgs.lib.mapAttrsToList (name: _: name) machines;
in names;
}