forked from hswaw/hscloud
Sergiusz Bazanski
73cef11c85
This pretty large change does the following: - moves nix from bootstrap.hswaw.net to nix/ - changes clustercfg to use cfssl and moves it to cluster/clustercfg - changes clustercfg to source information about target location of certs from nix - changes clustercfg to push nix config - changes tls certs to have more than one CA - recalculates all TLS certs (it keeps the old serviceaccounts key, otherwise we end up with invalid serviceaccounts - the cert doesn't match, but who cares, it's not used anyway)
# Cluster-wide configuration: node inventory, PKI file layout on the target
# hosts, and the ports the control-plane components listen on.
let
  # One entry of `nodes`; every node boots from the same disk device.
  mkNode = fqdn: ipAddr: podNet: {
    inherit fqdn ipAddr podNet;
    diskBoot = "/dev/sdb";
  };
in
rec {
  domain = ".hswaw.net";
  k8sapi = "k0.hswaw.net";
  acmeEmail = "q3k@hackerspace.pl";

  nodes = [
    (mkNode "bc01n01.hswaw.net" "185.236.240.35" "10.10.16.0/24")
    (mkNode "bc01n02.hswaw.net" "185.236.240.36" "10.10.17.0/24")
    (mkNode "bc01n03.hswaw.net" "185.236.240.37" "10.10.18.0/24")
  ];

  pki = rec {
    # Directory on the target host under which certs and keys are placed.
    root = /opt/hscloud;

    # A (ca, cert, key) triple of paths under `root`, named
    # `<radix>-<name>.{crt,key}` and sharing the per-radix CA `<radix>-ca.crt`.
    # `json` carries the same three paths as strings, for consumers that take
    # their configuration as JSON.
    make = radix: name:
      let
        ca = root + "/${radix}-ca.crt";
        cert = root + "/${radix}-${name}.crt";
        key = root + "/${radix}-${name}.key";
      in {
        inherit ca cert key;
        json = builtins.toJSON {
          ca = builtins.toString ca;
          cert = builtins.toString cert;
          key = builtins.toString key;
        };
      };

    etcdPeer = make "etcdpeer" "server";

    etcd = {
      server = make "etcd" "server";
      kube = make "etcd" "kube";
    };

    # `make "kube" name`, extended with a `config` block that points at the
    # secure API server port and at this identity's own cert/key files.
    makeKube = name:
      let
        creds = make "kube" name;
      in creds // {
        config = {
          server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
          certFile = creds.cert;
          keyFile = creds.key;
        };
      };

    kube = rec {
      # All identities below are issued under the same "kube" radix, so they
      # share one CA; expose it once here.
      ca = apiserver.ca;

      # Identity of the API server.
      apiserver = makeKube "apiserver";

      # Identity of the controller-manager.
      controllermanager = makeKube "controller-manager";

      # Identity of the scheduler.
      scheduler = makeKube "scheduler";

      # Identity of kube-proxy.
      proxy = makeKube "proxy";

      # Identity of the kubelet.
      kubelet = makeKube "node";

      # Key material for service accounts. Per the commit message, the
      # previously issued key is kept when certs are regenerated; replacing it
      # would invalidate existing service accounts.
      serviceaccounts = makeKube "serviceaccounts";
    };

    kubeFront = {
      apiserver = make "kubeFront" "apiserver";
    };
  };

  ports = {
    # NOTE(review): if this value feeds the API server's plain-HTTP listener,
    # that listener is served without TLS; confirm it is bound to loopback only
    # or disabled, as was done for the controller-manager below.
    k8sAPIServerPlain = 4000;
    k8sAPIServerSecure = 4001;
    k8sControllerManagerPlain = 0; # 4002; do not serve plain http
    k8sControllerManagerSecure = 4003;
  };
}