We want to be able to scrape controller-manager and scheduler metrics into Prometheus. For that, each of them needs to: 1) listen on a secure port 2) have authn enabled With this, any k8s user with the right permissions (and a bearer token or TLS certificate) can come in and access metrics over a node's public IP address. Access without a certificate/token gets thrown into the system:anonymous user, which has no access to any API. Change-Id: I267680f92f748ba63b6762e6aaba3c417446e50b
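# Per-machine cluster configuration: PKI material paths and service ports
# for one member of the cluster.
#
# Evaluates to a function from a machine's short host name (the fqdn is
# formed by appending `domain`) to an attribute set of paths and ports.
machineName:
let
  # All known cluster machines; every entry is expected to carry an `fqdn`
  # attribute, which is the only field read here.
  machines = (import ./defs-machines.nix);
in rec {
  domain = ".hswaw.net";
  k8sapi = "k0.hswaw.net";
  acmeEmail = "q3k@hackerspace.pl";

  # Fully qualified name of this machine, derived from the short name.
  fqdn = machineName + domain;

  # This machine's entry from defs-machines.nix. Unknown names fail
  # evaluation with an explicit message rather than a bare `builtins.head`
  # error on an empty list; if several entries match, the first one wins,
  # as before.
  machine =
    let
      matching = builtins.filter (n: n.fqdn == fqdn) machines;
    in
      if builtins.length matching == 0 then
        throw "no machine with fqdn ${fqdn} in defs-machines.nix"
      else
        builtins.head matching;

  # Every other cluster member, e.g. for peer lists.
  otherMachines = (builtins.filter (n: n.fqdn != fqdn) machines);
  inherit machines;

  pki = rec {
    # Builds the (ca, cert, key) path triple for the certificate `name`
    # issued under the CA identified by `radix`, plus a JSON rendering of
    # those paths for consumers that take a config file. Only the paths are
    # emitted (toString of a path), never the file contents.
    make = (radix: name: rec {
      ca = ./../certs + "/ca-${radix}.crt";
      cert = ./../certs + "/${radix}-${name}.cert";
      # Private key; read from the plaintext secrets directory.
      key = ./../secrets/plain + "/${radix}-${name}.key";
      json = (builtins.toJSON {
        ca = (builtins.toString ca);
        cert = (builtins.toString cert);
        key = (builtins.toString key);
      });
    });

    # etcd peer identity of this node.
    etcdPeer = (make "etcdpeer" fqdn);

    etcd = {
      # Client-facing etcd server identity of this node.
      server = (make "etcd" fqdn);
      # Identity named "kube" towards etcd (presumably the apiserver's etcd
      # client certificate — confirm against the apiserver module).
      kube = (make "etcd" "kube");
    };

    # `make "kube" name` extended with a `config` attribute carrying the
    # apiserver endpoint and this identity's cert/key, so that consumers can
    # build a kubeconfig from it. The base identity is computed once instead
    # of three times.
    makeKube = (name:
      let
        base = make "kube" name;
      in base // {
        config = {
          server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
          certFile = base.cert;
          keyFile = base.key;
        };
      });

    kube = rec {
      # The cluster CA; every kube identity shares it.
      ca = apiserver.ca;

      # Used to identify apiserver.
      apiserver = (makeKube "apiserver");

      # Used to identify controller-manager.
      controllermanager = (makeKube "controllermanager");

      # Used to identify scheduler.
      scheduler = (makeKube "scheduler");

      # Used to identify kube-proxy.
      proxy = (makeKube "proxy");

      # Used to identify kubelet; one identity per node.
      kubelet = (makeKube "kubelet-${fqdn}");

      # Service account token key pair (signing and verification of service
      # account tokens, not encryption of the accounts themselves).
      serviceaccounts = (makeKube "serviceaccounts");
    };

    kubeFront = {
      # Certificate presented on the apiserver's front-facing endpoint,
      # issued by the separate "kubefront" CA.
      apiserver = (make "kubefront" "apiserver");
    };
  };

  ports = {
    # NOTE(review): unlike controller-manager and scheduler below, the
    # apiserver's plain port is still nonzero here; whether it is actually
    # bound is decided by the consuming module, not by this file.
    k8sAPIServerPlain = 4000;
    k8sAPIServerSecure = 4001;
    # A value of 0 disables the insecure listener; metrics are scraped from
    # the secure, authenticated port instead.
    k8sControllerManagerPlain = 0; # would be 4002; do not serve plain http
    k8sControllerManagerSecure = 4003;
    k8sSchedulerPlain = 0; # would be 4004; do not serve plain http
    k8sSchedulerSecure = 4005;
  };
}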