hscloud/cluster/nix/defs-cluster-k0.nix
Serge Bazanski 1257389d3d k0: expose controller-manager and scheduler metrics
We want to be able to scrape controller-manager and scheduler metrics
into Prometheus. For that, each of them needs to:

 1) listen on a secure port
 2) have authn enabled

With this, any k8s user with the right permissions (and a bearer token
or TLS certificate) can come in and access metrics over a node's public
IP address. Access without a certificate/token gets thrown into the
system:anonymous user, which has no access to any API.

Change-Id: I267680f92f748ba63b6762e6aaba3c417446e50b
2020-10-10 16:00:15 +00:00


# Per-machine definitions for the k0 cluster. Called with a short machine
# name (without the domain suffix) and returns that machine's identity, the
# PKI material used by its cluster services, and the port assignments.
machineName:
let
  machines = import ./defs-machines.nix;
  domain = ".hswaw.net";
  fqdn = machineName + domain;
  # Split the machine list into this host (`right`) and all others (`wrong`).
  split = builtins.partition (m: m.fqdn == fqdn) machines;

  certsDir = ./../certs;
  keysDir = ./../secrets/plain;
in rec {
  inherit domain fqdn machines;
  k8sapi = "k0.hswaw.net";
  acmeEmail = "q3k@hackerspace.pl";

  # The defs-machines.nix entry whose fqdn matches ours; evaluation fails
  # if there is none.
  machine = builtins.head split.right;
  otherMachines = split.wrong;

  pki = rec {
    # Paths of the CA certificate, leaf certificate and private key for one
    # identity `name` in one PKI `radix`, plus a JSON rendering of the three
    # paths as strings. `toString` on a path yields the path string itself
    # and does not copy the file into the store the way "${path}"
    # interpolation would; keep it that way for the key.
    make = radix: name:
      let
        ca = certsDir + "/ca-${radix}.crt";
        cert = certsDir + "/${radix}-${name}.cert";
        key = keysDir + "/${radix}-${name}.key";
      in {
        inherit ca cert key;
        json = builtins.toJSON {
          ca = toString ca;
          cert = toString cert;
          key = toString key;
        };
      };

    etcdPeer = make "etcdpeer" fqdn;
    etcd = {
      server = make "etcd" fqdn;
      kube = make "etcd" "kube";
    };

    # A "kube" PKI identity extended with a kubeconfig-style `config` that
    # points at the secure apiserver port and at this identity's cert/key.
    makeKube = name:
      let identity = make "kube" name;
      in identity // {
        config = {
          server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
          certFile = identity.cert;
          keyFile = identity.key;
        };
      };

    kube = rec {
      ca = apiserver.ca;
      # Identifies apiserver.
      apiserver = makeKube "apiserver";
      # Identifies controller-manager.
      controllermanager = makeKube "controllermanager";
      # Identifies scheduler.
      scheduler = makeKube "scheduler";
      # Identifies kube-proxy.
      proxy = makeKube "proxy";
      # Identifies kubelet (one identity per node).
      kubelet = makeKube "kubelet-${fqdn}";
      # Encrypts service accounts.
      serviceaccounts = makeKube "serviceaccounts";
    };

    kubeFront = {
      apiserver = make "kubefront" "apiserver";
    };
  };

  ports = {
    k8sAPIServerPlain = 4000;
    k8sAPIServerSecure = 4001;
    # Controller-manager and scheduler are served on their secure ports only;
    # 0 means: do not serve plain http (the plain ports would otherwise be
    # 4002 and 4004).
    k8sControllerManagerPlain = 0;
    k8sControllerManagerSecure = 4003;
    k8sSchedulerPlain = 0;
    k8sSchedulerSecure = 4005;
  };
}