karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add custom kubernetes module base

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-01-29 16:16:17 +00:00
parent 51ef8d6ac9
commit a8ca3653b4
13 changed files with 1286 additions and 544 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
hosts/common/configs/system/kubernetes/options/addons/bootstrap/default.nix Normal file
View File

@@ -0,0 +1,206 @@
{ config, ... }:
[
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "create-csrs-for-bootstrapping";
};
subjects = [
{
kind = "Group";
name = "system:bootstrappers";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:node-bootstrapper";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "auto-approve-csrs-for-group";
};
subjects = [
{
kind = "Group";
name = "system:bootstrappers";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:certificates.k8s.io:certificatesigningrequests:nodeclient";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "auto-approve-renewals-for-nodes";
};
subjects = [
{
kind = "Group";
name = "system:nodes";
apiGroup = "rbac.authorization.k8s.io";
}
];
roleRef = {
kind = "ClusterRole";
name = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient";
apiGroup = "rbac.authorization.k8s.io";
};
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRole";
metadata = {
name = "kubelet-csr-approver";
};
rules = [
{
apiGroups = [ "certificates.k8s.io" ];
resources = [ "certificatesigningrequests" ];
verbs = [
"get"
"list"
"watch"
];
}
{
apiGroups = [ "coordination.k8s.io" ];
resources = [ "leases" ];
verbs = [
"create"
"get"
"update"
];
}
{
apiGroups = [ "certificates.k8s.io" ];
resources = [ "certificatesigningrequests/approval" ];
verbs = [ "update" ];
}
{
apiGroups = [ "certificates.k8s.io" ];
resourceNames = [ "kubernetes.io/kubelet-serving" ];
resources = [ "signers" ];
verbs = [ "approve" ];
}
{
apiGroups = [ "" ];
resources = [ "events" ];
verbs = [ "create" ];
}
];
}
{
apiVersion = "rbac.authorization.k8s.io/v1";
kind = "ClusterRoleBinding";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
roleRef = {
apiGroup = "rbac.authorization.k8s.io";
kind = "ClusterRole";
name = "kubelet-csr-approver";
};
subjects = [
{
kind = "ServiceAccount";
name = "kubelet-csr-approver";
namespace = "kube-system";
}
];
}
{
apiVersion = "v1";
kind = "ServiceAccount";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
}
{
apiVersion = "apps/v1";
kind = "Deployment";
metadata = {
name = "kubelet-csr-approver";
namespace = "kube-system";
};
spec = {
replicas = 1;
selector = {
matchLabels = {
app = "kubelet-csr-approver";
};
};
template = {
metadata = {
labels = {
app = "kubelet-csr-approver";
};
};
spec = {
serviceAccountName = "kubelet-csr-approver";
containers = [
{
name = "kubelet-csr-approver";
image = "postfinance/kubelet-csr-approver:latest";
args = [
"-metrics-bind-address"
":8080"
"-health-probe-bind-address"
":8081"
];
livenessProbe = {
httpGet = {
path = "/healthz";
port = 8081;
};
};
resources = {
requests = {
cpu = "100m";
memory = "200Mi";
};
};
env = [
{
name = "PROVIDER_REGEX";
value = "^${config.networking.fqdnOrHostName}$";
}
{
name = "PROVIDER_IP_PREFIXES";
value = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,::1/128,fe80::/10,fc00::/7";
}
{
name = "MAX_EXPIRATION_SEC";
value = "31622400";
}
{
name = "BYPASS_DNS_RESOLUTION";
value = "true";
}
];
}
];
tolerations = [
{
effect = "NoSchedule";
key = "node-role.kubernetes.io/control-plane";
operator = "Equal";
}
];
};
};
};
}
]