karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add custom kubernetes module base

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-01-29 16:16:17 +00:00
parent 51ef8d6ac9
commit a8ca3653b4
13 changed files with 1286 additions and 544 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
hosts/common/configs/system/kubernetes/secrets/default.nix
View File

@@ -1,204 +1,293 @@
{ ... }:
{ config, ... }:
{
sops.secrets = {
"kubernetes/ca/crt" = {
"kubernetes/ca/kubernetes/crt" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/ca/key" = {
"kubernetes/ca/kubernetes/key" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/front-proxy/ca/crt" = {
"kubernetes/ca/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/ca/key" = {
"kubernetes/ca/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/ca/crt" = {
"kubernetes/ca/etcd/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/ca/key" = {
"kubernetes/ca/etcd/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/cert/crt" = {
"kubernetes/cert/apiserver/server/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/cert/key" = {
"kubernetes/cert/apiserver/server/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/kubelet-client/crt" = {
"kubernetes/cert/apiserver/etcd-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/kubelet-client/key" = {
"kubernetes/cert/apiserver/etcd-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/etcd-client/crt" = {
"kubernetes/cert/apiserver/kubelet-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/etcd-client/key" = {
"kubernetes/cert/apiserver/kubelet-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/client/crt" = {
"kubernetes/cert/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/client/key" = {
"kubernetes/cert/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/server/crt" = {
"kubernetes/cert/etcd/server/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/server/key" = {
"kubernetes/cert/etcd/server/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/peer/crt" = {
"kubernetes/cert/etcd/peer/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/peer/key" = {
"kubernetes/cert/etcd/peer/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/sa/key" = {
"kubernetes/cert/sa/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/sa/pub" = {
"kubernetes/cert/sa/pub" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/admin/crt" = {
group = "kubernetes";
};
"kubernetes/accounts/admin/key" = {
group = "kubernetes";
};
"kubernetes/accounts/controller-manager/crt" = {
"kubernetes/cert/accounts/scheduler/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/controller-manager/key" = {
"kubernetes/cert/accounts/scheduler/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/addon-manager/crt" = {
"kubernetes/cert/accounts/controller-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/addon-manager/key" = {
"kubernetes/cert/accounts/controller-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/scheduler/crt" = {
"kubernetes/cert/accounts/addon-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/scheduler/key" = {
"kubernetes/cert/accounts/addon-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/proxy/crt" = {
"kubernetes/cert/accounts/proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/proxy/key" = {
"kubernetes/cert/accounts/proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/flannel/crt" = {
"kubernetes/cert/accounts/admin/crt" = {
group = "kubernetes";
};
"kubernetes/cert/accounts/admin/key" = {
group = "kubernetes";
};
"kubernetes/token/kubelet-bootstrap/token" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/flannel/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/kubelet-bootstrap/token" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/kubelet-bootstrap/csv" = {
"kubernetes/token/kubelet-bootstrap/csv" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
};
services.kubernetes = {
cas = {
kubernetes = {
key = config.sops.secrets."kubernetes/ca/kubernetes/key".path;
crt = config.sops.secrets."kubernetes/ca/kubernetes/crt".path;
};
frontProxy = {
key = config.sops.secrets."kubernetes/ca/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/ca/front-proxy/crt".path;
};
etcd = {
key = config.sops.secrets."kubernetes/ca/etcd/key".path;
crt = config.sops.secrets."kubernetes/ca/etcd/crt".path;
};
};
certs = {
apiserver = {
server = {
key = config.sops.secrets."kubernetes/cert/apiserver/server/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/server/crt".path;
};
etcdClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/crt".path;
};
kubeletClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/crt".path;
};
};
etcd = {
server = {
key = config.sops.secrets."kubernetes/cert/etcd/server/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/server/crt".path;
};
peer = {
key = config.sops.secrets."kubernetes/cert/etcd/peer/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/peer/crt".path;
};
};
frontProxy = {
key = config.sops.secrets."kubernetes/cert/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/front-proxy/crt".path;
};
serviceAccount = {
private = config.sops.secrets."kubernetes/cert/sa/key".path;
public = config.sops.secrets."kubernetes/cert/sa/pub".path;
};
accounts = {
scheduler = {
key = config.sops.secrets."kubernetes/cert/accounts/scheduler/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/scheduler/crt".path;
};
controllerManager = {
key = config.sops.secrets."kubernetes/cert/accounts/controller-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/controller-manager/crt".path;
};
addonManager = {
key = config.sops.secrets."kubernetes/cert/accounts/addon-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/addon-manager/crt".path;
};
proxy = {
key = config.sops.secrets."kubernetes/cert/accounts/proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/proxy/crt".path;
};
admin = {
key = config.sops.secrets."kubernetes/cert/accounts/admin/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/admin/crt".path;
};
};
};
kubelet.bootstrapToken = config.sops.secrets."kubernetes/token/kubelet-bootstrap/token".path;
apiserver.bootstrapTokenFile = config.sops.secrets."kubernetes/token/kubelet-bootstrap/csv".path;
};
systemd.services = {
kubelet.after = [ "sops-nix.service" ];
kube-apiserver.after = [ "sops-nix.service" ];
kube-controller-manager.after = [ "sops-nix.service" ];
kube-scheduler.after = [ "sops-nix.service" ];
kube-proxy.after = [ "sops-nix.service" ];
kube-addon-manager.after = [ "sops-nix.service" ];
etcd.after = [ "sops-nix.service" ];
};
}

107
hosts/common/configs/system/kubernetes/secrets/generate-secrets.sh
View File

@@ -138,28 +138,27 @@ if [ -z "${hostname}" ]; then
exit 1
fi
generate_ca out ca ${DEFAULT_CA_DAYS} kubernetes-ca ""
generate_ca out/front-proxy ca ${DEFAULT_CA_DAYS} kubernetes-front-proxy-ca ""
generate_ca out/etcd ca ${DEFAULT_CA_DAYS} etcd-ca ""
generate_ca out/ca kubernetes ${DEFAULT_CA_DAYS} kubernetes-ca ""
generate_ca out/ca front-proxy ${DEFAULT_CA_DAYS} kubernetes-front-proxy-ca ""
generate_ca out/ca etcd ${DEFAULT_CA_DAYS} etcd-ca ""
generate_crt out/apiserver cert ${DEFAULT_CA_DAYS} kube-apiserver "" out/ca.key out/ca.crt "kubernetes" "kubernetes.default" "kubernetes.default.svc" "kubernetes.default.svc.cluster" "kubernetes.default.svc.cluster.local" "localhost" "10.0.0.1" "127.0.0.1"
generate_crt out/apiserver kubelet-client ${DEFAULT_CA_DAYS} kube-apiserver-kubelet-client system:masters out/ca.key out/ca.crt ""
generate_crt out/apiserver etcd-client ${DEFAULT_CA_DAYS} kube-apiserver-etcd-client "" out/etcd/ca.key out/etcd/ca.crt ""
generate_crt out/front-proxy client ${DEFAULT_CA_DAYS} front-proxy-client "" out/front-proxy/ca.key out/front-proxy/ca.crt ""
generate_crt out/etcd server ${DEFAULT_CA_DAYS} kube-etcd "" out/etcd/ca.key out/etcd/ca.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/etcd peer ${DEFAULT_CA_DAYS} kube-etcd-peer "" out/etcd/ca.key out/etcd/ca.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/cert/apiserver server ${DEFAULT_CA_DAYS} kube-apiserver "" out/ca/kubernetes.key out/ca/kubernetes.crt "kubernetes" "kubernetes.default" "kubernetes.default.svc" "kubernetes.default.svc.cluster" "kubernetes.default.svc.cluster.local" "localhost" "10.0.0.1" "127.0.0.1"
generate_crt out/cert/apiserver etcd-client ${DEFAULT_CA_DAYS} kube-apiserver-etcd-client "" out/ca/etcd.key out/ca/etcd.crt ""
generate_crt out/cert/apiserver kubelet-client ${DEFAULT_CA_DAYS} kube-apiserver-kubelet-client "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/etcd server ${DEFAULT_CA_DAYS} kube-etcd "" out/ca/etcd.key out/ca/etcd.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/cert/etcd peer ${DEFAULT_CA_DAYS} kube-etcd-peer "" out/ca/etcd.key out/ca/etcd.crt "etcd.local" "etcd.cluster.local" "localhost" "127.0.0.1"
generate_crt out/cert front-proxy ${DEFAULT_CA_DAYS} front-proxy-client "" out/ca/front-proxy.key out/ca/front-proxy.crt ""
generate_key_pair out sa
generate_key_pair out/cert sa
generate_crt out/accounts admin ${DEFAULT_CA_DAYS} kubernetes-admin system:masters out/ca.key out/ca.crt ""
generate_crt out/accounts users ${DEFAULT_CA_DAYS} kubernetes-users system:masters out/ca.key out/ca.crt ""
generate_crt out/accounts controller-manager ${DEFAULT_CA_DAYS} system:kube-controller-manager "" out/ca.key out/ca.crt ""
generate_crt out/accounts addon-manager ${DEFAULT_CA_DAYS} system:kube-addon-manager "" out/ca.key out/ca.crt ""
generate_crt out/accounts scheduler ${DEFAULT_CA_DAYS} system:kube-scheduler "" out/ca.key out/ca.crt ""
generate_crt out/accounts proxy ${DEFAULT_CA_DAYS} system:kube-proxy "" out/ca.key out/ca.crt ""
generate_crt out/accounts flannel ${DEFAULT_CA_DAYS} flannel-client "" out/ca.key out/ca.crt ""
generate_crt out/cert/accounts scheduler ${DEFAULT_CA_DAYS} system:kube-scheduler "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts controller-manager ${DEFAULT_CA_DAYS} system:kube-controller-manager "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts addon-manager ${DEFAULT_CA_DAYS} system:kube-addon-manager "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts proxy ${DEFAULT_CA_DAYS} system:kube-proxy "" out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts admin ${DEFAULT_CA_DAYS} kubernetes-admin system:masters out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_crt out/cert/accounts users ${DEFAULT_CA_DAYS} kubernetes-users system:masters out/ca/kubernetes.key out/ca/kubernetes.crt ""
generate_auth_token out/accounts kubelet-bootstrap "kubelet-bootstrap" 10001 "system:bootstrappers"
generate_auth_token out/token kubelet-bootstrap "kubelet-bootstrap" 10001 "system:bootstrappers"
sops_config="../../../../../$(hostname)/secrets/sops.yaml"
secrets_file="../../../../../$(hostname)/secrets/secrets.yaml"
@@ -168,43 +167,41 @@ sops -d "${secrets_file}" > "${decrypted_secrets_file}"
yq -i '
del(.kubernetes) |
.kubernetes.ca.crt = load_str("out/ca.crt") |
.kubernetes.ca.key = load_str("out/ca.key") |
.kubernetes.front-proxy.ca.crt = load_str("out/front-proxy/ca.crt") |
.kubernetes.front-proxy.ca.key = load_str("out/front-proxy/ca.key") |
.kubernetes.etcd.ca.crt = load_str("out/etcd/ca.crt") |
.kubernetes.etcd.ca.key = load_str("out/etcd/ca.key") |
.kubernetes.apiserver.cert.crt = load_str("out/apiserver/cert.crt") |
.kubernetes.apiserver.cert.key = load_str("out/apiserver/cert.key") |
.kubernetes.apiserver.kubelet-client.crt = load_str("out/apiserver/kubelet-client.crt") |
.kubernetes.apiserver.kubelet-client.key = load_str("out/apiserver/kubelet-client.key") |
.kubernetes.apiserver.etcd-client.crt = load_str("out/apiserver/etcd-client.crt") |
.kubernetes.apiserver.etcd-client.key = load_str("out/apiserver/etcd-client.key") |
.kubernetes.front-proxy.client.crt = load_str("out/front-proxy/client.crt") |
.kubernetes.front-proxy.client.key = load_str("out/front-proxy/client.key") |
.kubernetes.etcd.server.crt = load_str("out/etcd/server.crt") |
.kubernetes.etcd.server.key = load_str("out/etcd/server.key") |
.kubernetes.etcd.peer.crt = load_str("out/etcd/peer.crt") |
.kubernetes.etcd.peer.key = load_str("out/etcd/peer.key") |
.kubernetes.sa.key = load_str("out/sa.key") |
.kubernetes.sa.pub = load_str("out/sa.pub") |
.kubernetes.accounts.admin.crt = load_str("out/accounts/admin.crt") |
.kubernetes.accounts.admin.key = load_str("out/accounts/admin.key") |
.kubernetes.accounts.users.crt = load_str("out/accounts/users.crt") |
.kubernetes.accounts.users.key = load_str("out/accounts/users.key") |
.kubernetes.accounts.controller-manager.crt = load_str("out/accounts/controller-manager.crt") |
.kubernetes.accounts.controller-manager.key = load_str("out/accounts/controller-manager.key") |
.kubernetes.accounts.addon-manager.crt = load_str("out/accounts/addon-manager.crt") |
.kubernetes.accounts.addon-manager.key = load_str("out/accounts/addon-manager.key") |
.kubernetes.accounts.scheduler.crt = load_str("out/accounts/scheduler.crt") |
.kubernetes.accounts.scheduler.key = load_str("out/accounts/scheduler.key") |
.kubernetes.accounts.proxy.crt = load_str("out/accounts/proxy.crt") |
.kubernetes.accounts.proxy.key = load_str("out/accounts/proxy.key") |
.kubernetes.accounts.flannel.crt = load_str("out/accounts/flannel.crt") |
.kubernetes.accounts.flannel.key = load_str("out/accounts/flannel.key") |
.kubernetes.accounts.kubelet-bootstrap.token = load_str("out/accounts/kubelet-bootstrap.token") |
.kubernetes.accounts.kubelet-bootstrap.csv = load_str("out/accounts/kubelet-bootstrap.csv")
.kubernetes.ca.kubernetes.crt = load_str("out/ca/kubernetes.crt") |
.kubernetes.ca.kubernetes.key = load_str("out/ca/kubernetes.key") |
.kubernetes.ca.front-proxy.crt = load_str("out/ca/front-proxy.crt") |
.kubernetes.ca.front-proxy.key = load_str("out/ca/front-proxy.key") |
.kubernetes.ca.etcd.crt = load_str("out/ca/etcd.crt") |
.kubernetes.ca.etcd.key = load_str("out/ca/etcd.key") |
.kubernetes.cert.apiserver.server.crt = load_str("out/cert/apiserver/server.crt") |
.kubernetes.cert.apiserver.server.key = load_str("out/cert/apiserver/server.key") |
.kubernetes.cert.apiserver.etcd-client.crt = load_str("out/cert/apiserver/etcd-client.crt") |
.kubernetes.cert.apiserver.etcd-client.key = load_str("out/cert/apiserver/etcd-client.key") |
.kubernetes.cert.apiserver.kubelet-client.crt = load_str("out/cert/apiserver/kubelet-client.crt") |
.kubernetes.cert.apiserver.kubelet-client.key = load_str("out/cert/apiserver/kubelet-client.key") |
.kubernetes.cert.etcd.server.crt = load_str("out/cert/etcd/server.crt") |
.kubernetes.cert.etcd.server.key = load_str("out/cert/etcd/server.key") |
.kubernetes.cert.etcd.peer.crt = load_str("out/cert/etcd/peer.crt") |
.kubernetes.cert.etcd.peer.key = load_str("out/cert/etcd/peer.key") |
.kubernetes.cert.front-proxy.crt = load_str("out/cert/front-proxy.crt") |
.kubernetes.cert.front-proxy.key = load_str("out/cert/front-proxy.key") |
.kubernetes.cert.sa.key = load_str("out/cert/sa.key") |
.kubernetes.cert.sa.pub = load_str("out/cert/sa.pub") |
.kubernetes.cert.accounts.scheduler.crt = load_str("out/cert/accounts/scheduler.crt") |
.kubernetes.cert.accounts.scheduler.key = load_str("out/cert/accounts/scheduler.key") |
.kubernetes.cert.accounts.controller-manager.crt = load_str("out/cert/accounts/controller-manager.crt") |
.kubernetes.cert.accounts.controller-manager.key = load_str("out/cert/accounts/controller-manager.key") |
.kubernetes.cert.accounts.addon-manager.crt = load_str("out/cert/accounts/addon-manager.crt") |
.kubernetes.cert.accounts.addon-manager.key = load_str("out/cert/accounts/addon-manager.key") |
.kubernetes.cert.accounts.proxy.crt = load_str("out/cert/accounts/proxy.crt") |
.kubernetes.cert.accounts.proxy.key = load_str("out/cert/accounts/proxy.key") |
.kubernetes.cert.accounts.admin.crt = load_str("out/cert/accounts/admin.crt") |
.kubernetes.cert.accounts.admin.key = load_str("out/cert/accounts/admin.key") |
.kubernetes.cert.accounts.users.crt = load_str("out/cert/accounts/users.crt") |
.kubernetes.cert.accounts.users.key = load_str("out/cert/accounts/users.key") |
.kubernetes.token.kubelet-bootstrap.token = load_str("out/token/kubelet-bootstrap.token") |
.kubernetes.token.kubelet-bootstrap.csv = load_str("out/token/kubelet-bootstrap.csv")
' "${decrypted_secrets_file}"
sops --config "${sops_config}" -e "${decrypted_secrets_file}" > "${secrets_file}"
rm -rf out
rm -rf ${decrypted_secrets_file} out