talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Move the encryption config into a package.

Browse Source
This commit is contained in:
Tom Alexander
2025-12-14 20:28:48 -05:00
parent 45312dd91f
commit 03efde4674
6 changed files with 222 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
nix/kubernetes/keys/scope.nix
View File

@@ -2,10 +2,6 @@
makeScope,
newScope,
callPackage,
writeShellScript,
openssh,
runCommand,
writeText,
lib,
}:
let
@@ -73,12 +69,12 @@ let
];
};
};
_vm_name_to_hostname = {
"nc0" = "controller0";
"nc1" = "controller1";
"nc2" = "controller2";
};
vm_name_to_hostname = (vm_name: _vm_name_to_hostname."${vm_name}");
# _vm_name_to_hostname = {
# "nc0" = "controller0";
# "nc1" = "controller1";
# "nc2" = "controller2";
# };
# vm_name_to_hostname = (vm_name: _vm_name_to_hostname."${vm_name}");
in
makeScope newScope (
self:
@@ -87,166 +83,6 @@ makeScope newScope (
inherit all_hostnames controllers;
k8s = self;
};
deploy_file = (
{
dest_dir,
file,
name ? (builtins.baseNameOf file),
owner,
group,
mode,
}:
''
##
## deploy ${name} to ${dest_dir}
##
${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}
${openssh}/bin/scp ${file} mrmanager:~/${name}
${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}
${openssh}/bin/ssh mrmanager doas rm -f ~/${name}
''
);
deploy_machine = (
vm_name:
(
''
##
## Create directories on ${vm_name}
##
${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
''
+ (lib.concatMapStringsSep "\n" deploy_file [
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10016;
group = 10016;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.ca}/ca.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.ca}/ca.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = (writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config));
name = "encryption-config.yaml";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.service_account}/service-account.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.service_account}/service-account-key.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.requestheader-client-ca}/requestheader-client-ca.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy-key.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
])
)
);
deploy_script = (
''
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
''
+ (lib.concatMapStringsSep "\n" deploy_machine [
"nc0"
"nc1"
"nc2"
])
);
kube_encryption_key = runCommand "kube_encryption_key" { } ''
head -c 32 /dev/urandom | base64 | tee $out
'';
kube_encryption_config = {
kind = "EncryptionConfig";
apiVersion = "v1";
resources = [
{
resources = [ "secrets" ];
providers = [
{
aescbc = {
keys = [
{
name = "key1";
secret = (builtins.readFile "${kube_encryption_key}");
}
];
};
}
{ identity = { }; }
];
}
];
};
in
{
ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
@@ -317,6 +153,7 @@ makeScope newScope (
};
}
);
encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
}