diff --git a/nix/kubernetes/hosts/controller0/default.nix b/nix/kubernetes/hosts/controller0/default.nix
index ef6a64fe..53616127 100644
--- a/nix/kubernetes/hosts/controller0/default.nix
+++ b/nix/kubernetes/hosts/controller0/default.nix
@@ -117,6 +117,7 @@
 ];
 me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
+ me.kube_apiserver.external_ip = "74.80.180.138";
 me.kube_apiserver.etcd_services = [
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
diff --git a/nix/kubernetes/hosts/controller1/default.nix b/nix/kubernetes/hosts/controller1/default.nix
index 61f26a5e..d6571c08 100644
--- a/nix/kubernetes/hosts/controller1/default.nix
+++ b/nix/kubernetes/hosts/controller1/default.nix
@@ -117,6 +117,7 @@
 ];
 me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
+ me.kube_apiserver.external_ip = "74.80.180.138";
 me.kube_apiserver.etcd_services = [
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
diff --git a/nix/kubernetes/hosts/controller2/default.nix b/nix/kubernetes/hosts/controller2/default.nix
index 8336a011..c6c95c03 100644
--- a/nix/kubernetes/hosts/controller2/default.nix
+++ b/nix/kubernetes/hosts/controller2/default.nix
@@ -117,6 +117,7 @@
 ];
 me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
+ me.kube_apiserver.external_ip = "74.80.180.138";
 me.kube_apiserver.etcd_services = [
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
 "https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 497f1e07..42d98349 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
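Review bot: `"74.80.180.138"` is repeated verbatim in the controller0, controller1 and controller2 hunks; because the value feeds the service-account token issuer, all three apiservers must agree on it, and a single shared definition imported by the three host files would make that invariant structural instead of relying on copy-paste. A short comment next to the binding, e.g. `# Cluster-wide external address; also the service-account token issuer, must match on every controller`, would tell the next editor why the three values may not drift apart.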
@@ -9,5 +9,6 @@ symlinkJoin {
 k8s.kubernetes
 k8s.ca
 k8s.service_account
+ k8s.requestheader-client-ca
 ];
 }
diff --git a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json b/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json
new file mode 100644
index 00000000..8145e503
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json
@@ -0,0 +1,16 @@
+{
+ "CN": "Kubernetes",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "Portland",
+ "O": "Kubernetes",
+ "OU": "CA",
+ "ST": "Oregon"
+ }
+ ]
+}
diff --git a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix b/nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix
new file mode 100644
index 00000000..4d907f50
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix
@@ -0,0 +1,30 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+ stdenv,
+ sqlite,
+ cfssl,
+ k8s,
+ all_hostnames,
+ ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+ name = "k8s-service-account";
+ nativeBuildInputs = [ cfssl ];
+ buildInputs = [ ];
+
+ unpackPhase = "true";
+
+ installPhase = ''
+ mkdir -p "$out"
+ cd "$out"
+ cfssl gencert -initca ${./files/requestheader-client-ca-csr.json} | cfssljson -bare requestheader-client-ca
+ '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index 9135e969..8f490e9b 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -151,6 +151,13 @@ makeScope newScope (
 group = 10024;
 mode = "0600";
 }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${self.requestheader-client-ca}/requestheader-client-ca.pem";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
 ])
 )
 );
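Review bot: the new CSR gives the front-proxy CA the subject `CN=Kubernetes, O=Kubernetes, OU=CA`, which presumably mirrors the cluster CA's request; kube-apiserver trusts this CA for a different purpose than `--client-ca-file` (aggregation-layer proxy identity rather than client authentication), so a distinct subject such as `"CN": "kubernetes-front-proxy-ca"` makes the two CA certificates tell apart when inspecting a bundle or a log line. The request also sets no CA validity, so cfssl falls back to its default for `-initca`; stating it explicitly (`"ca": { "expiry": "<validity>" }`, value to be chosen) documents the intended rotation period instead of leaving it implicit.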
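Review bot: `name = "k8s-service-account";` in the new derivation is a copy-paste leftover, so the store path of the front-proxy CA will be labelled as the service-account package and be indistinguishable from it in store listings; it should read `name = "k8s-requestheader-client-ca";`. `sqlite`, `k8s` and `all_hostnames` are taken as arguments but never referenced, and `finalAttrs` is unused as well, so the argument set can shrink to `{ stdenv, cfssl, ... }:`. Note also that `cfssljson -bare` writes `requestheader-client-ca-key.pem` next to the certificate into `$out`, so the CA's private key lands in the world-readable Nix store of the build host even though scope.nix only deploys the `.pem`; if the existing k8s-ca package follows the same pattern this is an accepted trade-off, but a comment above `installPhase` should state that the key material lives in the store and that every rebuild mints a fresh CA.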
@@ -196,6 +203,9 @@ makeScope newScope (
 ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
 kubernetes = (callPackage ./package/k8s-kubernetes/package.nix additional_vars);
 service_account = (callPackage ./package/k8s-service-account/package.nix additional_vars);
+ requestheader-client-ca = (
+ callPackage ./package/k8s-requestheader-client-ca/package.nix additional_vars
+ );
 keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
 deploy_script = (writeShellScript "deploy-keys" deploy_script);
 }
diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix
index bbaee42d..9701d991 100644
--- a/nix/kubernetes/roles/kube_apiserver/default.nix
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
@@ -26,6 +26,12 @@ in
 description = "IP address this server should advertise.";
 };
+ kube_apiserver.external_ip = lib.mkOption {
+ example = "192.168.1.10";
+ type = lib.types.str;
+ description = "IP address to reach this cluster externally.";
+ };
+
 kube_apiserver.etcd_services = lib.mkOption {
 default = [ ];
 example = [ "https://192.168.1.10:2379" ];
@@ -59,7 +65,7 @@ in
 "--authorization-mode=Node,RBAC"
 "--bind-address=0.0.0.0"
 "--client-ca-file=/.persist/keys/kube/ca.pem"
- "--requestheader-client-ca-file=/var/lib/kubernetes/requestheader-client-ca.pem"
+ "--requestheader-client-ca-file=/.persist/keys/kube/requestheader-client-ca.pem"
 ''--requestheader-allowed-names=""''
 "--requestheader-extra-headers-prefix=X-Remote-Extra-"
 "--requestheader-group-headers=X-Remote-Group"
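Review bot: `kube_apiserver.external_ip` is declared as `lib.types.str`, but the value is spliced straight into `https://${...}:6443` as the service-account issuer in a later hunk, so an empty string or an IPv6 literal like the cluster's own internal addresses produces a malformed issuer URL; `type = lib.types.nonEmptyStr;` catches the first case and the description should spell out the second. The description should also say what the value is used for, since "IP address to reach this cluster externally" reads like an address the host binds to: e.g. `description = "IPv4 address the cluster is reached at externally; used verbatim as the service-account token issuer, so changing it invalidates tokens issued under the old value.";`.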
@@ -79,7 +85,7 @@ in
 "--runtime-config='api/all=true'"
 "--service-account-key-file=/.persist/keys/kube/service-account.pem"
 "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
- "--service-account-issuer=https://{{ kubernetes_public_address }}:6443"
+ "--service-account-issuer=https://${config.me.kube_apiserver.external_ip}:6443"
 "--service-node-port-range=30000-32767"
 "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"
 "--tls-private-key-file=/.persist/keys/kube/kubernetes-key.pem"
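Review bot: the removed line passed the literal, never-rendered string `https://{{ kubernetes_public_address }}:6443` as the issuer, so every projected service-account token minted so far carries that issuer claim and will fail validation as soon as only the new value is configured. kube-apiserver accepts `--service-account-issuer` more than once — the first value is used for issuing and all values are accepted for validation — so keeping the old literal as a second `"--service-account-issuer=https://{{ kubernetes_public_address }}:6443"` line until workloads have re-mounted their tokens gives a clean rollover, with a comment saying when it can be dropped. The interpolation also needs brackets (`https://[${...}]:6443`) if an IPv6 address is ever set as `external_ip`, which the option's type does not currently rule out.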