talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Switch to generating certs with openssl.

Browse Source
This commit is contained in:
Tom Alexander 2025-12-14 18:24:24 -05:00 committed by Tom Alexander
parent d093c9185a
commit 5d660cced8
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
23 changed files with 476 additions and 324 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nix/kubernetes/keys/flake.nix
View File

@ -19,7 +19,7 @@
in
{
deploy_script = appliedOverlay.k8s.deploy_script;
default = appliedOverlay.k8s.keys;
default = appliedOverlay.k8s.all_keys;
}
);
overlays.default = (

16
nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix → nix/kubernetes/keys/package/deploy-script/package.nix
View File

@ -9,22 +9,22 @@
# distPhase
{
stdenv,
sqlite,
cfssl,
writeShellScript,
k8s,
all_hostnames,
...
}:
let
deploy_script_body = "";
deploy_script = (writeShellScript "deploy-script" deploy_script_body);
in
stdenv.mkDerivation (finalAttrs: {
name = "k8s-service-account";
nativeBuildInputs = [ cfssl ];
name = "deploy-script";
nativeBuildInputs = [ ];
buildInputs = [ ];
unpackPhase = "true";
installPhase = ''
mkdir -p "$out"
cd "$out"
cfssl gencert -initca ${./files/requestheader-client-ca-csr.json} | cfssljson -bare requestheader-client-ca
cp ${deploy_script} "$out"
'';
})

16
nix/kubernetes/keys/package/k8s-ca/files/ca-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}

291
nix/kubernetes/keys/package/k8s-ca/files/ca.conf Normal file
View File

@ -0,0 +1,291 @@
[req]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_x509_extensions
[ca_x509_extensions]
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign
[req_distinguished_name]
C = US
ST = Washington
L = Seattle
CN = CA
[admin]
distinguished_name = admin_distinguished_name
prompt = no
req_extensions = default_req_extensions
[admin_distinguished_name]
CN = admin
O = system:masters
# Service Accounts
#
# The Kubernetes Controller Manager leverages a key pair to generate
# and sign service account tokens as described in the
# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
# documentation.
[service-accounts]
distinguished_name = service-accounts_distinguished_name
prompt = no
req_extensions = default_req_extensions
[service-accounts_distinguished_name]
CN = service-accounts
# Worker Nodes
#
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
# called Node Authorizer, that specifically authorizes API requests made
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
# that identifies them as being in the `system:nodes` group, with a username
# of `system:node:<nodeName>`.
[controller0]
distinguished_name = controller0_distinguished_name
prompt = no
req_extensions = controller0_req_extensions
[controller0_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller0 Certificate"
subjectAltName = DNS:controller0, IP:127.0.0.1
subjectKeyIdentifier = hash
[controller0_distinguished_name]
CN = system:node:controller0
O = system:nodes
C = US
ST = Washington
L = Seattle
[controller1]
distinguished_name = controller1_distinguished_name
prompt = no
req_extensions = controller1_req_extensions
[controller1_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller1 Certificate"
subjectAltName = DNS:controller1, IP:127.0.0.1
subjectKeyIdentifier = hash
[controller1_distinguished_name]
CN = system:node:controller1
O = system:nodes
C = US
ST = Washington
L = Seattle
[controller2]
distinguished_name = controller2_distinguished_name
prompt = no
req_extensions = controller2_req_extensions
[controller2_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "controller2 Certificate"
subjectAltName = DNS:controller2, IP:127.0.0.1
subjectKeyIdentifier = hash
[controller2_distinguished_name]
CN = system:node:controller2
O = system:nodes
C = US
ST = Washington
L = Seattle
[worker0]
distinguished_name = worker0_distinguished_name
prompt = no
req_extensions = worker0_req_extensions
[worker0_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker0 Certificate"
subjectAltName = DNS:worker0, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker0_distinguished_name]
CN = system:node:worker0
O = system:nodes
C = US
ST = Washington
L = Seattle
[worker1]
distinguished_name = worker1_distinguished_name
prompt = no
req_extensions = worker1_req_extensions
[worker1_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker1 Certificate"
subjectAltName = DNS:worker1, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker1_distinguished_name]
CN = system:node:worker1
O = system:nodes
C = US
ST = Washington
L = Seattle
[worker2]
distinguished_name = worker2_distinguished_name
prompt = no
req_extensions = worker2_req_extensions
[worker2_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker2 Certificate"
subjectAltName = DNS:worker2, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker2_distinguished_name]
CN = system:node:worker2
O = system:nodes
C = US
ST = Washington
L = Seattle
# Kube Proxy Section
[kube-proxy]
distinguished_name = kube-proxy_distinguished_name
prompt = no
req_extensions = kube-proxy_req_extensions
[kube-proxy_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Proxy Certificate"
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
subjectKeyIdentifier = hash
[kube-proxy_distinguished_name]
CN = system:kube-proxy
O = system:node-proxier
C = US
ST = Washington
L = Seattle
# Controller Manager
[kube-controller-manager]
distinguished_name = kube-controller-manager_distinguished_name
prompt = no
req_extensions = kube-controller-manager_req_extensions
[kube-controller-manager_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Controller Manager Certificate"
subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1
subjectKeyIdentifier = hash
[kube-controller-manager_distinguished_name]
CN = system:kube-controller-manager
O = system:kube-controller-manager
C = US
ST = Washington
L = Seattle
# Scheduler
[kube-scheduler]
distinguished_name = kube-scheduler_distinguished_name
prompt = no
req_extensions = kube-scheduler_req_extensions
[kube-scheduler_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Scheduler Certificate"
subjectAltName = DNS:kube-scheduler, IP:127.0.0.1
subjectKeyIdentifier = hash
[kube-scheduler_distinguished_name]
CN = system:kube-scheduler
O = system:system:kube-scheduler
C = US
ST = Washington
L = Seattle
# API Server
#
# The Kubernetes API server is automatically assigned the `kubernetes`
# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
# from the address range (`10.32.0.0/24`) reserved for internal cluster
# services.
[kube-api-server]
distinguished_name = kube-api-server_distinguished_name
prompt = no
req_extensions = kube-api-server_req_extensions
[kube-api-server_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client, server
nsComment = "Kube API Server Certificate"
subjectAltName = @kube-api-server_alt_names
subjectKeyIdentifier = hash
[kube-api-server_alt_names]
IP.0 = 127.0.0.1
IP.1 = 10.32.0.1
DNS.0 = kubernetes
DNS.1 = kubernetes.default
DNS.2 = kubernetes.default.svc
DNS.3 = kubernetes.default.svc.cluster
DNS.4 = kubernetes.svc.cluster.local
DNS.5 = server.kubernetes.local
DNS.6 = api-server.kubernetes.local
[kube-api-server_distinguished_name]
CN = kubernetes
C = US
ST = Washington
L = Seattle
[default_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Admin Client Certificate"
subjectKeyIdentifier = hash

12
nix/kubernetes/keys/package/k8s-ca/package.nix
View File

@ -9,13 +9,12 @@
# distPhase
{
stdenv,
sqlite,
cfssl,
openssl,
...
}:
stdenv.mkDerivation (finalAttrs: {
name = "k8s-ca";
nativeBuildInputs = [ cfssl ];
nativeBuildInputs = [ openssl ];
buildInputs = [ ];
unpackPhase = "true";
@ -23,6 +22,11 @@ stdenv.mkDerivation (finalAttrs: {
installPhase = ''
mkdir -p "$out"
cd "$out"
cfssl gencert -initca ${./files/ca-csr.json} | cfssljson -bare ca
openssl genrsa -out ca.key 4096
openssl req -x509 -new -sha512 -noenc \
-key ca.key -days 3653 \
-config ${./files/ca.conf} \
-out ca.crt
'';
})

52
nix/kubernetes/keys/package/k8s-client-config/package.nix Normal file
View File

@ -0,0 +1,52 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
stdenv,
k8s,
kubectl,
config_name,
config_user,
config_server,
...
}:
stdenv.mkDerivation (finalAttrs: {
name = "k8s-client-config-${config_name}";
nativeBuildInputs = [ kubectl ];
buildInputs = [ ];
unpackPhase = "true";
buildPhase = ''
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=${k8s.ca}/ca.crt \
--embed-certs=true \
--server=${config_server} \
--kubeconfig=${config_name}.kubeconfig
kubectl config set-credentials ${config_user} \
--client-certificate=${k8s.keys."${config_name}"}/${config_name}.crt \
--client-key=${k8s.keys."${config_name}"}/${config_name}.key \
--embed-certs=true \
--kubeconfig=${config_name}.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=${config_user} \
--kubeconfig=${config_name}.kubeconfig
kubectl config use-context default \
--kubeconfig=${config_name}.kubeconfig
'';
installPhase = ''
mkdir "$out"
cp "${config_name}.kubeconfig" $out/
'';
})

13
nix/kubernetes/keys/package/k8s-controller-proxy/files/ca-config.json
View File

@ -1,13 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}

16
nix/kubernetes/keys/package/k8s-controller-proxy/files/controller0-proxy-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "system:node:controller0",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

16
nix/kubernetes/keys/package/k8s-controller-proxy/files/controller1-proxy-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "system:node:controller1",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

16
nix/kubernetes/keys/package/k8s-controller-proxy/files/controller2-proxy-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "system:node:controller2",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

48
nix/kubernetes/keys/package/k8s-controller-proxy/package.nix
View File

@ -1,48 +0,0 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
lib,
stdenv,
sqlite,
cfssl,
k8s,
all_hostnames,
controllers,
...
}:
let
get_hostnames = (
hostname: (builtins.concatStringsSep "," ([ hostname ] ++ controllers."${hostname}".internal_ips))
);
install_body = (
lib.concatMapStringsSep "\n" (hostname: ''
cfssl gencert \
-ca=${k8s.requestheader-client-ca}/requestheader-client-ca.pem \
-ca-key=${k8s.requestheader-client-ca}/requestheader-client-ca-key.pem \
-config=${./files/ca-config.json} \
-hostname=${get_hostnames hostname} \
-profile=kubernetes \
${./files}/${hostname}-proxy-csr.json | cfssljson -bare ${hostname}-proxy
'') (builtins.attrNames controllers)
);
in
stdenv.mkDerivation (finalAttrs: {
name = "k8s-controller-proxy";
nativeBuildInputs = [ cfssl ];
buildInputs = [ ];
unpackPhase = "true";
installPhase = ''
mkdir -p "$out"
cd "$out"
''
+ install_body;
})

13
nix/kubernetes/keys/package/k8s-keys/files/ca-config.json
View File

@ -1,13 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}

16
nix/kubernetes/keys/package/k8s-keys/files/kubernetes-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

8
nix/kubernetes/keys/package/k8s-keys/package.nix
View File

@ -6,10 +6,8 @@
symlinkJoin {
name = "k8s-keys";
paths = [
k8s.kubernetes
k8s.ca
k8s.service_account
k8s.requestheader-client-ca
k8s.controller-proxy
];
]
++ (builtins.attrValues k8s.keys)
++ (builtins.attrValues k8s.client-configs);
}

13
nix/kubernetes/keys/package/k8s-kubernetes/files/ca-config.json
View File

@ -1,13 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}

16
nix/kubernetes/keys/package/k8s-kubernetes/files/kubernetes-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

36
nix/kubernetes/keys/package/k8s-kubernetes/package.nix
View File

@ -1,36 +0,0 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
stdenv,
sqlite,
cfssl,
k8s,
all_hostnames,
...
}:
stdenv.mkDerivation (finalAttrs: {
name = "k8s-kubernetes";
nativeBuildInputs = [ cfssl ];
buildInputs = [ ];
unpackPhase = "true";
installPhase = ''
mkdir -p "$out"
cd "$out"
cfssl gencert \
-ca=${k8s.ca}/ca.pem \
-ca-key=${k8s.ca}/ca-key.pem \
-config=${./files/ca-config.json} \
-hostname=${builtins.concatStringsSep "," all_hostnames} \
-profile=kubernetes \
${./files/kubernetes-csr.json} | cfssljson -bare kubernetes
'';
})

16
nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}

13
nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
View File

@ -1,13 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}

16
nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
View File

@ -1,16 +0,0 @@
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}

35
nix/kubernetes/keys/package/k8s-service-account/package.nix
View File

@ -1,35 +0,0 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
stdenv,
sqlite,
cfssl,
k8s,
all_hostnames,
...
}:
stdenv.mkDerivation (finalAttrs: {
name = "k8s-service-account";
nativeBuildInputs = [ cfssl ];
buildInputs = [ ];
unpackPhase = "true";
installPhase = ''
mkdir -p "$out"
cd "$out"
cfssl gencert \
-ca=${k8s.ca}/ca.pem \
-ca-key=${k8s.ca}/ca-key.pem \
-config=${./files/ca-config.json} \
-profile=kubernetes \
${./files/service-account-csr.json} | cfssljson -bare service-account
'';
})

45
nix/kubernetes/keys/package/tls-key/package.nix Normal file
View File

@ -0,0 +1,45 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
stdenv,
openssl,
k8s,
key_name,
...
}:
stdenv.mkDerivation (finalAttrs: {
name = "tls-key-${key_name}";
nativeBuildInputs = [ openssl ];
buildInputs = [ ];
unpackPhase = "true";
buildPhase = ''
cp ${k8s.ca}/ca.crt ${k8s.ca}/ca.key ./
openssl genrsa -out "${key_name}.key" 4096
openssl req -new -key "${key_name}.key" -sha256 \
-config "${../k8s-ca/files/ca.conf}" -section ${key_name} \
-out "${key_name}.csr"
openssl x509 -req -days 3653 -in "${key_name}.csr" \
-copy_extensions copyall \
-sha256 -CA "./ca.crt" \
-CAkey "./ca.key" \
-CAcreateserial \
-out "${key_name}.crt"
'';
installPhase = ''
mkdir "$out"
cp "${key_name}.crt" "${key_name}.key" $out/
'';
})

75
nix/kubernetes/keys/scope.nix
View File

@ -250,13 +250,74 @@ makeScope newScope (
in
{
ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
kubernetes = (callPackage ./package/k8s-kubernetes/package.nix additional_vars);
service_account = (callPackage ./package/k8s-service-account/package.nix additional_vars);
requestheader-client-ca = (
callPackage ./package/k8s-requestheader-client-ca/package.nix additional_vars
keys = (
lib.genAttrs [
"admin"
"controller0"
"controller1"
"controller2"
"worker0"
"worker1"
"worker2"
"kube-proxy"
"kube-scheduler"
"kube-controller-manager"
"kube-api-server"
"service-accounts"
] (key_name: (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; })))
);
controller-proxy = (callPackage ./package/k8s-controller-proxy/package.nix additional_vars);
keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (writeShellScript "deploy-keys" deploy_script);
client-configs = (
builtins.mapAttrs
(
config_name: config:
(callPackage ./package/k8s-client-config/package.nix (
additional_vars // { inherit config_name; } // config
))
)
{
controller0 = {
config_user = "system:node:controller0";
config_server = "https://server.kubernetes.local:6443";
};
controller1 = {
config_user = "system:node:controller1";
config_server = "https://server.kubernetes.local:6443";
};
controller2 = {
config_user = "system:node:controller2";
config_server = "https://server.kubernetes.local:6443";
};
worker0 = {
config_user = "system:node:worker0";
config_server = "https://server.kubernetes.local:6443";
};
worker1 = {
config_user = "system:node:worker1";
config_server = "https://server.kubernetes.local:6443";
};
worker2 = {
config_user = "system:node:worker2";
config_server = "https://server.kubernetes.local:6443";
};
kube-proxy = {
config_user = "system:kube-proxy";
config_server = "https://server.kubernetes.local:6443";
};
kube-controller-manager = {
config_user = "system:kube-controller-manager";
config_server = "https://server.kubernetes.local:6443";
};
kube-scheduler = {
config_user = "system:kube-scheduler";
config_server = "https://server.kubernetes.local:6443";
};
admin = {
config_user = "admin";
config_server = "https://127.0.0.1:6443";
};
}
);
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
}
)