diff --git a/nix/kubernetes/keys/flake.nix b/nix/kubernetes/keys/flake.nix
index 3fae6839..af515b51 100644
--- a/nix/kubernetes/keys/flake.nix
+++ b/nix/kubernetes/keys/flake.nix
@@ -19,7 +19,7 @@
 in {
 deploy_script = appliedOverlay.k8s.deploy_script;
- default = appliedOverlay.k8s.keys;
+ default = appliedOverlay.k8s.all_keys;
 }
 );
 overlays.default = (
diff --git a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
similarity index 52%
rename from nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix
rename to nix/kubernetes/keys/package/deploy-script/package.nix
index 4d907f50..dfe85edd 100644
--- a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -9,22 +9,22 @@
 # distPhase
 {
 stdenv,
- sqlite,
- cfssl,
+ writeShellScript,
 k8s,
- all_hostnames,
 ...
 }:
+let
+ deploy_script_body = "";
+ deploy_script = (writeShellScript "deploy-script" deploy_script_body);
+in
 stdenv.mkDerivation (finalAttrs: {
- name = "k8s-service-account";
- nativeBuildInputs = [ cfssl ];
+ name = "deploy-script";
+ nativeBuildInputs = [ ];
 buildInputs = [ ];
 unpackPhase = "true";
 installPhase = ''
- mkdir -p "$out"
- cd "$out"
- cfssl gencert -initca ${./files/requestheader-client-ca-csr.json} | cfssljson -bare requestheader-client-ca
+ cp ${deploy_script} "$out"
 '';
 })
diff --git a/nix/kubernetes/keys/package/k8s-ca/files/ca-csr.json b/nix/kubernetes/keys/package/k8s-ca/files/ca-csr.json
deleted file mode 100644
index 8145e503..00000000
--- a/nix/kubernetes/keys/package/k8s-ca/files/ca-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "Kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "CA",
- "ST": "Oregon"
- }
- ]
-}
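Review bot: `deploy_script_body = "";` makes the renamed package emit an empty shell script, so the `deploy_script` that scope.nix now builds from this file (and that flake.nix exposes) does nothing; the previous `writeShellScript "deploy-keys" deploy_script` in scope.nix, removed later in this diff, took its body from a binding that is not visible here and is not passed to this package. If this is intentional scaffolding, a `# TODO: port the deploy-keys body here` comment next to the assignment would make that explicit; otherwise the body should arrive as an argument in the function header, e.g. `deploy_script_body,` alongside `k8s,`, rather than being hard-coded. The `k8s` argument is kept in the header but no longer referenced anywhere in the file.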
diff --git a/nix/kubernetes/keys/package/k8s-ca/files/ca.conf b/nix/kubernetes/keys/package/k8s-ca/files/ca.conf
new file mode 100644
index 00000000..3c7021c7
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-ca/files/ca.conf
@@ -0,0 +1,291 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = ca_x509_extensions
+
+[ca_x509_extensions]
+basicConstraints = CA:TRUE
+keyUsage = cRLSign, keyCertSign
+
+[req_distinguished_name]
+C = US
+ST = Washington
+L = Seattle
+CN = CA
+
+[admin]
+distinguished_name = admin_distinguished_name
+prompt = no
+req_extensions = default_req_extensions
+
+[admin_distinguished_name]
+CN = admin
+O = system:masters
+
+# Service Accounts
+#
+# The Kubernetes Controller Manager leverages a key pair to generate
+# and sign service account tokens as described in the
+# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)
+# documentation.
+
+[service-accounts]
+distinguished_name = service-accounts_distinguished_name
+prompt = no
+req_extensions = default_req_extensions
+
+[service-accounts_distinguished_name]
+CN = service-accounts
+
+# Worker Nodes
+#
+# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
+# called Node Authorizer, that specifically authorizes API requests made
+# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
+# In order to be authorized by the Node Authorizer, Kubelets must use a credential
+# that identifies them as being in the `system:nodes` group, with a username
+# of `system:node:`.
+
+[controller0]
+distinguished_name = controller0_distinguished_name
+prompt = no
+req_extensions = controller0_req_extensions
+
+[controller0_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "controller0 Certificate"
+subjectAltName = DNS:controller0, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[controller0_distinguished_name]
+CN = system:node:controller0
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+[controller1]
+distinguished_name = controller1_distinguished_name
+prompt = no
+req_extensions = controller1_req_extensions
+
+[controller1_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "controller1 Certificate"
+subjectAltName = DNS:controller1, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[controller1_distinguished_name]
+CN = system:node:controller1
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+[controller2]
+distinguished_name = controller2_distinguished_name
+prompt = no
+req_extensions = controller2_req_extensions
+
+[controller2_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "controller2 Certificate"
+subjectAltName = DNS:controller2, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[controller2_distinguished_name]
+CN = system:node:controller2
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+[worker0]
+distinguished_name = worker0_distinguished_name
+prompt = no
+req_extensions = worker0_req_extensions
+
+[worker0_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "worker0 Certificate"
+subjectAltName = DNS:worker0, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[worker0_distinguished_name]
+CN = system:node:worker0
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+[worker1]
+distinguished_name = worker1_distinguished_name
+prompt = no
+req_extensions = worker1_req_extensions
+
+[worker1_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "worker1 Certificate"
+subjectAltName = DNS:worker1, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[worker1_distinguished_name]
+CN = system:node:worker1
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+[worker2]
+distinguished_name = worker2_distinguished_name
+prompt = no
+req_extensions = worker2_req_extensions
+
+[worker2_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "worker2 Certificate"
+subjectAltName = DNS:worker2, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[worker2_distinguished_name]
+CN = system:node:worker2
+O = system:nodes
+C = US
+ST = Washington
+L = Seattle
+
+
+
+# Kube Proxy Section
+[kube-proxy]
+distinguished_name = kube-proxy_distinguished_name
+prompt = no
+req_extensions = kube-proxy_req_extensions
+
+[kube-proxy_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "Kube Proxy Certificate"
+subjectAltName = DNS:kube-proxy, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[kube-proxy_distinguished_name]
+CN = system:kube-proxy
+O = system:node-proxier
+C = US
+ST = Washington
+L = Seattle
+
+
+# Controller Manager
+[kube-controller-manager]
+distinguished_name = kube-controller-manager_distinguished_name
+prompt = no
+req_extensions = kube-controller-manager_req_extensions
+
+[kube-controller-manager_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "Kube Controller Manager Certificate"
+subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[kube-controller-manager_distinguished_name]
+CN = system:kube-controller-manager
+O = system:kube-controller-manager
+C = US
+ST = Washington
+L = Seattle
+
+
+# Scheduler
+[kube-scheduler]
+distinguished_name = kube-scheduler_distinguished_name
+prompt = no
+req_extensions = kube-scheduler_req_extensions
+
+[kube-scheduler_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "Kube Scheduler Certificate"
+subjectAltName = DNS:kube-scheduler, IP:127.0.0.1
+subjectKeyIdentifier = hash
+
+[kube-scheduler_distinguished_name]
+CN = system:kube-scheduler
+O = system:system:kube-scheduler
+C = US
+ST = Washington
+L = Seattle
+
+
+# API Server
+#
+# The Kubernetes API server is automatically assigned the `kubernetes`
+# internal dns name, which will be linked to the first IP address (`10.32.0.1`)
+# from the address range (`10.32.0.0/24`) reserved for internal cluster
+# services.
+
+[kube-api-server]
+distinguished_name = kube-api-server_distinguished_name
+prompt = no
+req_extensions = kube-api-server_req_extensions
+
+[kube-api-server_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client, server
+nsComment = "Kube API Server Certificate"
+subjectAltName = @kube-api-server_alt_names
+subjectKeyIdentifier = hash
+
+[kube-api-server_alt_names]
+IP.0 = 127.0.0.1
+IP.1 = 10.32.0.1
+DNS.0 = kubernetes
+DNS.1 = kubernetes.default
+DNS.2 = kubernetes.default.svc
+DNS.3 = kubernetes.default.svc.cluster
+DNS.4 = kubernetes.svc.cluster.local
+DNS.5 = server.kubernetes.local
+DNS.6 = api-server.kubernetes.local
+
+[kube-api-server_distinguished_name]
+CN = kubernetes
+C = US
+ST = Washington
+L = Seattle
+
+
+[default_req_extensions]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth
+keyUsage = critical, digitalSignature, keyEncipherment
+nsCertType = client
+nsComment = "Admin Client Certificate"
+subjectKeyIdentifier = hash
diff --git a/nix/kubernetes/keys/package/k8s-ca/package.nix b/nix/kubernetes/keys/package/k8s-ca/package.nix
index a2425cb5..eed2a777 100644
--- a/nix/kubernetes/keys/package/k8s-ca/package.nix
+++ b/nix/kubernetes/keys/package/k8s-ca/package.nix
@@ -9,13 +9,12 @@
 # distPhase
 {
 stdenv,
- sqlite,
- cfssl,
+ openssl,
 ...
 }:
 stdenv.mkDerivation (finalAttrs: {
 name = "k8s-ca";
- nativeBuildInputs = [ cfssl ];
+ nativeBuildInputs = [ openssl ];
 buildInputs = [ ];
 unpackPhase = "true";
@@ -23,6 +22,11 @@ stdenv.mkDerivation (finalAttrs: {
 installPhase = ''
 mkdir -p "$out"
 cd "$out"
- cfssl gencert -initca ${./files/ca-csr.json} | cfssljson -bare ca
+
+ openssl genrsa -out ca.key 4096
+ openssl req -x509 -new -sha512 -noenc \
+ -key ca.key -days 3653 \
+ -config ${./files/ca.conf} \
+ -out ca.crt
 '';
 })
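Review bot: `O = system:system:kube-scheduler` in `[kube-scheduler_distinguished_name]` has the `system:` prefix doubled; every other component section uses a single prefix and the `CN` on the line above is already `system:kube-scheduler`, so this should read `O = system:kube-scheduler`. Separately, `basicConstraints = CA:TRUE` in `[ca_x509_extensions]` is not marked critical, while the leaf sections already mark `keyUsage` critical; `basicConstraints = critical, CA:TRUE` is the conventional form for a root and keeps the file consistent. The shared `[default_req_extensions]` block is used by both `admin` and `service-accounts` but carries `nsComment = "Admin Client Certificate"`, which is misleading on the service-account certificate; a neutral comment, or a dedicated section for service-accounts, would avoid that.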
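Review bot: `openssl genrsa -out ca.key 4096` followed by the `$out` install means the CA private key lives in the Nix store, which is world-readable on the build host and, if the host pushes to a binary cache, is copied there as well; `tls-key/package.nix` and `k8s-client-config/package.nix` later in this diff have the same property (they copy `ca.key` into the build and embed leaf keys into kubeconfigs). The key is also regenerated whenever this derivation rebuilds, so any input change silently produces a new CA and invalidates every leaf certificate and kubeconfig derived from it. If this is a lab setup that is acceptable, but it deserves a header comment such as `# NOTE: ca.key is written to /nix/store (world-readable, cacheable) and regenerated on every rebuild; lab use only`; for anything else, generating the CA outside the store at deploy time is the safer shape.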
diff --git a/nix/kubernetes/keys/package/k8s-client-config/package.nix b/nix/kubernetes/keys/package/k8s-client-config/package.nix
new file mode 100644
index 00000000..d81f44f4
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-client-config/package.nix
@@ -0,0 +1,52 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+ stdenv,
+ k8s,
+ kubectl,
+ config_name,
+ config_user,
+ config_server,
+ ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+ name = "k8s-client-config-${config_name}";
+ nativeBuildInputs = [ kubectl ];
+ buildInputs = [ ];
+
+ unpackPhase = "true";
+
+ buildPhase = ''
+ kubectl config set-cluster kubernetes-the-hard-way \
+ --certificate-authority=${k8s.ca}/ca.crt \
+ --embed-certs=true \
+ --server=${config_server} \
+ --kubeconfig=${config_name}.kubeconfig
+
+ kubectl config set-credentials ${config_user} \
+ --client-certificate=${k8s.keys."${config_name}"}/${config_name}.crt \
+ --client-key=${k8s.keys."${config_name}"}/${config_name}.key \
+ --embed-certs=true \
+ --kubeconfig=${config_name}.kubeconfig
+
+ kubectl config set-context default \
+ --cluster=kubernetes-the-hard-way \
+ --user=${config_user} \
+ --kubeconfig=${config_name}.kubeconfig
+
+ kubectl config use-context default \
+ --kubeconfig=${config_name}.kubeconfig
+ '';
+
+ installPhase = ''
+ mkdir "$out"
+ cp "${config_name}.kubeconfig" $out/
+ '';
+})
diff --git a/nix/kubernetes/keys/package/k8s-controller-proxy/files/ca-config.json b/nix/kubernetes/keys/package/k8s-controller-proxy/files/ca-config.json
deleted file mode 100644
index a63e0dd2..00000000
--- a/nix/kubernetes/keys/package/k8s-controller-proxy/files/ca-config.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
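Review bot: `cp "${config_name}.kubeconfig" $out/` in installPhase leaves `$out` unquoted while the `mkdir "$out"` line above quotes it; `cp "${config_name}.kubeconfig" "$out/"` keeps the two consistent. The `--server=${config_server}`, `--client-certificate=…` and `--kubeconfig=${config_name}.kubeconfig` interpolations in buildPhase are likewise unquoted; they work for the values scope.nix passes today, but quoting them costs nothing and protects the build if a server URL or name ever contains a shell-special character. A one-line comment above buildPhase noting that `--embed-certs=true` copies the client private key into the resulting kubeconfig would also help readers understand what the output file contains.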
diff --git a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller0-proxy-csr.json b/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller0-proxy-csr.json
deleted file mode 100644
index 31a18eac..00000000
--- a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller0-proxy-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:node:controller0",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:nodes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller1-proxy-csr.json b/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller1-proxy-csr.json
deleted file mode 100644
index b5defb2b..00000000
--- a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller1-proxy-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:node:controller1",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:nodes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller2-proxy-csr.json b/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller2-proxy-csr.json
deleted file mode 100644
index 09c26666..00000000
--- a/nix/kubernetes/keys/package/k8s-controller-proxy/files/controller2-proxy-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:node:controller2",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:nodes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-controller-proxy/package.nix b/nix/kubernetes/keys/package/k8s-controller-proxy/package.nix
deleted file mode 100644
index ba965bbb..00000000
--- a/nix/kubernetes/keys/package/k8s-controller-proxy/package.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-# unpackPhase
-# patchPhase
-# configurePhase
-# buildPhase
-# checkPhase
-# installPhase
-# fixupPhase
-# installCheckPhase
-# distPhase
-{
- lib,
- stdenv,
- sqlite,
- cfssl,
- k8s,
- all_hostnames,
- controllers,
- ...
-}:
-let
- get_hostnames = (
- hostname: (builtins.concatStringsSep "," ([ hostname ] ++ controllers."${hostname}".internal_ips))
- );
- install_body = (
- lib.concatMapStringsSep "\n" (hostname: ''
- cfssl gencert \
- -ca=${k8s.requestheader-client-ca}/requestheader-client-ca.pem \
- -ca-key=${k8s.requestheader-client-ca}/requestheader-client-ca-key.pem \
- -config=${./files/ca-config.json} \
- -hostname=${get_hostnames hostname} \
- -profile=kubernetes \
- ${./files}/${hostname}-proxy-csr.json | cfssljson -bare ${hostname}-proxy
- '') (builtins.attrNames controllers)
- );
-in
-stdenv.mkDerivation (finalAttrs: {
- name = "k8s-controller-proxy";
- nativeBuildInputs = [ cfssl ];
- buildInputs = [ ];
-
- unpackPhase = "true";
-
- installPhase = ''
- mkdir -p "$out"
- cd "$out"
- ''
- + install_body;
-})
diff --git a/nix/kubernetes/keys/package/k8s-keys/files/ca-config.json b/nix/kubernetes/keys/package/k8s-keys/files/ca-config.json
deleted file mode 100644
index a63e0dd2..00000000
--- a/nix/kubernetes/keys/package/k8s-keys/files/ca-config.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
diff --git a/nix/kubernetes/keys/package/k8s-keys/files/kubernetes-csr.json b/nix/kubernetes/keys/package/k8s-keys/files/kubernetes-csr.json
deleted file mode 100644
index 778db632..00000000
--- a/nix/kubernetes/keys/package/k8s-keys/files/kubernetes-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 151e9ecb..fd858828 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -6,10 +6,8 @@
 symlinkJoin {
 name = "k8s-keys";
 paths = [
- k8s.kubernetes
 k8s.ca
- k8s.service_account
- k8s.requestheader-client-ca
- k8s.controller-proxy
- ];
+ ]
+ ++ (builtins.attrValues k8s.keys)
+ ++ (builtins.attrValues k8s.client-configs);
 }
diff --git a/nix/kubernetes/keys/package/k8s-kubernetes/files/ca-config.json b/nix/kubernetes/keys/package/k8s-kubernetes/files/ca-config.json
deleted file mode 100644
index a63e0dd2..00000000
--- a/nix/kubernetes/keys/package/k8s-kubernetes/files/ca-config.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
diff --git a/nix/kubernetes/keys/package/k8s-kubernetes/files/kubernetes-csr.json b/nix/kubernetes/keys/package/k8s-kubernetes/files/kubernetes-csr.json
deleted file mode 100644
index 778db632..00000000
--- a/nix/kubernetes/keys/package/k8s-kubernetes/files/kubernetes-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-kubernetes/package.nix b/nix/kubernetes/keys/package/k8s-kubernetes/package.nix
deleted file mode 100644
index daadf888..00000000
--- a/nix/kubernetes/keys/package/k8s-kubernetes/package.nix
+++ /dev/null
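Review bot: `paths = [ k8s.ca ] ++ …` joins the whole `k8s.ca` output, which according to `k8s-ca/package.nix` in this diff contains `ca.key` next to `ca.crt`, so the `all_keys` bundle that flake.nix now exposes as `default` carries the CA signing key together with every leaf key and kubeconfig. If this bundle is what gets copied to nodes, only `ca.crt` belongs in it; a small derivation that installs just the certificate from `k8s.ca`, used here in place of `k8s.ca`, would keep the signing key out of the deploy set. The symlinkJoin also assumes no two inputs export the same file name at their root, which holds for the current `*.crt`/`*.key`/`*.kubeconfig` layout but is worth a one-line comment, e.g. `# inputs must not share file names: symlinkJoin would collide`.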
@@ -1,36 +0,0 @@
-# unpackPhase
-# patchPhase
-# configurePhase
-# buildPhase
-# checkPhase
-# installPhase
-# fixupPhase
-# installCheckPhase
-# distPhase
-{
- stdenv,
- sqlite,
- cfssl,
- k8s,
- all_hostnames,
- ...
-}:
-stdenv.mkDerivation (finalAttrs: {
- name = "k8s-kubernetes";
- nativeBuildInputs = [ cfssl ];
- buildInputs = [ ];
-
- unpackPhase = "true";
-
- installPhase = ''
- mkdir -p "$out"
- cd "$out"
- cfssl gencert \
- -ca=${k8s.ca}/ca.pem \
- -ca-key=${k8s.ca}/ca-key.pem \
- -config=${./files/ca-config.json} \
- -hostname=${builtins.concatStringsSep "," all_hostnames} \
- -profile=kubernetes \
- ${./files/kubernetes-csr.json} | cfssljson -bare kubernetes
- '';
-})
diff --git a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json b/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json
deleted file mode 100644
index 8145e503..00000000
--- a/nix/kubernetes/keys/package/k8s-requestheader-client-ca/files/requestheader-client-ca-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "Kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "CA",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json b/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
deleted file mode 100644
index a63e0dd2..00000000
--- a/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
diff --git a/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json b/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
deleted file mode 100644
index be3c0ca4..00000000
--- a/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "service-accounts",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/nix/kubernetes/keys/package/k8s-service-account/package.nix b/nix/kubernetes/keys/package/k8s-service-account/package.nix
deleted file mode 100644
index 717f0595..00000000
--- a/nix/kubernetes/keys/package/k8s-service-account/package.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-# unpackPhase
-# patchPhase
-# configurePhase
-# buildPhase
-# checkPhase
-# installPhase
-# fixupPhase
-# installCheckPhase
-# distPhase
-{
- stdenv,
- sqlite,
- cfssl,
- k8s,
- all_hostnames,
- ...
-}:
-stdenv.mkDerivation (finalAttrs: {
- name = "k8s-service-account";
- nativeBuildInputs = [ cfssl ];
- buildInputs = [ ];
-
- unpackPhase = "true";
-
- installPhase = ''
- mkdir -p "$out"
- cd "$out"
- cfssl gencert \
- -ca=${k8s.ca}/ca.pem \
- -ca-key=${k8s.ca}/ca-key.pem \
- -config=${./files/ca-config.json} \
- -profile=kubernetes \
- ${./files/service-account-csr.json} | cfssljson -bare service-account
- '';
-})
diff --git a/nix/kubernetes/keys/package/tls-key/package.nix b/nix/kubernetes/keys/package/tls-key/package.nix
new file mode 100644
index 00000000..437099e1
--- /dev/null
+++ b/nix/kubernetes/keys/package/tls-key/package.nix
@@ -0,0 +1,45 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+ stdenv,
+ openssl,
+ k8s,
+ key_name,
+ ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+ name = "tls-key-${key_name}";
+ nativeBuildInputs = [ openssl ];
+ buildInputs = [ ];
+
+ unpackPhase = "true";
+
+ buildPhase = ''
+ cp ${k8s.ca}/ca.crt ${k8s.ca}/ca.key ./
+
+ openssl genrsa -out "${key_name}.key" 4096
+
+ openssl req -new -key "${key_name}.key" -sha256 \
+ -config "${../k8s-ca/files/ca.conf}" -section ${key_name} \
+ -out "${key_name}.csr"
+
+ openssl x509 -req -days 3653 -in "${key_name}.csr" \
+ -copy_extensions copyall \
+ -sha256 -CA "./ca.crt" \
+ -CAkey "./ca.key" \
+ -CAcreateserial \
+ -out "${key_name}.crt"
+ '';
+
+ installPhase = ''
+ mkdir "$out"
+ cp "${key_name}.crt" "${key_name}.key" $out/
+ '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index 21acdcec..4e32a2dd 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
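Review bot: `openssl x509 -req -days 3653` gives every leaf certificate the same ten-year lifetime as the CA in `k8s-ca/package.nix`, and the number is duplicated between the two files; since this package is already parameterised by `key_name`, a `days ? 365,` argument in the header and `-days ${toString days}` here would let node and client certificates be rotated on a shorter cycle without editing the package. `-copy_extensions copyall` makes the signing step honour whatever the CSR carries, which is only safe because the CSR is produced two lines above from the repository's own `ca.conf` section; a comment such as `# copyall is safe only because the CSR comes from our ca.conf, never from an external requester` would stop a later change to accept external CSRs from inheriting it silently. The `cp ${k8s.ca}/ca.crt ${k8s.ca}/ca.key ./` line appears to exist so that `-CAcreateserial` can write its serial file next to a writable copy of the CA; that intent is worth a one-line comment too.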
@@ -250,13 +250,74 @@ makeScope newScope (
 in {
 ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
- kubernetes = (callPackage ./package/k8s-kubernetes/package.nix additional_vars);
- service_account = (callPackage ./package/k8s-service-account/package.nix additional_vars);
- requestheader-client-ca = (
- callPackage ./package/k8s-requestheader-client-ca/package.nix additional_vars
+ keys = (
+ lib.genAttrs [
+ "admin"
+ "controller0"
+ "controller1"
+ "controller2"
+ "worker0"
+ "worker1"
+ "worker2"
+ "kube-proxy"
+ "kube-scheduler"
+ "kube-controller-manager"
+ "kube-api-server"
+ "service-accounts"
+ ] (key_name: (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; })))
 );
- controller-proxy = (callPackage ./package/k8s-controller-proxy/package.nix additional_vars);
- keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
- deploy_script = (writeShellScript "deploy-keys" deploy_script);
+ client-configs = (
+ builtins.mapAttrs
+ (
+ config_name: config:
+ (callPackage ./package/k8s-client-config/package.nix (
+ additional_vars // { inherit config_name; } // config
+ ))
+ )
+ {
+ controller0 = {
+ config_user = "system:node:controller0";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ controller1 = {
+ config_user = "system:node:controller1";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ controller2 = {
+ config_user = "system:node:controller2";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ worker0 = {
+ config_user = "system:node:worker0";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ worker1 = {
+ config_user = "system:node:worker1";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ worker2 = {
+ config_user = "system:node:worker2";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ kube-proxy = {
+ config_user = "system:kube-proxy";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ kube-controller-manager = {
+ config_user = "system:kube-controller-manager";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ kube-scheduler = {
+ config_user = "system:kube-scheduler";
+ config_server = "https://server.kubernetes.local:6443";
+ };
+ admin = {
+ config_user = "admin";
+ config_server = "https://127.0.0.1:6443";
+ };
+ }
+ );
+ all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
+ deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
 }
 )
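Review bot: The twelve names handed to `lib.genAttrs` and the ten attribute names under `client-configs` are maintained by hand in two places, and both must also match the `[section]` names in `k8s-ca/files/ca.conf`, because `tls-key/package.nix` passes each name to `openssl req -section`; a mismatch only surfaces as an OpenSSL failure at build time. Defining the key list once in the `let` above this hunk and deriving the `client-configs` entries from it (or the reverse) would remove that drift, and hoisting the nine identical `config_server = "https://server.kubernetes.local:6443";` lines into a default that only `admin` overrides would shrink the table considerably. The old `deploy_script` was built from a `deploy_script` string bound above this hunk; the new `./package/deploy-script/package.nix` does not receive it and, as written in this diff, has an empty body. The enclosing `let … in` starts before the hunk.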