From 626055e06398643fe1bcd7f71f7e72069f96eb51 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 14 Dec 2025 13:37:46 -0500
Subject: [PATCH] Add service account.

---
 .../keys/package/k8s-keys/package.nix | 1 +
 .../keys/package/k8s-kubernetes/package.nix | 2 +-
 .../k8s-service-account/files/ca-config.json | 13 +++++++
 .../files/service-account-csr.json | 16 +++++++++
 .../package/k8s-service-account/package.nix | 35 +++++++++++++++++++
 nix/kubernetes/keys/scope.nix | 15 ++++++++
 .../roles/kube_apiserver/default.nix | 4 +-
 7 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
 create mode 100644 nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
 create mode 100644 nix/kubernetes/keys/package/k8s-service-account/package.nix

diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index a890aa3c..497f1e07 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -8,5 +8,6 @@ symlinkJoin {
   paths = [
     k8s.kubernetes
     k8s.ca
+    k8s.service_account
   ];
 }
diff --git a/nix/kubernetes/keys/package/k8s-kubernetes/package.nix b/nix/kubernetes/keys/package/k8s-kubernetes/package.nix
index 4bef3ed8..daadf888 100644
--- a/nix/kubernetes/keys/package/k8s-kubernetes/package.nix
+++ b/nix/kubernetes/keys/package/k8s-kubernetes/package.nix
@@ -16,7 +16,7 @@
   ...
 }:
 stdenv.mkDerivation (finalAttrs: {
-  name = "k8s-keys";
+  name = "k8s-kubernetes";
   nativeBuildInputs = [ cfssl ];
   buildInputs = [ ];
 
diff --git a/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json b/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
new file mode 100644
index 00000000..a63e0dd2
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-service-account/files/ca-config.json
@@ -0,0 +1,13 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
diff --git a/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json b/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
new file mode 100644
index 00000000..be3c0ca4
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-service-account/files/service-account-csr.json
@@ -0,0 +1,16 @@
+{
+  "CN": "service-accounts",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
diff --git a/nix/kubernetes/keys/package/k8s-service-account/package.nix b/nix/kubernetes/keys/package/k8s-service-account/package.nix
new file mode 100644
index 00000000..717f0595
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-service-account/package.nix
@@ -0,0 +1,35 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  sqlite,
+  cfssl,
+  k8s,
+  all_hostnames,
+  ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+  name = "k8s-service-account";
+  nativeBuildInputs = [ cfssl ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  installPhase = ''
+    mkdir -p "$out"
+    cd "$out"
+    cfssl gencert \
+      -ca=${k8s.ca}/ca.pem \
+      -ca-key=${k8s.ca}/ca-key.pem \
+      -config=${./files/ca-config.json} \
+      -profile=kubernetes \
+      ${./files/service-account-csr.json} | cfssljson -bare service-account
+  '';
+})
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index 402c7338..9135e969 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
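Review bot: The signing profile for the service-account key, `"usages": ["signing", "key encipherment", "server auth", "client auth"]`, grants TLS server and client authentication to a certificate whose only role here is to carry the public key that kube-apiserver loads via `--service-account-key-file`. Because the certificate is issued by `k8s.ca` — which appears to be the cluster CA the apiserver also trusts for client certificates, though `--client-ca-file` is not in this diff — a leaked `service-account-key.pem` would double as a valid client identity with the CN `service-accounts` / O `Kubernetes` subject from the CSR in the next hunk, on top of being able to mint tokens. kube-apiserver only extracts the public key from the PEM, so the usages can be narrowed with no functional loss: `"usages": ["signing"],`. Renaming the profile from `kubernetes` to something like `service-account` (and updating `-profile=` in package.nix to match) would also make the intent clear, since this file otherwise reads as a copy of the TLS profile.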
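Review bot: `installPhase` writes `service-account-key.pem` — the private key that signs every service-account token the cluster issues — into `$out`, i.e. the world-readable Nix store, and the `mode = "0600"` applied later in scope.nix only protects the deployed copy after the key has already been readable by every user and process on the build host and by any binary cache the derivation is pushed to. The same pattern already applies to `${k8s.ca}/ca-key.pem`, so this may be an accepted trade-off for the repository; if so it deserves a comment on the derivation saying that, and otherwise the key should be generated at deploy time outside the store. Separately, `sqlite` and `all_hostnames` are declared as function arguments but never used in this file, so `sqlite,` and `all_hostnames,` can be dropped, and `dontUnpack = true;` is the stdenv idiom for what `unpackPhase = "true";` works around. The nine `# …Phase` comment lines at the top describe nothing specific to this package and could go.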
@@ -137,6 +137,20 @@ makeScope newScope (
       group = 10024;
       mode = "0600";
     }
+    {
+      dest_dir = "/vm/${vm_name}/persist/keys/kube";
+      file = "${self.service_account}/service-account.pem";
+      owner = 10024;
+      group = 10024;
+      mode = "0600";
+    }
+    {
+      dest_dir = "/vm/${vm_name}/persist/keys/kube";
+      file = "${self.service_account}/service-account-key.pem";
+      owner = 10024;
+      group = 10024;
+      mode = "0600";
+    }
   ])
 )
 );
@@ -181,6 +195,7 @@ makeScope newScope (
 {
   ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
   kubernetes = (callPackage ./package/k8s-kubernetes/package.nix additional_vars);
+  service_account = (callPackage ./package/k8s-service-account/package.nix additional_vars);
   keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
   deploy_script = (writeShellScript "deploy-keys" deploy_script);
 }
diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix
index 4c67ff16..bbaee42d 100644
--- a/nix/kubernetes/roles/kube_apiserver/default.nix
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
@@ -77,8 +77,8 @@ in
   "--kubelet-client-certificate=/.persist/keys/kube/kubernetes.pem"
   "--kubelet-client-key=/.persist/keys/kube/kubernetes-key.pem"
   "--runtime-config='api/all=true'"
-  "--service-account-key-file=/var/lib/kubernetes/service-account.pem"
-  "--service-account-signing-key-file=/var/lib/kubernetes/service-account-key.pem"
+  "--service-account-key-file=/.persist/keys/kube/service-account.pem"
+  "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
   "--service-account-issuer=https://{{ kubernetes_public_address }}:6443"
   "--service-node-port-range=30000-32767"
   "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"