diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index 7e21d75f..6d325436 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -85,6 +85,49 @@ let
 group = 10016;
 mode = "0640";
 }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.ca}/ca.crt";
+ owner = 10024;
+ group = 10024;
+ mode = "0640";
+ }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.keys.kube-api-server}/kube-api-server.crt";
+ owner = 10024;
+ group = 10024;
+ mode = "0640";
+ }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.keys.kube-api-server}/kube-api-server.key";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.encryption_config}/encryption-config.yaml";
+ name = "encryption-config.yaml";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.keys.service-accounts}/service-accounts.crt";
+ owner = 10024;
+ group = 10024;
+ mode = "0640";
+ }
+ {
+ dest_dir = "/vm/${vm_name}/persist/keys/kube";
+ file = "${k8s.keys.service-accounts}/service-accounts.key";
+ owner = 10024;
+ group = 10024;
+ mode = "0600";
+ }
 # {
 # dest_dir = "/vm/${vm_name}/persist/keys/kube";
 # file = "${self.kubernetes}/kubernetes.pem";
diff --git a/nix/kubernetes/roles/kube_apiserver/default.nix b/nix/kubernetes/roles/kube_apiserver/default.nix
index 4a0881f0..2a76188f 100644
--- a/nix/kubernetes/roles/kube_apiserver/default.nix
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
@@ -6,7 +6,8 @@
 }:
 let
- shellCommand = cmd: (lib.concatMapStringsSep " " lib.strings.escapeShellArg cmd);
+ # shellCommand = cmd: (lib.concatMapStringsSep " " lib.strings.escapeShellArg cmd);
+ shellCommand = cmd: (builtins.concatStringsSep " " cmd);
 in
 {
 imports = [ ];
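Review bot: The six new entries in the deploy list repeat `dest_dir`, `owner = 10024` and `group = 10024` verbatim and differ only in `file` and `mode`, which turns a future uid or directory change into a six-place edit and buries the one property a reviewer wants to see at a glance — which files are private material (`0600`) and which are certificates (`0640`). A small helper in the enclosing `let` (its header is outside this hunk) keeps each entry to one line while leaving the per-file mode explicit; the `encryption-config.yaml` entry keeps its extra `name` attribute via `//`. The commented-out `kubernetes.pem` entry that follows the hunk appears to belong to the `.pem` set this hunk replaces with the `.crt`/`.key` pair and can presumably be deleted in the same change.
```nix
# in the enclosing let:
kubeKey = file: mode: {
  dest_dir = "/vm/${vm_name}/persist/keys/kube";
  inherit file mode;
  owner = 10024;
  group = 10024;
};
# … unchanged: preceding list entries …
(kubeKey "${k8s.ca}/ca.crt" "0640")
(kubeKey "${k8s.keys.kube-api-server}/kube-api-server.crt" "0640")
(kubeKey "${k8s.keys.kube-api-server}/kube-api-server.key" "0600")
(kubeKey "${k8s.encryption_config}/encryption-config.yaml" "0600" // { name = "encryption-config.yaml"; })
(kubeKey "${k8s.keys.service-accounts}/service-accounts.crt" "0640")
(kubeKey "${k8s.keys.service-accounts}/service-accounts.key" "0600")
```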
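Review bot: The new `shellCommand` joins the argument list with a bare space and drops `escapeShellArg`, so any argument containing whitespace, `$`, `%`, quotes or other characters the systemd `ExecStart=` tokenizer treats specially is now split or rewritten by systemd instead of reaching kube-apiserver intact; concretely that covers the `'api/all=true'` literal and any interpolated `config.me.*` value in the ExecStart hunk below that happens to contain such characters. nixpkgs has `lib.escapeSystemdExecArgs` for exactly this list-to-ExecStart conversion, so `shellCommand = lib.escapeSystemdExecArgs;` keeps the intended change (no POSIX-shell escaping) while still quoting per systemd's rules; pair it with `"--runtime-config=api/all=true"` so no literal quotes travel inside the value. The commented-out previous definition should be deleted rather than kept next to the new one, as git already records it.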
@@ -54,47 +55,78 @@ in
 Type = "notify";
 ExecStart = (
 shellCommand [
+ # NEW:
 "${pkgs.kubernetes}/bin/kube-apiserver"
- "--advertise-address=${config.me.kube_apiserver.internal_ip}"
 "--allow-privileged=true"
- "--apiserver-count=3"
 "--audit-log-maxage=30"
 "--audit-log-maxbackup=3"
 "--audit-log-maxsize=100"
 "--audit-log-path=/var/log/audit.log"
 "--authorization-mode=Node,RBAC"
 "--bind-address=0.0.0.0"
- "--client-ca-file=/.persist/keys/kube/ca.pem"
- "--requestheader-client-ca-file=/.persist/keys/kube/requestheader-client-ca.pem"
- ''--requestheader-allowed-names=""''
- "--requestheader-extra-headers-prefix=X-Remote-Extra-"
- "--requestheader-group-headers=X-Remote-Group"
- "--requestheader-username-headers=X-Remote-User"
- "--proxy-client-cert-file=/.persist/keys/kube/${config.networking.hostName}-proxy.pem"
- "--proxy-client-key-file=/.persist/keys/kube/${config.networking.hostName}-proxy-key.pem"
+ "--client-ca-file=/.persist/keys/kube/ca.crt"
 "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
 "--etcd-cafile=/.persist/keys/kube/ca.pem"
- "--etcd-certfile=/.persist/keys/kube/kubernetes.pem"
- "--etcd-keyfile=/.persist/keys/kube/kubernetes-key.pem"
+ "--etcd-certfile=/.persist/keys/kube/kube-api-server.crt"
+ "--etcd-keyfile=/.persist/keys/kube/kube-api-server.key"
 "--etcd-servers=${builtins.concatStringsSep "," config.me.kube_apiserver.etcd_services}"
 "--event-ttl=1h"
 "--encryption-provider-config=/.persist/keys/kube/encryption-config.yaml"
- "--kubelet-certificate-authority=/.persist/keys/kube/ca.pem"
- "--kubelet-client-certificate=/.persist/keys/kube/kubernetes.pem"
- "--kubelet-client-key=/.persist/keys/kube/kubernetes-key.pem"
+ "--kubelet-certificate-authority=/.persist/keys/kube/ca.crt"
+ "--kubelet-client-certificate=/.persist/keys/kube/kube-api-server.crt"
+ "--kubelet-client-key=/.persist/keys/kube/kube-api-server.key"
 "--runtime-config='api/all=true'"
- "--service-account-key-file=/.persist/keys/kube/service-account.pem"
- "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
- "--service-account-issuer=https://${config.me.kube_apiserver.external_ip}:6443"
+ "--service-account-key-file=/.persist/keys/kube/service-accounts.crt"
+ "--service-account-signing-key-file=/.persist/keys/kube/service-accounts.key"
+ "--service-account-issuer=https://server.kubernetes.local:6443"
 "--service-node-port-range=30000-32767"
- "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"
- "--tls-private-key-file=/.persist/keys/kube/kubernetes-key.pem"
+ "--tls-cert-file=/.persist/keys/kube/kube-api-server.crt"
+ "--tls-private-key-file=/.persist/keys/kube/kube-api-server.key"
 "--tls-min-version=VersionTLS13"
- "--kubelet-preferred-address-types=InternalIP,ExternalDNS,ExternalIP,Hostname,InternalDNS"
- # "--service-cluster-ip-range=10.197.0.0/16"
- "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
- "--enable-aggregator-routing=true"
 "--v=2"
+
+ # OLD:
+ # "${pkgs.kubernetes}/bin/kube-apiserver"
+ # "--advertise-address=${config.me.kube_apiserver.internal_ip}"
+ # "--allow-privileged=true"
+ # "--apiserver-count=3"
+ # "--audit-log-maxage=30"
+ # "--audit-log-maxbackup=3"
+ # "--audit-log-maxsize=100"
+ # "--audit-log-path=/var/log/audit.log"
+ # "--authorization-mode=Node,RBAC"
+ # "--bind-address=0.0.0.0"
+ # "--client-ca-file=/.persist/keys/kube/ca.pem"
+ # "--requestheader-client-ca-file=/.persist/keys/kube/requestheader-client-ca.pem"
+ # ''--requestheader-allowed-names=""''
+ # "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+ # "--requestheader-group-headers=X-Remote-Group"
+ # "--requestheader-username-headers=X-Remote-User"
+ # "--proxy-client-cert-file=/.persist/keys/kube/${config.networking.hostName}-proxy.pem"
+ # "--proxy-client-key-file=/.persist/keys/kube/${config.networking.hostName}-proxy-key.pem"
+ # "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+ # "--etcd-cafile=/.persist/keys/kube/ca.pem"
+ # "--etcd-certfile=/.persist/keys/kube/kubernetes.pem"
+ # "--etcd-keyfile=/.persist/keys/kube/kubernetes-key.pem"
+ # "--etcd-servers=${builtins.concatStringsSep "," config.me.kube_apiserver.etcd_services}"
+ # "--event-ttl=1h"
+ # "--encryption-provider-config=/.persist/keys/kube/encryption-config.yaml"
+ # "--kubelet-certificate-authority=/.persist/keys/kube/ca.pem"
+ # "--kubelet-client-certificate=/.persist/keys/kube/kubernetes.pem"
+ # "--kubelet-client-key=/.persist/keys/kube/kubernetes-key.pem"
+ # "--runtime-config='api/all=true'"
+ # "--service-account-key-file=/.persist/keys/kube/service-account.pem"
+ # "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
+ # "--service-account-issuer=https://${config.me.kube_apiserver.external_ip}:6443"
+ # "--service-node-port-range=30000-32767"
+ # "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"
+ # "--tls-private-key-file=/.persist/keys/kube/kubernetes-key.pem"
+ # "--tls-min-version=VersionTLS13"
+ # "--kubelet-preferred-address-types=InternalIP,ExternalDNS,ExternalIP,Hostname,InternalDNS"
+ # # "--service-cluster-ip-range=10.197.0.0/16"
+ # "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
+ # "--enable-aggregator-routing=true"
+ # "--v=2"
 ]
 );
 Restart = "on-failure";
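Review bot: `--service-account-issuer` now hard-codes `https://server.kubernetes.local:6443` where it previously derived from `config.me.kube_apiserver.external_ip`; the issuer is embedded in every projected service-account token, so tokens minted under the old value stop validating the moment this apiserver restarts. The flag may be given more than once (the first value signs, all values are accepted for verification), so keep `"--service-account-issuer=https://${config.me.kube_apiserver.external_ip}:6443"` as a second entry until existing tokens have rotated. Two more points in the same hunk: `--etcd-cafile=/.persist/keys/kube/ca.pem` is left untouched while `--etcd-certfile`/`--etcd-keyfile` move to the new `kube-api-server.crt`/`.key` pair and the deploy list in the first file ships only `ca.crt`, so either etcd still trusts the old CA and `ca.pem` is delivered by an entry outside this diff, or the client certificate and its trust anchor now come from different CAs — worth confirming before rollout. Dropping `--requestheader-*`, `--proxy-client-*` and `--enable-aggregator-routing` removes front-proxy authentication for the aggregation layer, which is only safe if no APIService objects (metrics-server is the usual one) are served in this cluster. Finally, the 40-line `# OLD:` block duplicates what git history already records and should be removed from ExecStart; the surrounding `serviceConfig` attribute set starts and ends outside this hunk.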