Add controller proxy certs.

2025-12-14 14:48:53 -05:00
parent b33bb736e6
commit 771ec2e38a
8 changed files with 165 additions and 4 deletions
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -44,12 +44,47 @@ let
  ]
  ++ public_addresses
  ++ internal_addresses;
+  controllers = {
+    "controller0" = {
+      "internal_ips" = [
+        "10.215.1.221"
+        "2620:11f:7001:7:ffff:ffff:0ad7:01dd"
+      ];
+      "external_ips" = [
+        "2620:11f:7001:7:ffff:ffff:0ad7:01dd"
+      ];
+    };
+    "controller1" = {
+      "internal_ips" = [
+        "10.215.1.222"
+        "2620:11f:7001:7:ffff:ffff:0ad7:01de"
+      ];
+      "external_ips" = [
+        "2620:11f:7001:7:ffff:ffff:0ad7:01de"
+      ];
+    };
+    "controller2" = {
+      "internal_ips" = [
+        "10.215.1.223"
+        "2620:11f:7001:7:ffff:ffff:0ad7:01df"
+      ];
+      "external_ips" = [
+        "2620:11f:7001:7:ffff:ffff:0ad7:01df"
+      ];
+    };
+  };
+  _vm_name_to_hostname = {
+    "nc0" = "controller0";
+    "nc1" = "controller1";
+    "nc2" = "controller2";
+  };
+  vm_name_to_hostname = (vm_name: _vm_name_to_hostname."${vm_name}");
 in
 makeScope newScope (
  self:
  let
    additional_vars = {
-      inherit all_hostnames;
+      inherit all_hostnames controllers;
      k8s = self;
    };
    deploy_file = (
@@ -158,6 +193,20 @@ makeScope newScope (
            group = 10024;
            mode = "0600";
          }
+          {
+            dest_dir = "/vm/${vm_name}/persist/keys/kube";
+            file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy.pem";
+            owner = 10024;
+            group = 10024;
+            mode = "0600";
+          }
+          {
+            dest_dir = "/vm/${vm_name}/persist/keys/kube";
+            file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy-key.pem";
+            owner = 10024;
+            group = 10024;
+            mode = "0600";
+          }
        ])
      )
    );
@@ -206,6 +255,7 @@ makeScope newScope (
    requestheader-client-ca = (
      callPackage ./package/k8s-requestheader-client-ca/package.nix additional_vars
    );
+    controller-proxy = (callPackage ./package/k8s-controller-proxy/package.nix additional_vars);
    keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
    deploy_script = (writeShellScript "deploy-keys" deploy_script);
  }