Move the cluster bootstrap into the keys flake.
Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
This commit is contained in:
Tom Alexander
@@ -1,54 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
options.me = {
|
||||
bootstrap.enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = "Whether we want to install bootstrap.";
|
||||
};
|
||||
|
||||
bootstrap.manifests = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
example = lib.literalExpression ''[ ${./files/clusterrole.yaml} ]'';
|
||||
description = "List of kubernetes manifests to load into the cluster.";
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
lib.mkIf (config.me.bootstrap.enable && ((builtins.length config.me.bootstrap.manifests) > 0))
|
||||
{
|
||||
systemd.services.kube-bootstrap = {
|
||||
enable = true;
|
||||
description = "Load initial kubernetes manifests into the cluster";
|
||||
after = [ "kubernetes.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [
|
||||
kubectl
|
||||
];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
script =
|
||||
let
|
||||
manifests = (lib.concatMapStringsSep "," lib.escapeShellArg config.me.bootstrap.manifests);
|
||||
in
|
||||
''
|
||||
set -o pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
kubectl --kubeconfig=/.persist/keys/kube/kubelet.kubeconfig apply --server-side --force-conflicts -f ${manifests}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
@@ -1,4 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: flux-system
|
||||
@@ -1,33 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system:kube-apiserver-to-kubelet
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/proxy
|
||||
- nodes/stats
|
||||
- nodes/log
|
||||
- nodes/spec
|
||||
- nodes/metrics
|
||||
verbs:
|
||||
- "*"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system:kube-apiserver
|
||||
namespace: ""
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:kube-apiserver-to-kubelet
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: kubernetes
|
||||
@@ -18,10 +18,6 @@
|
||||
};
|
||||
|
||||
config = lib.mkIf config.me.worker_node.enable {
|
||||
me.bootstrap.manifests = [
|
||||
"${../bootstrap/files/initial_clusterrole.yaml}"
|
||||
"${../bootstrap/files/cilium.yaml}"
|
||||
];
|
||||
me.cilium.enable = true;
|
||||
me.containerd.enable = true;
|
||||
me.firewall.enable = true;
|
||||
|
||||
Reference in New Issue
Block a user