Move the cluster bootstrap into the keys flake.

Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
2025-12-20 23:13:51 -05:00
parent fe35b4948a
commit cdac1cd091
11 changed files with 51 additions and 60 deletions
--- a/nix/kubernetes/keys/flake.nix
+++ b/nix/kubernetes/keys/flake.nix
@@ -20,6 +20,7 @@
        {
          deploy_script = appliedOverlay.k8s.deploy_script;
          default = appliedOverlay.k8s.all_keys;
+          bootstrap_script = appliedOverlay.k8s.bootstrap_script;
        }
      );
      overlays.default = (
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_namespace.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/initial_clusterrole.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/initial_clusterrole.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:kube-apiserver-to-kubelet
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/proxy
+      - nodes/stats
+      - nodes/log
+      - nodes/spec
+      - nodes/metrics
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:kube-apiserver
+  namespace: ""
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-apiserver-to-kubelet
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: kubernetes
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@@ -0,0 +1,49 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  config,
+  lib,
+  stdenv,
+  writeShellScript,
+  k8s,
+  openssh,
+  ...
+}:
+let
+  bootstrap_script = (writeShellScript "bootstrap-script" bootstrap_script_body);
+  bootstrap_script_body = (''
+    set -euo pipefail
+    IFS=$'\n\t'
+    DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
+
+    ${apply_manifests}
+    echo "Bootstrap finished"
+  '');
+  manifests = (
+    lib.concatMapStringsSep "," lib.escapeShellArg [
+      ./files/manifests/initial_clusterrole.yaml
+      ./files/manifests/cilium.yaml
+      ./files/manifests/flux_namespace.yaml
+      ./files/manifests/flux.yaml
+    ]
+  );
+  apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
+in
+stdenv.mkDerivation (finalAttrs: {
+  name = "bootstrap-script";
+  nativeBuildInputs = [ ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  installPhase = ''
+    cp ${bootstrap_script} "$out"
+  '';
+})
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -166,5 +166,6 @@ makeScope newScope (
    encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
    all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
    deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
+    bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
  }
 )