Move the cluster bootstrap into the keys flake.

Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
2025-12-20 23:13:51 -05:00
parent fe35b4948a
commit cdac1cd091
11 changed files with 51 additions and 60 deletions
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/cilium.yaml
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_namespace.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/initial_clusterrole.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/initial_clusterrole.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:kube-apiserver-to-kubelet
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/proxy
+      - nodes/stats
+      - nodes/log
+      - nodes/spec
+      - nodes/metrics
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:kube-apiserver
+  namespace: ""
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-apiserver-to-kubelet
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: kubernetes