Move the cluster bootstrap into the keys flake.

Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
Tom Alexander 2025-12-20 23:13:51 -05:00 committed by Tom Alexander
parent c9450ff9fa
commit d97edf0add
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
11 changed files with 51 additions and 60 deletions


@ -7,7 +7,6 @@
{ {
imports = [ imports = [
./roles/boot ./roles/boot
./roles/bootstrap
./roles/cilium ./roles/cilium
./roles/containerd ./roles/containerd
./roles/control_plane ./roles/control_plane


@ -102,7 +102,6 @@
# nix.sshServe.enable = true; # nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ]; # nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.bootstrap.enable = true;
me.dont_use_substituters.enable = true; me.dont_use_substituters.enable = true;
me.minimal_base.enable = true; me.minimal_base.enable = true;
me.worker_node.enable = true; me.worker_node.enable = true;


@ -20,6 +20,7 @@
{ {
deploy_script = appliedOverlay.k8s.deploy_script; deploy_script = appliedOverlay.k8s.deploy_script;
default = appliedOverlay.k8s.all_keys; default = appliedOverlay.k8s.all_keys;
bootstrap_script = appliedOverlay.k8s.bootstrap_script;
} }
); );
overlays.default = ( overlays.default = (


@ -0,0 +1,49 @@
# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
config,
lib,
stdenv,
writeShellScript,
k8s,
openssh,
...
}:
let
bootstrap_script = (writeShellScript "bootstrap-script" bootstrap_script_body);
bootstrap_script_body = (''
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
${apply_manifests}
echo "Bootstrap finished"
'');
manifests = (
lib.concatMapStringsSep "," lib.escapeShellArg [
./files/manifests/initial_clusterrole.yaml
./files/manifests/cilium.yaml
./files/manifests/flux_namespace.yaml
./files/manifests/flux.yaml
]
);
apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
in
stdenv.mkDerivation (finalAttrs: {
name = "bootstrap-script";
nativeBuildInputs = [ ];
buildInputs = [ ];
unpackPhase = "true";
installPhase = ''
cp ${bootstrap_script} "$out"
'';
})
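Review bot: The `apply_manifests` command invokes a bare `kubectl`, but nothing in this package supplies it — `nativeBuildInputs` and `buildInputs` are empty and `kubectl` is not among the function's inputs — so the bootstrap now depends on whatever `kubectl` happens to be on the invoking user's PATH, whereas the removed systemd unit pinned `pkgs.kubectl`; consider taking `kubectl` as an input and writing `kubectl}/bin/kubectl --kubeconfig=...` so the tool version is fixed by the flake. `DIR` is computed but never read, `config` and `openssh` are accepted but unused, and the nine `# ...Phase` comment lines at the top are template residue; dropping them makes the file say only what it does. The admin credential is referenced as `${k8s.client-configs.admin}/admin.kubeconfig`: if that attribute evaluates to a store derivation, the admin kubeconfig ends up in the world-readable /nix/store of every host that realises this script — I cannot tell from the hunk, so it is worth confirming the path stays outside the store or that only a trusted deploy host ever builds it.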


@ -166,5 +166,6 @@ makeScope newScope (
encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars); encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars); all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars); deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
} }
) )


@ -1,54 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
bootstrap.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install bootstrap.";
};
bootstrap.manifests = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = lib.literalExpression ''[ ${./files/clusterrole.yaml} ]'';
description = "List of kubernetes manifests to load into the cluster.";
};
};
config =
lib.mkIf (config.me.bootstrap.enable && ((builtins.length config.me.bootstrap.manifests) > 0))
{
systemd.services.kube-bootstrap = {
enable = true;
description = "Load initial kubernetes manifests into the cluster";
after = [ "kubernetes.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
kubectl
];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
};
script =
let
manifests = (lib.concatMapStringsSep "," lib.escapeShellArg config.me.bootstrap.manifests);
in
''
set -o pipefail
IFS=$'\n\t'
kubectl --kubeconfig=/.persist/keys/kube/kubelet.kubeconfig apply --server-side --force-conflicts -f ${manifests}
'';
};
};
}


@ -18,10 +18,6 @@
}; };
config = lib.mkIf config.me.worker_node.enable { config = lib.mkIf config.me.worker_node.enable {
me.bootstrap.manifests = [
"${../bootstrap/files/initial_clusterrole.yaml}"
"${../bootstrap/files/cilium.yaml}"
];
me.cilium.enable = true; me.cilium.enable = true;
me.containerd.enable = true; me.containerd.enable = true;
me.firewall.enable = true; me.firewall.enable = true;