Generate certificates for the aggregation layer.

nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf

@@ -0,0 +1,95 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = ca_x509_extensions
+
+[ca_x509_extensions]
+basicConstraints = CA:TRUE
+keyUsage         = cRLSign, keyCertSign
+
+[req_distinguished_name]
+C   = US
+ST  = Washington
+L   = Seattle
+CN  = CA
+
+[controller0-proxy]
+distinguished_name = controller0_distinguished_name
+prompt             = no
+req_extensions     = controller0_req_extensions
+
+[controller0_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller0 Certificate"
+subjectAltName       = @controller0_alt_names
+subjectKeyIdentifier = hash
+
+[controller0_distinguished_name]
+CN = system:node:controller0
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller0_alt_names]
+IP.0  = 127.0.0.1
+IP.4  = 10.215.1.221
+IP.5  = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+DNS.0 = controller0
+
+[controller1-proxy]
+distinguished_name = controller1_distinguished_name
+prompt             = no
+req_extensions     = controller1_req_extensions
+
+[controller1_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller1 Certificate"
+subjectAltName       = @controller1_alt_names
+subjectKeyIdentifier = hash
+
+[controller1_distinguished_name]
+CN = system:node:controller1
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller1_alt_names]
+IP.0  = 127.0.0.1
+IP.4  = 10.215.1.222
+IP.5  = 2620:11f:7001:7:ffff:ffff:0ad7:01de
+DNS.0 = controller1
+
+[controller2-proxy]
+distinguished_name = controller2_distinguished_name
+prompt             = no
+req_extensions     = controller2_req_extensions
+
+[controller2_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller2 Certificate"
+subjectAltName       = @controller2_alt_names
+subjectKeyIdentifier = hash
+
+[controller2_distinguished_name]
+CN = system:node:controller2
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller2_alt_names]
+IP.0  = 127.0.0.1
+IP.6  = 10.215.1.223
+IP.7  = 2620:11f:7001:7:ffff:ffff:0ad7:01df
+DNS.0 = controller2

nix/kubernetes/keys/package/k8s-ca/package.nix

@@ -10,23 +10,28 @@
 {
   stdenv,
   openssl,
+  ca_name,
+  ca_config,
   ...
 }:
 stdenv.mkDerivation (finalAttrs: {
-  name = "k8s-ca";
+  name = "k8s-ca-${ca_name}";
   nativeBuildInputs = [ openssl ];
   buildInputs = [ ];
 
   unpackPhase = "true";
 
-  installPhase = ''
-    mkdir -p "$out"
-    cd "$out"
+  buildPhase = ''
+    openssl genrsa -out "${ca_name}-ca.key" 4096
 
-    openssl genrsa -out ca.key 4096
     openssl req -x509 -new -sha512 -noenc \
-            -key ca.key -days 3653 \
-            -config ${./files/ca.conf} \
-            -out ca.crt
+            -key "${ca_name}-ca.key" -days 3653 \
+            -config "${ca_config}" \
+            -out "${ca_name}-ca.crt"
+  '';
+
+  installPhase = ''
+    mkdir "$out"
+    cp "${ca_name}-ca.crt" "${ca_name}-ca.key" $out/
   '';
 })