Generate certificates for the aggregation layer.

2026-01-09 18:19:34 -05:00
parent fa99555467
commit e43d7d2a96
13 changed files with 204 additions and 43 deletions
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -78,24 +78,48 @@ makeScope newScope (
      inherit all_hostnames controllers;
      k8s = self;
    };
+    certificate_authorities = {
+      "client" = {
+        ca_config = ./package/k8s-ca/files/client-ca.conf;
+      };
+      "requestheader-client" = {
+        ca_config = ./package/k8s-ca/files/requestheader-client-ca.conf;
+      };
+    };
+    certificate_authorities_merged = (
+      builtins.mapAttrs (ca_name: ca_config: { inherit ca_name; } // ca_config) certificate_authorities
+    );
  in
  {
-    ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
+    ca = (
+      builtins.mapAttrs (
+        ca_name: ca_config:
+        (callPackage ./package/k8s-ca/package.nix (additional_vars // { inherit ca_name; } // ca_config))
+      ) certificate_authorities
+    );
    keys = (
-      lib.genAttrs [
-        "admin"
-        "controller0"
-        "controller1"
-        "controller2"
-        "worker0"
-        "worker1"
-        "worker2"
-        "kube-proxy"
-        "kube-scheduler"
-        "kube-controller-manager"
-        "kube-api-server"
-        "service-accounts"
-      ] (key_name: (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; })))
+      builtins.mapAttrs
+        (
+          key_name: key_config:
+          (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; } // key_config))
+        )
+        {
+          "admin" = { } // certificate_authorities_merged.client;
+          "controller0" = { } // certificate_authorities_merged.client;
+          "controller1" = { } // certificate_authorities_merged.client;
+          "controller2" = { } // certificate_authorities_merged.client;
+          "worker0" = { } // certificate_authorities_merged.client;
+          "worker1" = { } // certificate_authorities_merged.client;
+          "worker2" = { } // certificate_authorities_merged.client;
+          "kube-proxy" = { } // certificate_authorities_merged.client;
+          "kube-scheduler" = { } // certificate_authorities_merged.client;
+          "kube-controller-manager" = { } // certificate_authorities_merged.client;
+          "kube-api-server" = { } // certificate_authorities_merged.client;
+          "service-accounts" = { } // certificate_authorities_merged.client;
+          "controller0-proxy" = { } // certificate_authorities_merged.requestheader-client;
+          "controller1-proxy" = { } // certificate_authorities_merged.requestheader-client;
+          "controller2-proxy" = { } // certificate_authorities_merged.requestheader-client;
+        }
    );
    ssh-keys = (
      lib.genAttrs [