Move the encryption config into a package.

This commit is contained in:
Tom Alexander 2025-12-14 20:28:48 -05:00 committed by Tom Alexander
parent 5d660cced8
commit f8b8005ab2
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
6 changed files with 222 additions and 178 deletions


@ -8,14 +8,150 @@
# installCheckPhase # installCheckPhase
# distPhase # distPhase
{ {
lib,
stdenv, stdenv,
writeShellScript, writeShellScript,
k8s, k8s,
openssh,
... ...
}: }:
let let
deploy_script_body = ""; deploy_script_body = (
''
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
''
+ (lib.concatMapStringsSep "\n" deploy_machine [
"nc0"
"nc1"
"nc2"
])
);
deploy_script = (writeShellScript "deploy-script" deploy_script_body); deploy_script = (writeShellScript "deploy-script" deploy_script_body);
deploy_file = (
{
dest_dir,
file,
name ? (builtins.baseNameOf file),
owner,
group,
mode,
}:
''
##
## deploy ${name} to ${dest_dir}
##
${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}
${openssh}/bin/scp ${file} mrmanager:~/${name}
${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}
${openssh}/bin/ssh mrmanager doas rm -f ~/${name}
''
);
deploy_machine = (
vm_name:
(
''
##
## Create directories on ${vm_name}
##
${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
''
+ (lib.concatMapStringsSep "\n" deploy_file [
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${k8s.keys.kube-api-server}/kube-api-server.crt";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${k8s.keys.kube-api-server}/kube-api-server.key";
owner = 10016;
group = 10016;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${k8s.ca}/ca.crt";
owner = 10016;
group = 10016;
mode = "0640";
}
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.kubernetes}/kubernetes.pem";
# owner = 10024;
# group = 10024;
# mode = "0640";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.kubernetes}/kubernetes-key.pem";
# owner = 10024;
# group = 10024;
# mode = "0640";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.ca}/ca.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = (writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config));
# name = "encryption-config.yaml";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.service_account}/service-account.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.service_account}/service-account-key.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.requestheader-client-ca}/requestheader-client-ca.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
# {
# dest_dir = "/vm/${vm_name}/persist/keys/kube";
# file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy-key.pem";
# owner = 10024;
# group = 10024;
# mode = "0600";
# }
])
)
);
in in
stdenv.mkDerivation (finalAttrs: { stdenv.mkDerivation (finalAttrs: {
name = "deploy-script"; name = "deploy-script";
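Review bot: Nothing is installed into `/vm/${vm_name}/persist/keys/kube` any more: `deploy_machine` still creates that directory, but every `deploy_file` entry for it is commented out, and those commented entries reference `self.kubernetes`, `self.ca`, `self.service_account`, `self.controller-proxy`, `vm_name_to_hostname` and `kube_encryption_config`, none of which is in scope in this package (its inputs are `lib`, `stdenv`, `writeShellScript`, `k8s`, `openssh`). Since the point of the commit is to package the encryption config, the one entry that matters should be re-enabled against the new package rather than carried as dead text: `file = "${k8s.encryption_config}/encryption-config.yaml";` with `dest_dir = "/vm/${vm_name}/persist/keys/kube";`. The remaining commented entries should either be ported to `k8s.keys`/`k8s.ca` or deleted, so the comment block cannot drift from the working code. The `mkDerivation` that consumes `deploy_script` continues past the end of the hunk.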


@ -266,7 +266,19 @@ subjectKeyIdentifier = hash
[kube-api-server_alt_names] [kube-api-server_alt_names]
IP.0 = 127.0.0.1 IP.0 = 127.0.0.1
IP.1 = 10.32.0.1 IP.1 = 10.0.0.1
IP.2 = 10.215.1.221
IP.3 = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
IP.4 = 10.215.1.222
IP.5 = 2620:11f:7001:7:ffff:ffff:0ad7:01de
IP.6 = 10.215.1.223
IP.7 = 2620:11f:7001:7:ffff:ffff:0ad7:01df
IP.8 = 10.215.1.224
IP.9 = 2620:11f:7001:7:ffff:ffff:0ad7:01e0
IP.10 = 10.215.1.225
IP.11 = 2620:11f:7001:7:ffff:ffff:0ad7:01e1
IP.12 = 10.215.1.226
IP.13 = 2620:11f:7001:7:ffff:ffff:0ad7:01e2
DNS.0 = kubernetes DNS.0 = kubernetes
DNS.1 = kubernetes.default DNS.1 = kubernetes.default
DNS.2 = kubernetes.default.svc DNS.2 = kubernetes.default.svc
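Review bot: Changing `IP.1` from `10.32.0.1` to `10.0.0.1` in `[kube-api-server_alt_names]` alters the API server certificate, which the commit title ("Move the encryption config into a package") does not cover; if that address is the `kubernetes` service ClusterIP it has to agree with the apiserver's service CIDR, so it deserves a separate commit or at least a comment on the line, e.g. `# first address of the service CIDR; must match the apiserver's --service-cluster-ip-range`. The twelve literal node addresses added as `IP.2`..`IP.13` duplicate data that `default.nix` already carries in `controllers`/`all_hostnames` (visible in a later section of this commit); presumably this config is rendered from Nix, in which case generating the SAN list from that attrset would keep the two from drifting. The OpenSSL section this hunk belongs to starts before the hunk.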


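--- /dev/null
+++ b/package/k8s-encryption-key/package.nix
@@ -0,0 +1,58 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+lib,
+stdenv,
+runCommand,
+writeText,
+...
+}:
+let
+kube_encryption_key = runCommand "kube_encryption_key" { } ''
+head -c 32 /dev/urandom | base64 | tee $out
+'';
+kube_encryption_config = {
+kind = "EncryptionConfig";
+apiVersion = "v1";
+resources = [
+{
+resources = [ "secrets" ];
+providers = [
+{
+aescbc = {
+keys = [
+{
+name = "key1";
+secret = (builtins.readFile "${kube_encryption_key}");
+}
+];
+};
+}
+{ identity = { }; }
+];
+}
+];
+};
+kube_encryption_config_yaml = (
+writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config)
+);
+in
+stdenv.mkDerivation (finalAttrs: {
+name = "k8s-encryption-key";
+nativeBuildInputs = [ ];
+buildInputs = [ ];
+unpackPhase = "true";
+installPhase = ''
+mkdir "$out"
+cp "${kube_encryption_config_yaml}" $out/encryption-config.yaml
+'';
+})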
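Review bot: `kube_encryption_key` is a plain `runCommand`, so the 32 bytes read from `/dev/urandom` become a world-readable file in the Nix store on the build host and in any binary cache the output is pushed to, and `builtins.readFile "${kube_encryption_key}"` copies the secret into `encryption-config.yaml` (a second store path) and, via the `k8s-keys` symlinkJoin in the next section, a third; the `0600` mode applied at deploy time does not undo any of that. The derivation is also not reproducible: anything that changes its input hash (even renaming it) produces a fresh key, and with `aescbc` listed first and no earlier key retained, secrets already written to etcd under the previous key become unreadable, so the `keys` list needs a rotation rule (new key first, old keys appended) before a cluster depends on this. `builtins.readFile` on a derivation output is an import-from-derivation that forces the build during evaluation, and `base64` emits a trailing newline that ends up inside the `secret` string. A header comment should state these limits for the next reader, e.g. `# NOTE: the key is generated into the Nix store (world-readable, not reproducible); suitable for a lab cluster only — provision the key out-of-band otherwise.`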


@ -7,6 +7,7 @@ symlinkJoin {
name = "k8s-keys"; name = "k8s-keys";
paths = [ paths = [
k8s.ca k8s.ca
k8s.encryption_config
] ]
++ (builtins.attrValues k8s.keys) ++ (builtins.attrValues k8s.keys)
++ (builtins.attrValues k8s.client-configs); ++ (builtins.attrValues k8s.client-configs);


@ -2,10 +2,6 @@
makeScope, makeScope,
newScope, newScope,
callPackage, callPackage,
writeShellScript,
openssh,
runCommand,
writeText,
lib, lib,
}: }:
let let
@ -73,12 +69,12 @@ let
]; ];
}; };
}; };
_vm_name_to_hostname = { # _vm_name_to_hostname = {
"nc0" = "controller0"; # "nc0" = "controller0";
"nc1" = "controller1"; # "nc1" = "controller1";
"nc2" = "controller2"; # "nc2" = "controller2";
}; # };
vm_name_to_hostname = (vm_name: _vm_name_to_hostname."${vm_name}"); # vm_name_to_hostname = (vm_name: _vm_name_to_hostname."${vm_name}");
in in
makeScope newScope ( makeScope newScope (
self: self:
@ -87,166 +83,6 @@ makeScope newScope (
inherit all_hostnames controllers; inherit all_hostnames controllers;
k8s = self; k8s = self;
}; };
deploy_file = (
{
dest_dir,
file,
name ? (builtins.baseNameOf file),
owner,
group,
mode,
}:
''
##
## deploy ${name} to ${dest_dir}
##
${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}
${openssh}/bin/scp ${file} mrmanager:~/${name}
${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}
${openssh}/bin/ssh mrmanager doas rm -f ~/${name}
''
);
deploy_machine = (
vm_name:
(
''
##
## Create directories on ${vm_name}
##
${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
''
+ (lib.concatMapStringsSep "\n" deploy_file [
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10016;
group = 10016;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.ca}/ca.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.ca}/ca.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = (writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config));
name = "encryption-config.yaml";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.service_account}/service-account.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.service_account}/service-account-key.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.requestheader-client-ca}/requestheader-client-ca.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.controller-proxy}/${vm_name_to_hostname vm_name}-proxy-key.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
])
)
);
deploy_script = (
''
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "''${BASH_SOURCE[0]}" )" && pwd )"
''
+ (lib.concatMapStringsSep "\n" deploy_machine [
"nc0"
"nc1"
"nc2"
])
);
kube_encryption_key = runCommand "kube_encryption_key" { } ''
head -c 32 /dev/urandom | base64 | tee $out
'';
kube_encryption_config = {
kind = "EncryptionConfig";
apiVersion = "v1";
resources = [
{
resources = [ "secrets" ];
providers = [
{
aescbc = {
keys = [
{
name = "key1";
secret = (builtins.readFile "${kube_encryption_key}");
}
];
};
}
{ identity = { }; }
];
}
];
};
in in
{ {
ca = (callPackage ./package/k8s-ca/package.nix additional_vars); ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
@ -317,6 +153,7 @@ makeScope newScope (
}; };
} }
); );
encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars); all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars); deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
} }
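Review bot: The `_vm_name_to_hostname`/`vm_name_to_hostname` block in the second hunk of this section is commented out rather than removed, whereas everything else this commit stops using here (`deploy_file`, `deploy_machine`, `deploy_script`, `kube_encryption_key`, `kube_encryption_config`) is deleted outright; the mapping is no longer referenced anywhere in this file, so the five commented lines should go too (history keeps them). If the deploy script still needs the mapping — its commented-out entries reference it — it belongs in `additional_vars` or in the deploy-script package, not as a comment here. Separately, `encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);` exposes the derivation under a name that does not match its directory (`k8s-encryption-key`), and it carries the actual key rather than just a config, so picking one name for both would make the secret-bearing path easier to find and audit. The `makeScope` body starts before the first hunk and ends after the last one.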


@ -55,12 +55,12 @@
enable = true; enable = true;
openFirewall = true; openFirewall = true;
name = config.networking.hostName; name = config.networking.hostName;
certFile = "/.persist/keys/etcd/kubernetes.pem"; certFile = "/.persist/keys/etcd/kube-api-server.crt";
keyFile = "/.persist/keys/etcd/kubernetes-key.pem"; keyFile = "/.persist/keys/etcd/kube-api-server.key";
peerCertFile = "/.persist/keys/etcd/kubernetes.pem"; peerCertFile = "/.persist/keys/etcd/kube-api-server.crt";
peerKeyFile = "/.persist/keys/etcd/kubernetes-key.pem"; peerKeyFile = "/.persist/keys/etcd/kube-api-server.key";
trustedCaFile = "/.persist/keys/etcd/ca.pem"; trustedCaFile = "/.persist/keys/etcd/ca.crt";
peerTrustedCaFile = "/.persist/keys/etcd/ca.pem"; peerTrustedCaFile = "/.persist/keys/etcd/ca.crt";
peerClientCertAuth = true; peerClientCertAuth = true;
clientCertAuth = true; clientCertAuth = true;
initialAdvertisePeerUrls = ( initialAdvertisePeerUrls = (