talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity
machine_setup/nix/kubernetes/keys/Makefile
Tom Alexander 2b29530047
Add configs for a new kubernetes cluster on NixOS.
2026-02-06 08:53:23 -05:00

358 lines
12 KiB
Makefile
Raw Blame History

SHELL := bash
.ONESHELL:
.SHELLFLAGS := -eu -o pipefail -c
.DELETE_ON_ERROR:
MAKEFLAGS += --warn-undefined-variables
MAKEFLAGS += --no-builtin-rules
OUT=generated
ifeq ($(origin .RECIPEPREFIX), undefined)
$(error This Make does not support .RECIPEPREFIX. Please use GNU Make 4.0 or later)
endif
.RECIPEPREFIX = >
KUBERNETES_PUBLIC_ADDRESS := 74.80.180.138
WORKERS := worker0 worker1 worker2 controller0 controller1 controller2
.PHONY: all
all: \
$(OUT)/ca-key.pem \
$(OUT)/admin-key.pem \
$(OUT)/worker0-key.pem \
$(OUT)/worker1-key.pem \
$(OUT)/worker2-key.pem \
$(OUT)/controller0-proxy-key.pem \
$(OUT)/controller1-proxy-key.pem \
$(OUT)/controller2-proxy-key.pem \
$(OUT)/kube-controller-manager-key.pem \
$(OUT)/kube-proxy-key.pem \
$(OUT)/kube-scheduler-key.pem \
$(OUT)/kubernetes-key.pem \
$(OUT)/service-account-key.pem \
$(OUT)/worker0.kubeconfig \
$(OUT)/worker1.kubeconfig \
$(OUT)/worker2.kubeconfig \
$(OUT)/controller0.kubeconfig \
$(OUT)/controller1.kubeconfig \
$(OUT)/controller2.kubeconfig \
$(OUT)/kube-proxy.kubeconfig \
$(OUT)/kube-controller-manager.kubeconfig \
$(OUT)/kube-scheduler.kubeconfig \
$(OUT)/admin.kubeconfig \
$(OUT)/encryption-config.yaml \
$(OUT)/remote_admin.kubeconfig \
$(OUT)/requestheader-client-ca-key.pem
.PHONY: clean
clean:
> rm -rf $(OUT)
# Requestheader client ca
$(OUT)/requestheader-client-ca-key.pem: requestheader-client-ca-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert -initca ../requestheader-client-ca-csr.json | cfssljson -bare requestheader-client-ca
# Certificate authority
$(OUT)/ca-key.pem: ca-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert -initca ../ca-csr.json | cfssljson -bare ca
# Admin client certificate
$(OUT)/admin-key.pem: admin-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -profile=kubernetes \
> ../admin-csr.json | cfssljson -bare admin
# Worker kubelet client certificate
$(OUT)/worker0-key.pem: worker0-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=worker0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.207 \
> -profile=kubernetes \
> ../worker0-csr.json | cfssljson -bare worker0
# Worker kubelet client certificate
$(OUT)/worker1-key.pem: worker1-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=worker1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.208 \
> -profile=kubernetes \
> ../worker1-csr.json | cfssljson -bare worker1
# Worker kubelet client certificate
$(OUT)/worker2-key.pem: worker2-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=worker2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.209 \
> -profile=kubernetes \
> ../worker2-csr.json | cfssljson -bare worker2
# Controller kubelet client certificate
$(OUT)/controller0-key.pem: controller0-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.204 \
> -profile=kubernetes \
> ../controller0-csr.json | cfssljson -bare controller0
# Controller kubelet client certificate
$(OUT)/controller1-key.pem: controller1-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.205 \
> -profile=kubernetes \
> ../controller1-csr.json | cfssljson -bare controller1
# Controller kubelet client certificate
$(OUT)/controller2-key.pem: controller2-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.206 \
> -profile=kubernetes \
> ../controller2-csr.json | cfssljson -bare controller2
# Controller kubelet client certificate
$(OUT)/controller0-proxy-key.pem: controller0-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=requestheader-client-ca.pem \
> -ca-key=requestheader-client-ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.204 \
> -profile=kubernetes \
> ../controller0-proxy-csr.json | cfssljson -bare controller0-proxy
# Controller kubelet client certificate
$(OUT)/controller1-proxy-key.pem: controller1-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=requestheader-client-ca.pem \
> -ca-key=requestheader-client-ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.205 \
> -profile=kubernetes \
> ../controller1-proxy-csr.json | cfssljson -bare controller1-proxy
# Controller kubelet client certificate
$(OUT)/controller2-proxy-key.pem: controller2-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=requestheader-client-ca.pem \
> -ca-key=requestheader-client-ca-key.pem \
> -config=../ca-config.json \
> -hostname=controller2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.206 \
> -profile=kubernetes \
> ../controller2-proxy-csr.json | cfssljson -bare controller2-proxy
# Controller manager client certificate
$(OUT)/kube-controller-manager-key.pem: kube-controller-manager-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -profile=kubernetes \
> ../kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
# Kube proxy client certificate
$(OUT)/kube-proxy-key.pem: kube-proxy-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -profile=kubernetes \
> ../kube-proxy-csr.json | cfssljson -bare kube-proxy
# Kube scheduler client certificate
$(OUT)/kube-scheduler-key.pem: kube-scheduler-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -profile=kubernetes \
> ../kube-scheduler-csr.json | cfssljson -bare kube-scheduler
# Kuberntes API server certificate
# TODO: Replace 10.32.0.1 with kubernetes api server local ip address from lab 8
$(OUT)/kubernetes-key.pem: kubernetes-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -hostname=10.197.0.1,10.0.0.1,10.215.1.204,10.215.1.205,10.215.1.206,10.215.1.207,10.215.1.208,10.215.1.209,$(KUBERNETES_PUBLIC_ADDRESS),127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local \
> -profile=kubernetes \
> ../kubernetes-csr.json | cfssljson -bare kubernetes
# Service account keypair
$(OUT)/service-account-key.pem: service-account-csr.json ca-config.json
> @mkdir -p $(@D)
> cd $(@D) && cfssl gencert \
> -ca=ca.pem \
> -ca-key=ca-key.pem \
> -config=../ca-config.json \
> -profile=kubernetes \
> ../service-account-csr.json | cfssljson -bare service-account
# Generate worker kubeconfigs
$(patsubst %,$(OUT)/%.kubeconfig,$(WORKERS)): $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials system:node:$* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=system:node:$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
# Generate kube-proxy kubeconfig
$(OUT)/kube-proxy.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials system:$* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=system:$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
# Generate kube-controller-manager kubeconfig
$(OUT)/kube-controller-manager.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://127.0.0.1:6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials system:$* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=system:$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
# Generate kube-scheduler kubeconfig
$(OUT)/kube-scheduler.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://127.0.0.1:6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials system:$* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=system:$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
# Generate admin kubeconfig
$(OUT)/admin.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://127.0.0.1:6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials $* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
# Generate data encryption key for encrypting data at rest
$(OUT)/encryption-config.yaml:
> @mkdir -p $(@D)
> ENCRYPTION_KEY=$(shell head -c 32 /dev/urandom | base64)
> cat encryption-config-template.yaml | sed "s@ENCRYPTION_KEY@$$ENCRYPTION_KEY@g" > $@
# Generate remote admin kubeconfig
$(OUT)/remote_admin.kubeconfig: $(OUT)/remote_%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
> @mkdir -p $(@D)
> kubectl config set-cluster kubernetes-the-hard-way \
> --certificate-authority=$(OUT)/ca.pem \
> --embed-certs=true \
> --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
> --kubeconfig=$@
>
> kubectl config set-credentials $* \
> --client-certificate=$(OUT)/$*.pem \
> --client-key=$(OUT)/$*-key.pem \
> --embed-certs=true \
> --kubeconfig=$@
>
> kubectl config set-context default \
> --cluster=kubernetes-the-hard-way \
> --user=$* \
> --kubeconfig=$@
>
> kubectl config use-context default --kubeconfig=$@
Reference in New Issue View Git Blame Copy Permalink