*: rejigger tls certs and more

This pretty large change does the following:

 - moves nix from bootstrap.hswaw.net to nix/
 - changes clustercfg to use cfssl and moves it to cluster/clustercfg
 - changes clustercfg to source information about target location of
   certs from nix
 - changes clustercfg to push nix config
 - changes tls certs to have more than one CA
 - recalculates all TLS certs
   (it keeps the old serviceaccounts key, otherwise we end up with
   invalid serviceaccounts - the cert doesn't match, but who cares,
   it's not used anyway)
diff --git a/nix/toplevel.nix b/nix/toplevel.nix
new file mode 100644
index 0000000..15b552a
--- /dev/null
+++ b/nix/toplevel.nix
@@ -0,0 +1,90 @@
+rec {
+  domain = ".hswaw.net";
+  k8sapi = "k0.hswaw.net";
+  acmeEmail = "q3k@hackerspace.pl";
+
+  nodes = [
+    {
+      fqdn = "bc01n01.hswaw.net";
+      ipAddr = "185.236.240.35";
+      podNet = "10.10.16.0/24";
+      diskBoot = "/dev/sdb";
+    }
+    {
+      fqdn = "bc01n02.hswaw.net";
+      ipAddr = "185.236.240.36";
+      podNet = "10.10.17.0/24";
+      diskBoot = "/dev/sdb";
+    }
+    {
+      fqdn = "bc01n03.hswaw.net";
+      ipAddr = "185.236.240.37";
+      podNet = "10.10.18.0/24";
+      diskBoot = "/dev/sdb";
+    }
+  ];
+
+  pki = rec {
+    root = /opt/hscloud;
+
+    make = (radix: name: rec {
+      ca = root + "/${radix}-ca.crt";
+      cert = root + "/${radix}-${name}.crt";
+      key = root + "/${radix}-${name}.key";
+
+      json = (builtins.toJSON {
+        ca = (builtins.toString ca);
+        cert = (builtins.toString cert);
+        key = (builtins.toString key);
+      });
+    });
+
+    etcdPeer = (make "etcdpeer" "server");
+
+    etcd = {
+        server = (make "etcd" "server");
+        kube = (make "etcd" "kube");
+    };
+
+    makeKube = (name: (make "kube" name) // {
+      config = {
+        server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
+        certFile = (make "kube" name).cert;
+        keyFile = (make "kube" name).key;
+      };
+    });
+
+    kube = rec {
+      ca = apiserver.ca;
+      
+      # Used to identify apiserver.
+      apiserver = (makeKube "apiserver");
+
+      # Used to identify controller-manager.
+      controllermanager = (makeKube "controller-manager");
+
+      # Used to identify scheduler.
+      scheduler = (makeKube "scheduler");
+
+      # Used to identify kube-proxy.
+      proxy = (makeKube "proxy");
+
+      # Used to identify kubelet.
+      kubelet = (makeKube "node");
+
+      # Used to encrypt service accounts.
+      serviceaccounts = (makeKube "serviceaccounts");
+    };
+
+    kubeFront = {
+      apiserver = (make "kubeFront" "apiserver");
+    };
+  };
+
+  ports = {
+    k8sAPIServerPlain = 4000;
+    k8sAPIServerSecure = 4001;
+    k8sControllerManagerPlain = 0; # 4002; do not serve plain http
+    k8sControllerManagerSecure = 4003;
+  };
+}
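Review bot: The comment on `serviceaccounts` inside the `kube` set reads `# Used to encrypt service accounts.`, but a Kubernetes service-account key pair signs and verifies service-account tokens rather than encrypting anything, which is also what the commit message's own note about invalid service accounts after rotation describes; suggest `# Used to sign/verify service account tokens; rotating the key invalidates existing tokens.` so nobody reads it as at-rest encryption. Separately, `makeKube` evaluates `make "kube" name` three times; binding it once reads more clearly, e.g. `makeKube = (name: let k = make "kube" name; in k // { config = { server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}"; certFile = k.cert; keyFile = k.key; }; });`. The `config` attribute carries only `certFile`/`keyFile` and no CA path, so presumably consumers take `ca` from the merged `make` result; worth confirming, since a client needs the CA to authenticate the API server and not only to present its own certificate. The `kubeFront` radix is the only mixed-case one, so the resulting file names (`kubeFront-ca.crt`) differ in casing from the rest of `/opt/hscloud`; a lowercase radix would keep the layout uniform.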