*: rejigger tls certs and more
This pretty large change does the following:
- moves nix from bootstrap.hswaw.net to nix/
- changes clustercfg to use cfssl and moves it to cluster/clustercfg
- changes clustercfg to source information about target location of
certs from nix
- changes clustercfg to push nix config
- changes tls certs to have more than one CA
- recalculates all TLS certs
(it keeps the old serviceaccounts key; otherwise we would end up with
invalid service accounts - the cert no longer matches that key, but that
does not matter, as the cert is not used anyway)
diff --git a/nix/toplevel.nix b/nix/toplevel.nix
new file mode 100644
index 0000000..15b552a
--- /dev/null
+++ b/nix/toplevel.nix
@@ -0,0 +1,90 @@
+rec {
+ domain = ".hswaw.net";
+ k8sapi = "k0.hswaw.net";
+ acmeEmail = "q3k@hackerspace.pl";
+
+ nodes = [
+ {
+ fqdn = "bc01n01.hswaw.net";
+ ipAddr = "185.236.240.35";
+ podNet = "10.10.16.0/24";
+ diskBoot = "/dev/sdb";
+ }
+ {
+ fqdn = "bc01n02.hswaw.net";
+ ipAddr = "185.236.240.36";
+ podNet = "10.10.17.0/24";
+ diskBoot = "/dev/sdb";
+ }
+ {
+ fqdn = "bc01n03.hswaw.net";
+ ipAddr = "185.236.240.37";
+ podNet = "10.10.18.0/24";
+ diskBoot = "/dev/sdb";
+ }
+ ];
+
+ pki = rec {
+ root = /opt/hscloud;
+
+ make = (radix: name: rec {
+ ca = root + "/${radix}-ca.crt";
+ cert = root + "/${radix}-${name}.crt";
+ key = root + "/${radix}-${name}.key";
+
+ json = (builtins.toJSON {
+ ca = (builtins.toString ca);
+ cert = (builtins.toString cert);
+ key = (builtins.toString key);
+ });
+ });
+
+ etcdPeer = (make "etcdpeer" "server");
+
+ etcd = {
+ server = (make "etcd" "server");
+ kube = (make "etcd" "kube");
+ };
+
+ makeKube = (name: (make "kube" name) // {
+ config = {
+ server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
+ certFile = (make "kube" name).cert;
+ keyFile = (make "kube" name).key;
+ };
+ });
+
+ kube = rec {
+ ca = apiserver.ca;
+
+ # Used to identify apiserver.
+ apiserver = (makeKube "apiserver");
+
+ # Used to identify controller-manager.
+ controllermanager = (makeKube "controller-manager");
+
+ # Used to identify scheduler.
+ scheduler = (makeKube "scheduler");
+
+ # Used to identify kube-proxy.
+ proxy = (makeKube "proxy");
+
+ # Used to identify kubelet.
+ kubelet = (makeKube "node");
+
+ # Used to encrypt service accounts.
+ serviceaccounts = (makeKube "serviceaccounts");
+ };
+
+ kubeFront = {
+ apiserver = (make "kubeFront" "apiserver");
+ };
+ };
+
+ ports = {
+ k8sAPIServerPlain = 4000;
+ k8sAPIServerSecure = 4001;
+ k8sControllerManagerPlain = 0; # 4002; do not serve plain http
+ k8sControllerManagerSecure = 4003;
+ };
+}
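Review bot: The `config` attribute built in `makeKube` carries `server`, `certFile` and `keyFile` but no CA path, even though `make` already computes `ca` for the same radix; if this is what gets rendered into the kubeconfigs or component flags, the clients would have no pinned CA for `https://k0.hswaw.net:4001` and would either fall back to the system trust store or need verification turned off. Adding `caFile = (make "kube" name).ca;` next to `certFile` keeps the kube CA pinned alongside the client credentials. Separately, the comment `# Used to encrypt service accounts.` looks inaccurate — as far as I know the service-account key is used to sign and verify service-account tokens, not to encrypt anything — so `# Used to sign/verify service account tokens.` would be clearer, and the description already notes the cert for this key no longer matches. As a point of style, the three repeated `(make "kube" name)` calls in `makeKube` could be bound once, e.g. `let kube = make "kube" name; in kube // { config = { ... certFile = kube.cert; keyFile = kube.key; }; }`.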