cluster: move kubernetes services to temporary CA bundle

This is already deployed. It temporarily gives Kubernetes components the
freedom to accept certificates from either the old or the new CA.

Change-Id: I8ac7f773a333c30fa22902b8edc327c0c700a482
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1490
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/machines/modules/kube-common.nix b/cluster/machines/modules/kube-common.nix
index 6707efa..f4c6066 100644
--- a/cluster/machines/modules/kube-common.nix
+++ b/cluster/machines/modules/kube-common.nix
@@ -86,7 +86,9 @@
       # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
       # k8s components manually.
       roles = [];
-      caFile = cfg.pki.kube.apiserver.ca;
+      # TODO(q3k): undo after CA migration done
+      #caFile = cfg.pki.kube.apiserver.ca;
+      caFile = ../../certs/ca-kube-new-and-old.crt;
       clusterCidr = "10.10.16.0/20";
       addons.dns.enable = false;
     };
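Review bot: `caFile` now points at a repo-relative literal, `../../certs/ca-kube-new-and-old.crt`, instead of an attribute under `cfg.pki`, and the same literal is repeated in the other modules this change touches, so the promised undo is several edits across files rather than one. Adding the bundle as a PKI attribute next to the existing `apiserver.ca` (e.g. `cfg.pki.kube.caBundle`) and referencing that here would keep certificate paths in one place and make the revert a single-site change. The `services.kubernetes` attrset this line sits in begins before the hunk.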
diff --git a/cluster/machines/modules/kube-controlplane.nix b/cluster/machines/modules/kube-controlplane.nix
index 8efda58..d38b91f 100644
--- a/cluster/machines/modules/kube-controlplane.nix
+++ b/cluster/machines/modules/kube-controlplane.nix
@@ -82,7 +82,8 @@
       # k8s components manually.
       roles = [];
       addons.dns.enable = false;
-      caFile = pki.kube.apiserver.ca;
+      # TODO(q3k): undo after CA migration done
+      #caFile = pki.kube.apiserver.ca;
       clusterCidr = "10.10.16.0/20";
 
       apiserver = rec {
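Review bot: `caFile` is commented out here with no replacement, whereas the parallel edit in kube-common.nix substitutes the combined bundle; unless this module also inherits that value, `services.kubernetes.caFile` presumably falls back to the module default on the control plane, and anything derived from it (kubeconfigs built through `mkKubeConfig` without an explicit `ca`, for instance) would lose its CA. If the omission is not deliberate, mirror the other module: `caFile = ../../certs/ca-kube-new-and-old.crt;`. The enclosing attrset begins before this hunk and continues past it.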
@@ -102,11 +103,15 @@
 
         tlsCertFile = pki.kube.apiserver.cert;
         tlsKeyFile = pki.kube.apiserver.key;
-        clientCaFile = pki.kube.apiserver.ca;
+        # TODO(q3k): undo after CA migration done
+        #clientCaFile = pki.kube.apiserver.ca;
+        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
 
         kubeletHttps = true;
         # Same CA as main APIServer CA.
-        kubeletClientCaFile = pki.kube.apiserver.ca;
+        # TODO(q3k): undo after CA migration done
+        #kubeletClientCaFile = pki.kube.apiserver.ca;
+        kubeletClientCaFile = ../../certs/ca-kube-new-and-old.crt;
         kubeletClientCertFile = pki.kube.apiserver.cert;
         kubeletClientKeyFile = pki.kube.apiserver.key;
 
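Review bot: With `clientCaFile` and `kubeletClientCaFile` both set to the combined bundle, the API server accepts client certificates chaining to either CA for the entire migration window, and since Kubernetes performs no CRL/OCSP check on client certs, every certificate ever issued by the old CA keeps authenticating until the old CA is actually removed from the bundle. That is the intended trade-off, but the TODOs state no end condition; I would record one, e.g. `# TODO(q3k): remove old CA from bundle once all client certs are reissued; old-CA certs authenticate until then`. The same relative path also appears twice in this hunk alone, which is one more argument for a single PKI attribute holding the bundle. The `apiserver` attrset starts in the previous hunk and continues after this one.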
@@ -145,21 +150,24 @@
         leaderElect = true;
         serviceAccountKeyFile = pki.kube.serviceaccounts.key;
         rootCaFile = pki.kube.ca;
+        # TODO(q3k): undo after CA migration done 
         extraOpts = ''
           --service-cluster-ip-range=10.10.12.0/24 \
           --use-service-account-credentials=true \
           --secure-port=${toString cfg.portControllerManagerSecure}\
           --authentication-kubeconfig=${kubeconfig}\
           --authorization-kubeconfig=${kubeconfig}\
+          --root-ca-file=${../../certs/ca-kube-new-and-old.crt}\
         '';
         kubeconfig = pki.kube.controllermanager.config;
       };
 
       scheduler = let
         top = config.services.kubernetes;
-        # BUG: this should be scheduler
-        # TODO(q3k): change after big nix change
-        kubeconfig = top.lib.mkKubeConfig "scheduler" pki.kube.controllermanager.config;
+        # TODO(q3k): undo after CA migration done 
+        kubeconfig = top.lib.mkKubeConfig "scheduler" (pki.kube.scheduler.config //  {
+          ca = ../../certs/ca-kube-new-and-old.crt;
+        });
       in {
         enable = true;
         address = "0.0.0.0";
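Review bot: `--root-ca-file=` is appended through `extraOpts` while `rootCaFile = pki.kube.ca;` two lines above is left in place, so the controller-manager command line presumably carries two `--root-ca-file` flags and the effective value depends on which occurrence the flag parser keeps. Set the bundle on the option itself under the same TODO, `rootCaFile = ../../certs/ca-kube-new-and-old.crt;`, and drop the extra flag, so the revert is a one-line change like the others. Separately, the TODO above the scheduler kubeconfig reads as "undo the whole expression", but the switch from `controllermanager.config` to `scheduler.config` fixes the BUG the removed comment described and should survive the revert; make the comment say only the `ca` override is temporary, e.g. `# TODO(q3k): drop the ca override after CA migration done; keep scheduler.config`. Both TODO lines added here also carry trailing whitespace. The `controllerManager` and `scheduler` attrsets extend beyond this hunk.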
diff --git a/cluster/machines/modules/kube-dataplane.nix b/cluster/machines/modules/kube-dataplane.nix
index 45efcd2..fd87dbc 100644
--- a/cluster/machines/modules/kube-dataplane.nix
+++ b/cluster/machines/modules/kube-dataplane.nix
@@ -72,7 +72,9 @@
         hostname = fqdn;
         tlsCertFile = pki.kube.kubelet.cert;
         tlsKeyFile = pki.kube.kubelet.key;
-        clientCaFile = pki.kube.kubelet.ca;
+        # TODO(q3k): undo after CA migration done
+        #clientCaFile = pki.kube.kubelet.ca;
+        clientCaFile = ../../certs/ca-kube-new-and-old.crt;
         nodeIp = config.hscloud.base.ipAddr;
         networkPlugin = "cni";
         clusterDns = "10.10.12.254";
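Review bot: `clientCaFile` here governs which clients the kubelet's own HTTPS endpoint accepts (normally the API server connecting in), while the kubelet's trust in the API server's serving certificate comes from its kubeconfig, which this hunk does not show; if that kubeconfig still carries only the single old CA, kubelets will stop reaching the API server as soon as its serving cert is reissued under the new CA, regardless of this change. Please confirm the kubelet kubeconfig (or whatever `caFile` feeds it) also uses the bundle for the migration window, and note it beside the TODO, e.g. `# TODO(q3k): undo after CA migration done (kubeconfig CA covered via caFile in kube-common)`. The `kubelet` attrset begins before this hunk and continues past it.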