{ config, pkgs, lib, machines, ... }:
with lib;
let
cfg = config.hscloud.kube;
fqdn = config.hscloud.base.fqdn;
in {
options.hscloud.kube = {
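package = mkOption {
  description = "Kubernetes package to use for everything but kubelet.";
  type = types.package;
  # The control plane is built from a pinned nixpkgs checkout rather than the
  # host's `pkgs`, so the Kubernetes version does not drift with whatever
  # channel a machine happens to track. `rev` is a full commit hash, so the
  # fetch is reproducible; bumping it is a control-plane upgrade and should be
  # reviewed as one (the comment below records the resulting k8s version).
  # NOTE(review): nixos/nixpkgs-channels appears to be an archived mirror of
  # nixos/nixpkgs; the same commit should exist in the main repo. Confirm the
  # URL still resolves before the next bump, or move it to nixos/nixpkgs.
  default = (import (fetchGit {
    # Now at 1.16.5
    name = "nixos-unstable-2020-01-22";
    # Quoted: bare URL literals are deprecated Nix syntax; value is unchanged.
    url = "https://github.com/nixos/nixpkgs-channels/";
    rev = "a96ed5d70427bdc2fbb9e805784e1b9621157a98";
  }) {}).kubernetes;
  # Describe the real default: this is NOT the host's pkgs.kubernetes.
  defaultText = "kubernetes from pinned nixpkgs a96ed5d (nixos-unstable-2020-01-22)";
};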
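packageKubelet = mkOption {
  description = "Kubernetes package to use for kubelet.";
  type = types.package;
  # Follows the control-plane package unless explicitly overridden, so a node
  # can run a different kubelet build without touching the rest of the cluster.
  default = cfg.package;
  # Was "pkgs.kubernetes", which is not what the default evaluates to.
  defaultText = "config.hscloud.kube.package";
};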
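portAPIServerSecure = mkOption {
  # `types.int` accepted 0, negatives and values above 65535; reject those at
  # evaluation time instead of at apiserver start-up.
  type = types.ints.between 1 65535;
  description = "Port at which k8s apiserver will listen.";
  # This value is also baked into the `server` URL of every kubeconfig built
  # by the pki option below, so it must match what the apiserver is actually
  # bound to on the host named there.
  default = 4001;
};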
pki = let
  # Resolve on-disk PKI material for a (radix, name) pair: the CA that issued
  # the leaf, the leaf certificate, and the leaf's private key. `radix` names
  # the CA family (kube, kubefront, etcd, etcdpeer), `name` the leaf.
  mk = radix: name: {
    ca = ./../../certs + "/ca-${radix}.crt";
    cert = ./../../certs + "/${radix}-${name}.cert";
    # NOTE(review): this is a Nix *path* value, not a string. Anywhere a
    # consumer interpolates it into a string or a derivation, Nix copies the
    # file into the world-readable /nix/store. Confirm every consumer of
    # `.key` keeps it as an out-of-store reference (or make this a string)
    # before relying on these private keys staying private on the host.
    key = ./../../secrets/plain + "/${radix}-${name}.key";
  };
  # Kube-family material plus a ready-made kubeconfig fragment: the secure
  # apiserver endpoint and the leaf cert/key used to authenticate to it.
  mkKube = name:
    let base = mk "kube" name;
    in base // {
      config = {
        server = "https://k0.hswaw.net:${toString cfg.portAPIServerSecure}";
        certFile = base.cert;
        keyFile = base.key;
      };
    };
in mkOption {
  # NOTE(review): `types.attrs` does no layout validation; a typo in an
  # override only surfaces where the missing path is consumed.
  type = types.attrs;
  default = {
    kube = rec {
      # The kube CA is shared by every leaf here; taken from apiserver's entry.
      ca = apiserver.ca;
      # Used to identify apiserver.
      apiserver = mkKube "apiserver";
      # Used to identify controller-manager.
      controllermanager = mkKube "controllermanager";
      # Used to identify scheduler.
      scheduler = mkKube "scheduler";
      # Used for service account tokens. The original note said "encrypt";
      # presumably this is the signing key pair — confirm against the
      # apiserver/controller-manager flags that consume it.
      serviceaccounts = mkKube "serviceaccounts";
      # Used to identify kube-proxy.
      proxy = mkKube "proxy";
      # Used to identify kubelet; one leaf per node, keyed by the node FQDN.
      kubelet = mkKube "kubelet-${fqdn}";
    };
    kubeFront = {
      apiserver = mk "kubefront" "apiserver";
    };
    etcd = {
      # Per-node peer and server identities, plus the client identity the
      # kube apiserver presents to etcd.
      peer = mk "etcdpeer" fqdn;
      server = mk "etcd" fqdn;
      kube = mk "etcd" "kube";
    };
  };
};
};
config.services.kubernetes = {
  # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
  # k8s components manually (in sibling modules); nothing is auto-enabled here.
  roles = [];
  # TODO(q3k): undo after CA migration done
  #caFile = cfg.pki.kube.apiserver.ca;
  # NOTE(review): while this combined bundle is in place, anything issued by
  # the old kube CA is still accepted cluster-wide. Keep the old CA's private
  # key offline/retired and track the TODO so trust is narrowed back to
  # cfg.pki.kube.apiserver.ca once all leaves are reissued.
  caFile = ../../certs/ca-kube-new-and-old.crt;
  clusterCidr = "10.10.16.0/20";
  # Cluster DNS is not provided by the nixpkgs addon in this module.
  addons.dns.enable = false;
};
}