# NixOS module for the hscloud Kubernetes role.
#
# Declares the `hscloud.kube.*` options (Kubernetes packages, the secure
# apiserver port, and the PKI file layout every component reads its
# CA/cert/key from) and sets the few `services.kubernetes` values that are
# common to all nodes.  `machines` is accepted in the argument set but is not
# referenced anywhere in this file.
{ config, pkgs, lib, machines, ... }:

with lib;

let
  cfg = config.hscloud.kube;
  # Host FQDN from the base module; selects the per-host cert/key files below.
  fqdn = config.hscloud.base.fqdn;

in {
  options.hscloud.kube = {
    package = mkOption {
      description = "Kubernetes package to use for everything but kubelet.";
      type = types.package;
      # The default is NOT pkgs.kubernetes: it is the `kubernetes` attribute of
      # a separately pinned nixpkgs-channels checkout.  The pin is fixed by both
      # `rev` and `sha256`, so the fetch is reproducible and a modified tarball
      # fails the hash check.  The version comment below presumably refers to
      # the Kubernetes release shipped by that checkout — confirm; if so it is
      # a release that no longer receives upstream fixes, and moving this pin
      # is the only way to pick them up.
      default = (import (pkgs.fetchFromGitHub {
        # Now at 1.16.5
        owner = "nixos";
        repo = "nixpkgs-channels";
        rev = "a96ed5d70427bdc2fbb9e805784e1b9621157a98";
        sha256 = "sha256-vwGMEQ2lKi8kuo/VYDIPv/95dQVL8z9YMB/uZkoDOKQ=";
      }) {}).kubernetes;
      # NOTE(review): this is what generated option docs display, and it does
      # not match the actual default above (a pinned nixpkgs import).
      defaultText = "pkgs.kubernetes";
    };
    packageKubelet = mkOption {
      description = "Kubernetes package to use for kubelet.";
      type = types.package;
      # Follows `package` unless overridden, so kubelet can be pinned separately.
      default = cfg.package;
      # NOTE(review): same mismatch as above — the real default is cfg.package.
      defaultText = "pkgs.kubernetes";
    };
    portAPIServerSecure = mkOption {
      type = types.int;
      description = "Port at which k8s apiserver will listen.";
      # Also embedded in every kubeconfig `server` URL built by mkKube below.
      default = 4001;
    };
    pki = let
      # Builds the on-disk PKI triple for one identity.  `radix` names the
      # CA family (e.g. "kube", "etcd"), `name` the identity within it.  All
      # three are Nix path values resolved relative to this file:
      #   ca   -> certs/ca-<radix>.crt
      #   cert -> certs/<radix>-<name>.cert
      #   key  -> secrets/plain/<radix>-<name>.key
      # NOTE(review): a Nix path value that is interpolated into a string or
      # referenced from a derivation is copied into the world-readable
      # /nix/store.  Whether the `key` paths are used that way is decided by
      # the consumers of this option, not here — verify that private keys are
      # deployed out of band rather than through the store.
      mk = (radix: name: rec {
        ca = ./../../certs + "/ca-${radix}.crt";
        cert = ./../../certs + "/${radix}-${name}.cert";
        key = ./../../secrets/plain + "/${radix}-${name}.key";
      });
      # Kubernetes identities additionally carry a `config` attrset (presumably
      # the kubeconfig shape services.kubernetes expects — confirm against the
      # consumers).  The apiserver endpoint is hard-coded to k0.hswaw.net on the
      # configured secure port, so every kubeconfig produced here points at
      # that host regardless of which node evaluates it.  `certFile`/`keyFile`
      # are the same paths as `cert`/`key`: `mk` is pure, so calling it again
      # with the same arguments yields identical values.
      mkKube = (name: (mk "kube" name) // {
        config = {
          server = "https://k0.hswaw.net:${toString cfg.portAPIServerSecure}";
          certFile = (mk "kube" name).cert;
          keyFile = (mk "kube" name).key;
        };
      });
    in mkOption {
      # `types.attrs` is opaque: the module system does not check the shape of
      # the value below, so a mistyped attribute name only surfaces when a
      # consumer evaluates it.  A submodule type would catch that at eval time.
      type = types.attrs;
      default = {
        # `rec`: `ca` refers to the `apiserver` sibling defined just below, so
        # the cluster CA resolves to certs/ca-kube.crt.
        kube = rec {
          ca = apiserver.ca;

          # Used to identify apiserver.
          apiserver = mkKube "apiserver";

          # Used to identify controller-manager.
          controllermanager = mkKube "controllermanager";

          # Used to identify scheduler.
          scheduler = mkKube "scheduler";

          # Used to encrypt service accounts.
          serviceaccounts = mkKube "serviceaccounts";

          # Used to identify kube-proxy.
          proxy = mkKube "proxy";

          # Used to identify kubelet.  The only per-host identity in this set:
          # the cert/key filenames embed the node's FQDN.
          kubelet = mkKube "kubelet-${fqdn}";
        };

        # Apiserver identity under the separate "kubefront" CA family; plain
        # `mk`, so no kubeconfig `config` attrset is attached.
        kubeFront = {
          apiserver = mk "kubefront" "apiserver";
        };

        # etcd: per-host peer and server identities plus one identity named
        # "kube" (presumably the client identity Kubernetes uses towards etcd —
        # confirm against the etcd/apiserver modules).  Note the peer and
        # server certs are under different CA families ("etcdpeer" vs "etcd").
        etcd = {
          peer = mk "etcdpeer" fqdn;
          server = mk "etcd" fqdn;
          kube = mk "etcd" "kube";
        };
      };
    };
  };

  config = {
    services.kubernetes = {
      # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
      # k8s components manually.
      roles = [];
      # Cluster CA the components verify peers against; with the default pki
      # value this is the same file as cfg.pki.kube.ca (certs/ca-kube.crt).
      # Read through cfg so an overridden pki option is honoured.
      caFile = cfg.pki.kube.apiserver.ca;
      clusterCidr = "10.10.16.0/20";
      # The nixpkgs DNS addon is disabled here; cluster DNS is presumably
      # provided by another module — confirm.
      addons.dns.enable = false;
    };
  };
}