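# NixOS module: cluster-wide Kubernetes settings shared by hscloud machines.
#
# Declares the `hscloud.kube.*` options (which Kubernetes package to run, the
# secure apiserver port, and the PKI file layout every component refers to) and
# applies the `services.kubernetes` settings that do not depend on a node's
# role.  Individual components (apiserver, kubelet, ...) are enabled elsewhere;
# this module deliberately sets no nixpkgs role.
{ config, pkgs, lib, machines, ... }:

with lib;

let
  cfg = config.hscloud.kube;
  fqdn = config.hscloud.base.fqdn;

  # Default Kubernetes package, taken from a nixpkgs checkout pinned by full
  # commit hash so the default does not drift with the host's own channel.
  # The URL is quoted because bare URL literals are deprecated in Nix (same
  # value as before).
  # NOTE(review): `nixpkgs-channels` appears to be archived upstream, and
  # `fetchGit` with only `rev` may not find a commit that is not reachable from
  # the repository's default branch (it would then need `ref` or
  # `allRefs = true`) — confirm on the next bump.
  pinnedKubernetes = (import (fetchGit {
    # Now at 1.16.5, which is no longer maintained upstream.
    name = "nixos-unstable-2020-01-22";
    url = "https://github.com/nixos/nixpkgs-channels/";
    rev = "a96ed5d70427bdc2fbb9e805784e1b9621157a98";
  }) {}).kubernetes;

in {
  options.hscloud.kube = {
    package = mkOption {
      description = "Kubernetes package to use for everything but kubelet.";
      type = types.package;
      default = pinnedKubernetes;
      # Accurate description of the default: it is the pinned checkout above,
      # not the host's `pkgs.kubernetes`.
      defaultText = "kubernetes from nixpkgs pinned at a96ed5d7 (1.16.5)";
    };
    packageKubelet = mkOption {
      description = "Kubernetes package to use for kubelet.";
      type = types.package;
      # Follows `package` unless overridden, so kubelet and control plane
      # normally run the same release.
      default = cfg.package;
      defaultText = "config.hscloud.kube.package";
    };
    portAPIServerSecure = mkOption {
      type = types.int;
      description = "Port at which k8s apiserver will listen.";
      default = 4001;
    };
    pki = let
      # CA / certificate / key triple for component `name` under CA `radix`.
      # All three are Nix path values pointing into the repository checkout;
      # certificates live under certs/, private keys under secrets/plain/.
      # NOTE(review): interpolating a path value into a string (`"${key}"`)
      # copies the file into the world-readable /nix/store.  Consumers of
      # `key`/`keyFile` should use `toString` or read the file out-of-band —
      # confirm at the use sites, which are not in this file.
      mk = radix: name: rec {
        ca = ./../../certs + "/ca-${radix}.crt";
        cert = ./../../certs + "/${radix}-${name}.cert";
        key = ./../../secrets/plain + "/${radix}-${name}.key";
      };
      # `mk "kube" name` extended with a `config` block carrying what a
      # kubeconfig needs: the apiserver endpoint and the client cert/key.
      mkKube = name:
        let base = mk "kube" name;
        in base // {
          config = {
            server = "https://k0.hswaw.net:${toString cfg.portAPIServerSecure}";
            certFile = base.cert;
            keyFile = base.key;
          };
        };
    in mkOption {
      # NOTE(review): `types.attrs` is unchecked and merges definitions with
      # `//`, so overriding e.g. `pki.kube` replaces that whole sub-set rather
      # than a single entry; a submodule type would give per-key overrides.
      type = types.attrs;
      description = ''
        Paths to the CA, certificate and private key used by each Kubernetes,
        kube-front and etcd component on this machine.
      '';
      default = {
        kube = rec {
          # The kube CA is the one that signed the apiserver certificate.
          ca = apiserver.ca;

          # Used to identify apiserver.
          apiserver = mkKube "apiserver";

          # Used to identify controller-manager.
          controllermanager = mkKube "controllermanager";

          # Used to identify scheduler.
          scheduler = mkKube "scheduler";

          # Used to encrypt service accounts.
          serviceaccounts = mkKube "serviceaccounts";

          # Used to identify kube-proxy.
          proxy = mkKube "proxy";

          # Used to identify kubelet; the certificate is per-node, hence the
          # machine FQDN in its name.
          kubelet = mkKube "kubelet-${fqdn}";
        };

        kubeFront = {
          apiserver = mk "kubefront" "apiserver";
        };

        # etcd peer and server certificates are per-node (named by FQDN); the
        # `kube` entry is the client certificate the apiserver presents to etcd.
        etcd = {
          peer = mk "etcdpeer" fqdn;
          server = mk "etcd" fqdn;
          kube = mk "etcd" "kube";
        };
      };
    };
  };

  config = {
    services.kubernetes = {
      # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
      # k8s components manually.
      roles = [];
      # Cluster CA trusted by all components; same file as `pki.kube.ca`.
      caFile = cfg.pki.kube.apiserver.ca;
      clusterCidr = "10.10.16.0/20";
      # Cluster DNS is provided outside the nixpkgs addon mechanism.
      addons.dns.enable = false;
    };
  };
}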