Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / a5ba55444657987624e95d3aec1a19a072fd2997 / . / cluster / machines / modules / kube-dataplane.nix
blob: 7e2066f9261a88590c2e496c27c5bc4e1f6e7896 [file] [log] [blame]
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]1{ config, pkgs, lib, machines, ... }:
2
3with lib;
4
5let
6 # Pin for kubelet and proxy.
7 k8spkgs = import (fetchGit {
8 # Now at 1.16.5
9 name = "nixos-unstable-2020-01-22";
10 url = https://github.com/nixos/nixpkgs-channels/;
11 rev = "a96ed5d70427bdc2fbb9e805784e1b9621157a98";
12 }) {};
13
14 cfg = config.hscloud.kube.data;
15
16 # All control plane nodes.
17 controlNodes = let
18 list = mapAttrsToList (_: v: v) machines;
19 filtered = filter (m: (m.config ? hscloud.kube.control) && (m.config.hscloud.kube.control.enable)) list;
20 sorted = sort (a: b: a.config.hscloud.base.fqdn < b.config.hscloud.base.fqdn) filtered;
21 in sorted;
22
23 fqdn = config.hscloud.base.fqdn;
24
25 pki = config.hscloud.kube.pki;
26
27in {
28 options.hscloud.kube.data = {
29 enable = mkEnableOption "kubernetes data plane";
30 podNet = mkOption {
31 type = types.str;
32 description = "Subnet in which this node will run pods. Must be exclusive with podNets of other nodes.";
33 };
34 };
35
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]36 imports = [
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]37 ./kube-common.nix
38 ];
39
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]40 config = mkIf cfg.enable {
41 # If we're not running the control plane, render a hostsfile that points at
42 # all other control plane nodes. Otherwise, the control plane module will
43 # make this hostsfile contain the node itself.
44 networking.extraHosts = mkIf (!config.hscloud.kube.control.enable) (concatStringsSep "\n" (map
45 (n: ''
46 ${n.config.hscloud.base.mgmtIf} ${n.config.hscloud.base.fqdn}
47 '')
48 controlNodes));
Bartosz Stebel9a88f282023-10-08 22:26:20 +0200[diff] [blame]49
50 networking.firewall.enable = false;
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]51
52 # this seems to depend on flannel
53 # TODO(q3k): file issue
54 systemd.services.kubelet-online = {
55 script = pkgs.lib.mkForce "sleep 1";
56 };
57
58 services.kubernetes = {
59 # The kubelet wants to mkfs.ext4 when mounting pvcs.
60 path = [ pkgs.e2fsprogs ];
61
62 proxy = {
63 enable = true;
64 kubeconfig = pki.kube.proxy.config;
65 extraOpts = ''
66 --hostname-override=${fqdn}\
67 --proxy-mode=iptables
68 '';
69 };
70
71 kubelet = {
72 enable = true;
73 unschedulable = false;
74 hostname = fqdn;
75 tlsCertFile = pki.kube.kubelet.cert;
76 tlsKeyFile = pki.kube.kubelet.key;
Serge Bazanski92511212023-04-01 13:50:02 +0000[diff] [blame]77 clientCaFile = pki.kube.kubelet.ca;
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]78 nodeIp = config.hscloud.base.ipAddr;
79 networkPlugin = "cni";
80 clusterDns = "10.10.12.254";
81 kubeconfig = pki.kube.kubelet.config;
82 extraOpts = ''
Serge Bazanskia5ba5542023-10-11 23:08:39 +0000[diff] [blame^]83 --read-only-port=0 \
84 --image-gc-high-threshold=60 \
85 --image-gc-low-threshold=40
Serge Bazanski55a486a2022-06-11 18:27:01 +0000[diff] [blame]86 '';
87 package = config.hscloud.kube.packageKubelet;
88 };
89 };
90 };
91}