BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixpkgs-suyu/nixos/tests/kubernetes/kubernetes-common.nix
Matej Cotman 7f9d1a7aaf kubernetes: add tests
2017-09-24 11:44:25 +02:00

131 lines
3.9 KiB
Nix
Raw Blame History

{ config, pkgs, certs, servers }:
let
etcd_key = "${certs}/etcd-key.pem";
etcd_cert = "${certs}/etcd.pem";
ca_pem = "${certs}/ca.pem";
etcd_client_cert = "${certs}/etcd-client.crt";
etcd_client_key = "${certs}/etcd-client-key.pem";
worker_key = "${certs}/worker-key.pem";
worker_cert = "${certs}/worker.pem";
mkDockerOpts = "${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh";
rootCaFile = pkgs.writeScript "rootCaFile.pem" ''
${pkgs.lib.readFile "${certs}/ca.pem"}
${pkgs.lib.readFile ("${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt")}
'';
mkHosts =
pkgs.lib.concatMapStringsSep "\n" (v: "${v.ip} ${v.name}.nixos.xyz") (pkgs.lib.mapAttrsToList (n: v: {name = n; ip = v;}) servers);
in
{
programs.bash.enableCompletion = true;
environment.systemPackages = with pkgs; [ netcat bind etcd.bin ];
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
10250 80 443
];
allowedUDPPorts = [
8285 # flannel udp
8472 # flannel vxlan
];
};
extraHosts = ''
# register "external" domains
${servers.master} etcd.kubernetes.nixos.xyz
${servers.master} kubernetes.nixos.xyz
${mkHosts}
'';
};
virtualisation.docker.extraOptions = ''
--iptables=false $DOCKER_OPTS
'';
# lets create environment file for docker startup - network stuff
systemd.services."pre-docker" = {
description = "Pre-Docker Actions";
wantedBy = [ "flannel.service" ];
before = [ "docker.service" ];
after = [ "flannel.service" ];
path = [ pkgs.gawk pkgs.gnugrep ];
script = ''
mkdir -p /run/flannel
# bashInteractive needed for `compgen`
${pkgs.bashInteractive}/bin/bash ${mkDockerOpts} -d /run/flannel/docker
cat /run/flannel/docker # just for debugging
# allow container to host communication for DNS traffic
${pkgs.iptables}/bin/iptables -I nixos-fw -p tcp -m tcp -i docker0 --dport 53 -j nixos-fw-accept
${pkgs.iptables}/bin/iptables -I nixos-fw -p udp -m udp -i docker0 --dport 53 -j nixos-fw-accept
'';
serviceConfig.Type = "simple";
};
systemd.services.docker.serviceConfig.EnvironmentFile = "/run/flannel/docker";
services.flannel = {
enable = true;
network = "10.2.0.0/16";
iface = "eth1";
etcd = {
endpoints = ["https://etcd.kubernetes.nixos.xyz:2379"];
keyFile = etcd_client_key;
certFile = etcd_client_cert;
caFile = ca_pem;
};
};
environment.variables = {
ETCDCTL_CERT_FILE = "${etcd_client_cert}";
ETCDCTL_KEY_FILE = "${etcd_client_key}";
ETCDCTL_CA_FILE = "${rootCaFile}";
ETCDCTL_PEERS = "https://etcd.kubernetes.nixos.xyz:2379";
};
services.kubernetes = {
kubelet = {
networkPlugin = "cni";
cni.config = [{
name = "mynet";
type = "flannel";
delegate = {
isDefaultGateway = true;
bridge = "docker0";
};
}];
tlsKeyFile = worker_key;
tlsCertFile = worker_cert;
hostname = "${config.networking.hostName}.nixos.xyz";
extraOpts = "--node-ip ${config.networking.primaryIPAddress}";
clusterDns = config.networking.primaryIPAddress;
};
etcd = {
servers = ["https://etcd.kubernetes.nixos.xyz:2379"];
keyFile = etcd_client_key;
certFile = etcd_client_cert;
caFile = ca_pem;
};
kubeconfig = {
server = "https://kubernetes.nixos.xyz:4443";
caFile = rootCaFile;
certFile = worker_cert;
keyFile = worker_key;
};
# make sure you cover kubernetes.apiserver.portalNet and flannel networks
clusterCidr = "10.0.0.0/8";
dns.enable = true;
dns.port = 4453;
};
services.dnsmasq.enable = true;
services.dnsmasq.servers = ["/${config.services.kubernetes.dns.domain}/127.0.0.1#4453"];
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "overlay";
}
Reference in a new issue View git blame Copy permalink