authorJohan Thomsen <jth@dbc.dk>2019-02-12 16:48:23 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2019-02-20 21:08:56 +0100
commit466beb02143f99815eef90ef8a69c91cd898a998 (patch)
tree019499759ad73754e40833ea2698ad26aeb485a7 /nixos/modules/services/cluster/kubernetes/pki.nix
parent1f49c2160a074b6cb36389a05fd3395cee432d64 (diff)
nixos/kubernetes: let flannel use kubernetes as storage backend
+ isolate etcd on the master node by letting it listen only on loopback
+ enabling kubelet on master and taint master with NoSchedule

The reason for the latter is that flannel requires all nodes to be "registered"
in the cluster in order to set up the cluster network. This means that the
kubelet is needed even at nodes on which we don't plan to schedule anything.
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/pki.nix')
-rw-r--r--nixos/modules/services/cluster/kubernetes/pki.nix23
1 files changed, 18 insertions, 5 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 4587373d519..38deca23a99 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -305,7 +305,7 @@ in
         ''}
 
         ${optionalString top.flannel.enable ''
-          while [ ! -f ${cfg.certs.flannelEtcdClient.cert} ]; do sleep 1; done
+          while [ ! -f ${cfg.certs.flannelClient.cert} ]; do sleep 1; done
           echo "Restarting flannel..." >&1
           systemctl restart flannel
         ''}
@@ -313,22 +313,35 @@ in
         echo "Node joined succesfully"
       '')];
 
+      # isolate etcd on loopback at the master node
+      # easyCerts doesn't support multimaster clusters anyway atm.
       services.etcd = with cfg.certs.etcd; {
+        listenClientUrls = ["https://127.0.0.1:2379"];
+        listenPeerUrls = ["https://127.0.0.1:2380"];
+        advertiseClientUrls = ["https://etcd.local:2379"];
+        initialCluster = ["${top.masterAddress}=https://etcd.local:2380"];
+        initialAdvertisePeerUrls = ["https://etcd.local:2380"];
         certFile = mkDefault cert;
         keyFile = mkDefault key;
         trustedCaFile = mkDefault caCert;
       };
+      networking.extraHosts = mkIf (config.services.etcd.enable) ''
+        127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
+      '';
 
-      services.flannel.etcd = with cfg.certs.flannelEtcdClient; {
-        certFile = mkDefault cert;
-        keyFile = mkDefault key;
-        caFile = mkDefault caCert;
+      services.flannel = with cfg.certs.flannelClient; {
+        kubeconfig = top.lib.mkKubeConfig "flannel" {
+          server = top.apiserverAddress;
+          certFile = cert;
+          keyFile = key;
+        };
       };
 
       services.kubernetes = {
 
         apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {
           etcd = with cfg.certs.apiserverEtcdClient; {
+            servers = ["https://etcd.local:2379"];
             certFile = mkDefault cert;
             keyFile = mkDefault key;
             caFile = mkDefault caCert;
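Review bot: The new flannel kubeconfig (the `top.lib.mkKubeConfig "flannel" { … }` call) passes only `server`, `certFile` and `keyFile`, while the `services.flannel.etcd` block it replaces also pinned `caFile = mkDefault caCert;`; from this hunk alone it is not visible whether mkKubeConfig falls back to a module-wide CA or leaves apiserver verification to the helper's default, so the trust anchor for flannel's API connection should be stated explicitly, e.g. `caFile = caCert;` inside that attrset if the helper accepts it (it appears to, given the dropped line). Note also that `servers = ["https://etcd.local:2379"];` is set unconditionally while the sibling `certFile`/`keyFile`/`caFile` lines use `mkDefault`, so a deployment pointing the apiserver at an external etcd will hit a definition conflict rather than an override; `servers = mkDefault ["https://etcd.local:2379"];` would match the neighbours and the `mkIf (config.services.etcd.enable)` guard on the `extraHosts` entry that makes `etcd.local` resolve. Whether the etcd server certificate carries a SAN for `etcd.local` (required for the loopback TLS listener to verify) is defined elsewhere in pki.nix and cannot be confirmed here. The enclosing `apiserver = mkIf top.apiserver.enable (…)` attrset continues past the end of this hunk.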