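{
  config,
  lib,
  pkgs,
  ...
}:

let
  top = config.services.kubernetes;
  cfg = top.addonManager;

  # The identity the addon manager authenticates to the apiserver as. It is
  # both the CN of the client certificate issued below (services.kubernetes.pki)
  # and the User subject of every RBAC binding in this module; keeping it in one
  # place means the certificate and the bindings cannot drift apart.
  addonManagerUser = "system:kube-addon-manager";

  # The RBAC objects below are only meaningful when the apiserver authorizes
  # with RBAC.
  isRBACEnabled = lib.elem "RBAC" top.apiserver.authorizationMode;

  # One `<name>.json` per entry of cfg.addons, gathered into a single store path
  # that is then exposed under /etc/kubernetes/addons. Both locations are
  # world-readable, so addon manifests must not embed secret material (e.g. a
  # `kind = "Secret"` carrying real data); deliver such objects to the cluster
  # through another channel.
  addons = pkgs.runCommand "kubernetes-addons" { } ''
    mkdir -p $out
    # since we are mounting the addons to the addon manager, they need to be copied
    ${lib.concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (
      lib.mapAttrsToList (name: addon: pkgs.writeTextDir "${name}.json" (builtins.toJSON addon)) (
        cfg.addons
      )
    )}
  '';
in
{
  ###### interface
  options.services.kubernetes.addonManager = with lib.types; {
    bootstrapAddons = lib.mkOption {
      description = ''
        Bootstrap addons are like regular addons, but they are applied with cluster-admin rights.
        They are applied at addon-manager startup only.

        Because they are applied as cluster-admin, their contents are fully trusted:
        any object placed here can grant itself arbitrary cluster privileges. Keep
        this set minimal; this module itself only adds the RBAC objects the addon
        manager needs when RBAC is enabled.
      '';
      default = { };
      type = attrsOf attrs;
      example = lib.literalExpression ''
        {
          "my-service" = {
            "apiVersion" = "v1";
            "kind" = "Service";
            "metadata" = {
              "name" = "my-service";
              "namespace" = "default";
            };
            "spec" = { ... };
          };
        }
      '';
    };

    addons = lib.mkOption {
      description = ''
        Kubernetes addons (any kind of Kubernetes resource can be an addon).

        Addons are serialized to JSON in the Nix store and exposed under
        /etc/kubernetes/addons; both are world-readable, so do not put Secret
        data into an addon.
      '';
      default = { };
      type = attrsOf (either attrs (listOf attrs));
      example = lib.literalExpression ''
        {
          "my-service" = {
            "apiVersion" = "v1";
            "kind" = "Service";
            "metadata" = {
              "name" = "my-service";
              "namespace" = "default";
            };
            "spec" = { ... };
          };
        }
        // import <nixpkgs/nixos/modules/services/cluster/kubernetes/dns.nix> { cfg = config.services.kubernetes; };
      '';
    };

    enable = lib.mkEnableOption "Kubernetes addon manager";
  };

  ###### implementation
  config = lib.mkIf cfg.enable {
    # Directory the manager reads its manifests from (see ADDON_PATH below).
    # World-readable; see the note on the `addons` option.
    environment.etc."kubernetes/addons".source = "${addons}/";

    systemd.services.kube-addon-manager = {
      description = "Kubernetes addon manager";
      wantedBy = [ "kubernetes.target" ];
      # Ordering only; no dependency on the apiserver unit is pulled in. If the
      # apiserver is not reachable yet the unit fails and is retried every 10s
      # without a start limit (Restart/RestartSec + StartLimitIntervalSec = 0).
      after = [ "kube-apiserver.service" ];
      environment.ADDON_PATH = "/etc/kubernetes/addons/";
      path = [ pkgs.gawk ];
      serviceConfig = {
        Slice = "kubernetes.slice";
        ExecStart = "${top.package}/bin/kube-addons";
        WorkingDirectory = top.dataDir;
        # Runs unprivileged: all cluster authority comes from the client
        # certificate and the RBAC bindings below, not from Unix privileges.
        User = "kubernetes";
        Group = "kubernetes";
        Restart = "on-failure";
        RestartSec = 10;
      };
      unitConfig = {
        StartLimitIntervalSec = 0;
      };
    };

    # RBAC grant for the addon manager identity. It goes through
    # bootstrapAddons (applied with cluster-admin rights by the module that
    # consumes that option, which is not visible here) because the manager
    # cannot grant itself access before these objects exist.
    services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled (
      let
        name = addonManagerUser;
        namespace = "kube-system";
      in
      {
        # Full access, but only inside kube-system: the manager has to create,
        # update and remove arbitrary addon resource kinds there. Together with
        # the cluster-wide `list` below this is the whole grant; writes to any
        # other namespace are not covered by it.
        # NOTE(review): the option examples place a Service in `default`.
        # Whether the kube-addons script applies such objects, and what extra
        # RBAC they would need, is not visible here - confirm before relying on it.
        kube-addon-manager-r = {
          apiVersion = "rbac.authorization.k8s.io/v1";
          kind = "Role";
          metadata = {
            inherit name namespace;
          };
          rules = [
            {
              apiGroups = [ "*" ];
              resources = [ "*" ];
              verbs = [ "*" ];
            }
          ];
        };

        kube-addon-manager-rb = {
          apiVersion = "rbac.authorization.k8s.io/v1";
          kind = "RoleBinding";
          metadata = {
            inherit name namespace;
          };
          roleRef = {
            apiGroup = "rbac.authorization.k8s.io";
            kind = "Role";
            inherit name;
          };
          subjects = [
            {
              apiGroup = "rbac.authorization.k8s.io";
              kind = "User";
              inherit name;
            }
          ];
        };

        # Read-only, cluster-wide: `list` on every resource and nothing else.
        # Presumably needed so the manager can discover objects outside
        # kube-system; the script that uses it is not visible here.
        kube-addon-manager-cluster-lister-cr = {
          apiVersion = "rbac.authorization.k8s.io/v1";
          kind = "ClusterRole";
          metadata = {
            name = "${name}:cluster-lister";
          };
          rules = [
            {
              apiGroups = [ "*" ];
              resources = [ "*" ];
              verbs = [ "list" ];
            }
          ];
        };

        kube-addon-manager-cluster-lister-crb = {
          apiVersion = "rbac.authorization.k8s.io/v1";
          kind = "ClusterRoleBinding";
          metadata = {
            name = "${name}:cluster-lister";
          };
          roleRef = {
            apiGroup = "rbac.authorization.k8s.io";
            kind = "ClusterRole";
            name = "${name}:cluster-lister";
          };
          subjects = [
            {
              # Spelled out for parity with the RoleBinding above; it is also
              # the API default for User subjects, so the grant is unchanged.
              apiGroup = "rbac.authorization.k8s.io";
              kind = "User";
              inherit name;
            }
          ];
        };
      }
    );

    # Client certificate the manager authenticates with. The CN is the user
    # name the apiserver sees, i.e. the subject the bindings above refer to.
    services.kubernetes.pki.certs = {
      addonManager = top.lib.mkCert {
        name = "kube-addon-manager";
        CN = addonManagerUser;
        action = "systemctl restart kube-addon-manager.service";
      };
    };
  };

  # Kept as in the original; the reason the option docs cannot be built in the
  # sandbox is not visible from this file.
  meta.buildDocsInSandbox = false;
}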