movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 20:55:31 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

359 lines
9.7 KiB
Nix
Raw Normal View History

treewide: set defaultText for options using simple path defaults adds defaultText for all options that set their default to a path expression using the ubiquitous `cfg` shortcut bindings.
2021-12-05 20:40:24 +01:00
{
config,
lib,
options,
pkgs,
...
}:
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
let
nixos: move kubernetes & fleet to services/cluster
2014-12-11 23:32:37 +01:00
cfg = config.services.kubernetes;
treewide: set defaultText for options using simple path defaults adds defaultText for all options that set their default to a path expression using the ubiquitous `cfg` shortcut bindings.
2021-12-05 20:40:24 +01:00
opt = options.services.kubernetes;
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
nixos/kubernetes: fix deprecation warning The option `containerd.configFile` has been replaced by an equivalent `settings` attribute set.
2021-09-22 16:11:49 +02:00
defaultContainerdSettings = {
version = 2;
root = "/var/lib/containerd";
state = "/run/containerd";
oom_score = 0;
grpc = {
address = "/run/containerd/containerd.sock";
};
nixos/kubernetes: docker -> containerd also, nixos/containerd: module init
2021-02-25 16:00:59 +01:00
nixos/kubernetes: fix deprecation warning The option `containerd.configFile` has been replaced by an equivalent `settings` attribute set.
2021-09-22 16:11:49 +02:00
plugins."io.containerd.grpc.v1.cri" = {
sandbox_image = "pause:latest";
nixos/kubernetes: docker -> containerd also, nixos/containerd: module init
2021-02-25 16:00:59 +01:00
nixos/kubernetes: fix deprecation warning The option `containerd.configFile` has been replaced by an equivalent `settings` attribute set.
2021-09-22 16:11:49 +02:00
cni = {
bin_dir = "/opt/cni/bin";
max_conf_num = 0;
};
nixos/kubernetes: docker -> containerd also, nixos/containerd: module init
2021-02-25 16:00:59 +01:00
nixos/kubernetes: fix deprecation warning The option `containerd.configFile` has been replaced by an equivalent `settings` attribute set.
2021-09-22 16:11:49 +02:00
containerd.runtimes.runc = {
runtime_type = "io.containerd.runc.v2";
nixos/kubernetes: actually set containerd to use systemd cgroups The correct configuration is listed in the kubernetes documentation https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd-systemd The correct option can also be seen in `containerd config default`
2021-12-18 22:18:10 +09:00
options.SystemdCgroup = true;
nixos/kubernetes: fix deprecation warning The option `containerd.configFile` has been replaced by an equivalent `settings` attribute set.
2021-09-22 16:11:49 +02:00
};
};
};
nixos/kubernetes: docker -> containerd also, nixos/containerd: module init
2021-02-25 16:00:59 +01:00
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
mkKubeConfig =
name: conf:
pkgs.writeText "${name}-kubeconfig" (
builtins.toJSON {
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
apiVersion = "v1";
kind = "Config";
clusters = [
{
name = "local";
nixos/kubernetes: minor module fixes - mkDefault etcd instance name - make sure ca-cert in mkKubeConfig can be overriden - fix controller-manager "tls-private-key-file" flag name
2019-02-28 15:12:58 +01:00
cluster.certificate-authority = conf.caFile or cfg.caFile;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
cluster.server = conf.server;
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
}
];
users = [
{
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
inherit name;
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
user = {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
client-certificate = conf.certFile;
client-key = conf.keyFile;
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
};
}
];
contexts = [
{
context = {
cluster = "local";
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
user = name;
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
};
kubernetes: fix generated kubeconfig The absence of current-context in the right place resulted in obscure bugs. The reason this has not been detected before can only be that it was unused.
2021-05-20 16:52:08 -04:00
name = "local";
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
}
];
kubernetes: fix generated kubeconfig The absence of current-context in the right place resulted in obscure bugs. The reason this has not been detected before can only be that it was unused.
2021-05-20 16:52:08 -04:00
current-context = "local";
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
}
);
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
caCert = secret "ca";
etcdEndpoints = [ "https://${cfg.masterAddress}:2379" ];
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
mkCert =
{
name,
CN,
hosts ? [ ],
fields ? { },
action ? "",
nixos/kubernetes: adds argument to mkCert defaulting to kubernetes group
2024-06-21 21:26:08 -03:00
privateKeyOwner ? "kubernetes",
privateKeyGroup ? "kubernetes",
}:
rec {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
inherit
name
caCert
CN
hosts
fields
action
;
cert = secret name;
key = secret "${name}-key";
privateKeyOptions = {
owner = privateKeyOwner;
nixos/kubernetes: adds argument to mkCert defaulting to kubernetes group
2024-06-21 21:26:08 -03:00
group = privateKeyGroup;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
mode = "0600";
path = key;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
};
secret = name: "${cfg.secretsPath}/${name}.pem";
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
mkKubeConfigOptions = prefix: {
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
server = lib.mkOption {
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
description = "${prefix} kube-apiserver server address.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.str;
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
caFile = lib.mkOption {
kubernetes: corrected spelling mistake in docs (#41439)
2018-06-04 15:45:25 +10:00
description = "${prefix} certificate authority file used to connect to kube-apiserver.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.nullOr lib.types.path;
kubernetes module: add support for common CA file
2017-05-30 11:57:52 +02:00
default = cfg.caFile;
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
defaultText = lib.literalExpression "config.${opt.caFile}";
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
certFile = lib.mkOption {
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
description = "${prefix} client certificate file used to connect to kube-apiserver.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.nullOr lib.types.path;
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
default = null;
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
keyFile = lib.mkOption {
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
description = "${prefix} client key file used to connect to kube-apiserver.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.nullOr lib.types.path;
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
default = null;
};
};
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
in
{
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
imports = [
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkRemovedOptionModule [
"services"
"kubernetes"
"addons"
"dashboard"
] "Removed due to it being an outdated version")
(lib.mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "")
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
];
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
###### interface
nixos: move kubernetes & fleet to services/cluster
2014-12-11 23:32:37 +01:00
options.services.kubernetes = {
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
roles = lib.mkOption {
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
description = ''
Kubernetes role that this machine should take.
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
Master role will enable etcd, apiserver, scheduler, controller manager
addon manager, flannel and proxy services.
Node role will enable flannel, docker, kubelet and proxy services.
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
'';
default = [ ];
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.listOf (
lib.types.enum [
"master"
"node"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
]
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
);
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
package = lib.mkPackageOption pkgs "kubernetes" { };
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
kubeconfig = mkKubeConfigOptions "Default kubeconfig";
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
apiserverAddress = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = ''
Clusterwide accessible address for the kubernetes apiserver,
including protocol and optional port.
'';
example = "https://kubernetes-apiserver.example.com:6443";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.str;
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
caFile = lib.mkOption {
kubernetes module: add support for common CA file
2017-05-30 11:57:52 +02:00
description = "Default kubernetes certificate authority";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.nullOr lib.types.path;
kubernetes module: add support for common CA file
2017-05-30 11:57:52 +02:00
default = null;
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
dataDir = lib.mkOption {
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
description = "Kubernetes root directory for managing kubelet files.";
default = "/var/lib/kubernetes";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.path;
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
easyCerts = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = "Automatically setup x509 certificates and keys for the entire cluster.";
default = false;
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.bool;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
featureGates = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = "List set of feature gates.";
nixos/kubernetes: refactor feature gates to attrsOf bool, making it possible to disable featureGates This is a breaking change, requiring users of `featureGates` to change from a `listOf str` to `attrsOf bool`. Before: ```nix featureGates = [ "EphemeralContainers" ]; extraOpts = pkgs.lib.concatStringsSep " " ( [ "--container-runtime=remote" ''--feature-gates="CSIMigration=false"'' }); ``` After: ```nix featureGates = {EphemeralContainers = true; CSIMigration=false;}; ``` This is much nicer, and sets us up for later work of migrating to configuration files for other services, like e.g. has been happening with kubelet (see: #290119). Signed-off-by: Christina Sørensen <christina@cafkafk.com>
2024-07-17 09:10:17 +02:00
default = { };
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.attrsOf lib.types.bool;
kubernetes module: add featureGates option
2017-09-01 12:14:00 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
masterAddress = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = "Clusterwide available network address or hostname for the kubernetes master server.";
example = "master.example.com";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.str;
kubernetes: update service
2017-04-26 22:44:38 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
path = lib.mkOption {
kubernetes: update service
2017-04-26 22:44:38 +02:00
description = "Packages added to the services' PATH environment variable. Both the bin and sbin subdirectories of each package are added.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.listOf lib.types.package;
kubernetes: 1.5.6 -> 1.6.4
2017-04-21 15:25:05 +02:00
default = [ ];
nixos/kubernetes: skydns integration
2015-06-08 13:15:26 +02:00
};
kubernetes: 1.5.6 -> 1.6.4
2017-04-21 15:25:05 +02:00
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
clusterCidr = lib.mkOption {
kubernetes: update service
2017-04-26 22:44:38 +02:00
description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster.";
kubernetes module: fix cidr ranges
2017-05-30 14:54:29 +02:00
default = "10.1.0.0/16";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.nullOr lib.types.str;
kubernetes: update service
2017-04-26 22:44:38 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
lib = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = "Common functions for the kubernetes modules.";
default = {
inherit mkCert;
inherit mkKubeConfig;
inherit mkKubeConfigOptions;
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.attrs;
kubernetes module: flannel support, minor fixes - add flannel support - remove deprecated authorizationRBACSuperAdmin option - rename from deprecated poratalNet to serviceClusterIpRange - add nodeIp option for kubelet - kubelet, add br_netfilter to kernelModules - enable firewall by default - enable dns by default on node and on master - disable iptables for docker by default on nodes - dns, restart on failure - update tests and other minor changes
2017-05-26 23:21:17 +02:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
secretsPath = lib.mkOption {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
description = "Default location for kubernetes secrets. Not a store location.";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
type = lib.types.path;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
default = cfg.dataDir + "/secrets";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
defaultText = lib.literalExpression ''
nixos/kubernetes: add missing defaultText to expression default
2021-12-08 05:08:23 +01:00
config.${opt.dataDir} + "/secrets"
'';
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
};
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
};
###### implementation
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
config = lib.mkMerge [
kubernetes module: seedDockerImages option for seeding docker images built with nix
2017-09-01 12:22:12 +02:00
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf cfg.easyCerts {
services.kubernetes.pki.enable = lib.mkDefault true;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
services.kubernetes.caFile = caCert;
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf (lib.elem "master" cfg.roles) {
services.kubernetes.apiserver.enable = lib.mkDefault true;
services.kubernetes.scheduler.enable = lib.mkDefault true;
services.kubernetes.controllerManager.enable = lib.mkDefault true;
services.kubernetes.addonManager.enable = lib.mkDefault true;
services.kubernetes.proxy.enable = lib.mkDefault true;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
services.etcd.enable = true; # Cannot mkDefault because of flannel default options
nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything.
2019-02-12 16:48:23 +01:00
services.kubernetes.kubelet = {
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
enable = lib.mkDefault true;
taints = lib.mkIf (!(lib.elem "node" cfg.roles)) {
nixos/kubernetes: let flannel use kubernetes as storage backend + isolate etcd on the master node by letting it listen only on loopback + enabling kubelet on master and taint master with NoSchedule The reason for the latter is that flannel requires all nodes to be "registered" in the cluster in order to setup the cluster network. This means that the kubelet is needed even at nodes on which we don't plan to schedule anything.
2019-02-12 16:48:23 +01:00
master = {
key = "node-role.kubernetes.io/master";
value = "true";
effect = "NoSchedule";
};
};
};
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf (lib.all (el: el == "master") cfg.roles) {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
# if this node is only a master make it unschedulable by default
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
services.kubernetes.kubelet.unschedulable = lib.mkDefault true;
kubernetes: update service
2017-04-26 22:44:38 +02:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf (lib.elem "node" cfg.roles) {
services.kubernetes.kubelet.enable = lib.mkDefault true;
services.kubernetes.proxy.enable = lib.mkDefault true;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
})
# Using "services.kubernetes.roles" will automatically enable easyCerts and flannel
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf (cfg.roles != [ ]) {
services.kubernetes.flannel.enable = lib.mkDefault true;
services.flannel.etcd.endpoints = lib.mkDefault etcdEndpoints;
services.kubernetes.easyCerts = lib.mkDefault true;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf cfg.apiserver.enable {
services.kubernetes.pki.etcClusterAdminKubeconfig = lib.mkDefault "kubernetes/cluster-admin.kubeconfig";
services.kubernetes.apiserver.etcd.servers = lib.mkDefault etcdEndpoints;
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf cfg.kubelet.enable {
nixos/kubernetes: docker -> containerd also, nixos/containerd: module init
2021-02-25 16:00:59 +01:00
virtualisation.containerd = {
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
enable = lib.mkDefault true;
settings = lib.mapAttrsRecursive (name: lib.mkDefault) defaultContainerdSettings;
kubernetes module: flannel support, minor fixes - add flannel support - remove deprecated authorizationRBACSuperAdmin option - rename from deprecated poratalNet to serviceClusterIpRange - add nodeIp option for kubelet - kubelet, add br_netfilter to kernelModules - enable firewall by default - enable dns by default on node and on master - disable iptables for docker by default on nodes - dns, restart on failure - update tests and other minor changes
2017-05-26 23:21:17 +02:00
};
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf (cfg.apiserver.enable || cfg.controllerManager.enable) {
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
services.kubernetes.pki.certs = {
serviceAccount = mkCert {
name = "service-account";
CN = "system:service-account-signer";
action = ''
nixos/kubernetes: fix service reload to restart
2024-06-22 07:52:46 +02:00
systemctl restart \
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
kube-apiserver.service \
kube-controller-manager.service
'';
kubernetes: update service
2017-04-26 22:44:38 +02:00
};
};
})
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
(lib.mkIf
(
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
cfg.apiserver.enable
|| cfg.scheduler.enable
|| cfg.controllerManager.enable
|| cfg.kubelet.enable
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
|| cfg.proxy.enable
|| cfg.addonManager.enable
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
)
{
treewide: use attrs instead of list for types.loaOf options
2019-09-14 19:51:29 +02:00
systemd.targets.kubernetes = {
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
description = "Kubernetes";
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
wantedBy = [ "multi-user.target" ];
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
kubernetes module: flannel support, minor fixes - add flannel support - remove deprecated authorizationRBACSuperAdmin option - rename from deprecated poratalNet to serviceClusterIpRange - add nodeIp option for kubelet - kubelet, add br_netfilter to kernelModules - enable firewall by default - enable dns by default on node and on master - disable iptables for docker by default on nodes - dns, restart on failure - update tests and other minor changes
2017-05-26 23:21:17 +02:00
kubernetes module: support for kubernetes 1.4
2016-11-16 16:29:35 +01:00
systemd.tmpfiles.rules = [
"d /opt/cni/bin 0755 root root -"
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
"d /run/kubernetes 0755 kubernetes kubernetes -"
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
"d ${cfg.dataDir} 0755 kubernetes kubernetes -"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
];
nixos/modules: users.(extraUsers|extraGroup->users|group)
2018-06-30 01:58:35 +02:00
users.users.kubernetes = {
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
uid = config.ids.uids.kubernetes;
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
description = "Kubernetes user";
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
group = "kubernetes";
home = cfg.dataDir;
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
createHome = true;
nixos/kubernetes: set k8 home permissions correctly
2024-02-14 14:42:02 -08:00
homeMode = "755";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
users.groups.kubernetes.gid = config.ids.gids.kubernetes;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
# dns addon is enabled by default
services.kubernetes.addons.dns.enable = lib.mkDefault true;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/services.kubernetes: remove `with lib;`
2024-12-08 13:18:23 +01:00
services.kubernetes.apiserverAddress = lib.mkDefault (
"https://${
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
if cfg.apiserver.advertiseAddress != null then
kubernetes module: per service kubeconfig support
2017-05-30 11:26:32 +02:00
cfg.apiserver.advertiseAddress
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI
2018-07-22 13:14:20 +02:00
else
"${cfg.masterAddress}:${toString cfg.apiserver.securePort}"
}"
);
kubernetes module: flannel support, minor fixes - add flannel support - remove deprecated authorizationRBACSuperAdmin option - rename from deprecated poratalNet to serviceClusterIpRange - add nodeIp option for kubelet - kubelet, add br_netfilter to kernelModules - enable firewall by default - enable dns by default on node and on master - disable iptables for docker by default on nodes - dns, restart on failure - update tests and other minor changes
2017-05-26 23:21:17 +02:00
}
)
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
];
nixos/kubernetes: move all k8s docs out of the sandbox otherwise the manual won't build. ideally they'll move back into the sandbox at some point, but we're obviously not qualified to put them there.
2022-01-08 07:10:25 +01:00
meta.buildDocsInSandbox = false;
nixos: add kubernetes module
2014-11-23 01:27:04 +01:00
}
Reference in a new issue Copy permalink