nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix

{ config, lib, pkgs, ... }:

with lib;

let
  top = config.services.kubernetes;
  cfg = top.flannel;

  # needed for flannel to pass options to docker
  mkDockerOpts = pkgs.runCommand "mk-docker-opts" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    mkdir -p $out
    cp ${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh $out/mk-docker-opts.sh

    # bashInteractive needed for `compgen`
    makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "$out/mk-docker-opts.sh"
  '';
in
{
  ###### interface
  options.services.kubernetes.flannel = {
    enable = mkEnableOption "enable flannel networking";
  };

  ###### implementation
  config = mkIf cfg.enable {
    services.flannel = {

      enable = mkDefault true;
      network = mkDefault top.clusterCidr;
    };

    services.kubernetes.kubelet = {
      networkPlugin = mkDefault "cni";
      cni.config = mkDefault [{
        name = "mynet";
        type = "flannel";
        delegate = {
          isDefaultGateway = true;
          bridge = "docker0";
        };
      }];
    };

    systemd.services."mk-docker-opts" = {
      description = "Pre-Docker Actions";
      wantedBy = [ "flannel.service" ];
      before = [ "docker.service" ];
      after = [ "flannel.service" ];
      path = with pkgs; [ gawk gnugrep ];
      script = ''
        mkdir -p /run/flannel
        ${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker
      '';
      serviceConfig.Type = "oneshot";
    };
    systemd.services.docker.serviceConfig.EnvironmentFile = "/run/flannel/docker";

    # read environment variables generated by mk-docker-opts
    virtualisation.docker.extraOptions = "$DOCKER_OPTS";

    networking = {
      firewall.allowedUDPPorts = [
        8285  # flannel udp
        8472  # flannel vxlan
      ];
      dhcpcd.denyInterfaces = [ "docker*" "flannel*" ];
    };

    services.kubernetes.pki.certs = {
      flannelEtcdClient = top.lib.mkCert {
        name = "flannel-etcd-client";
        CN = "flannel-etcd-client";
        action = "systemctl restart flannel.service";
      };
    };
  };
}
nixos/kubernetes: major module refactor - All kubernetes components have been seperated into different files - All TLS-enabled ports have been deprecated and disabled by default - EasyCert option added to support automatic cluster PKI-bootstrap - RBAC has been enforced for all cluster components by default - NixOS kubernetes test cases make use of easyCerts to setup PKI 2018-07-22 04:14:20 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`top = config.services.kubernetes;`
			`cfg = top.flannel;`

			`# needed for flannel to pass options to docker`
			`mkDockerOpts = pkgs.runCommand "mk-docker-opts" {`
			`buildInputs = [ pkgs.makeWrapper ];`
			`} ''`
			`mkdir -p $out`
			`cp ${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh $out/mk-docker-opts.sh`

			# bashInteractive needed for `compgen`
			`makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "$out/mk-docker-opts.sh"`
			`'';`
			`in`
			`{`
			`###### interface`
			`options.services.kubernetes.flannel = {`
			`enable = mkEnableOption "enable flannel networking";`
			`};`

			`###### implementation`
			`config = mkIf cfg.enable {`
			`services.flannel = {`

			`enable = mkDefault true;`
			`network = mkDefault top.clusterCidr;`
			`};`

			`services.kubernetes.kubelet = {`
			`networkPlugin = mkDefault "cni";`
			`cni.config = mkDefault [{`
			`name = "mynet";`
			`type = "flannel";`
			`delegate = {`
			`isDefaultGateway = true;`
			`bridge = "docker0";`
			`};`
			`}];`
			`};`

			`systemd.services."mk-docker-opts" = {`
			`description = "Pre-Docker Actions";`
			`wantedBy = [ "flannel.service" ];`
			`before = [ "docker.service" ];`
			`after = [ "flannel.service" ];`
			`path = with pkgs; [ gawk gnugrep ];`
			`script = ''`
			`mkdir -p /run/flannel`
			`${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker`
			`'';`
			`serviceConfig.Type = "oneshot";`
			`};`
			`systemd.services.docker.serviceConfig.EnvironmentFile = "/run/flannel/docker";`

			`# read environment variables generated by mk-docker-opts`
			`virtualisation.docker.extraOptions = "$DOCKER_OPTS";`

			`networking = {`
			`firewall.allowedUDPPorts = [`
			`8285 # flannel udp`
			`8472 # flannel vxlan`
			`];`
			`dhcpcd.denyInterfaces = [ "docker" "flannel" ];`
			`};`

			`services.kubernetes.pki.certs = {`
			`flannelEtcdClient = top.lib.mkCert {`
			`name = "flannel-etcd-client";`
			`CN = "flannel-etcd-client";`
			`action = "systemctl restart flannel.service";`
			`};`
			`};`
			`};`
			`}`