338 lines
12 KiB
Nix
338 lines
12 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.services.rke2;
|
|
in
|
|
{
|
|
imports = [ ];
|
|
|
|
options.services.rke2 = {
|
|
enable = lib.mkEnableOption "rke2";
|
|
|
|
package = lib.mkPackageOption pkgs "rke2" { };
|
|
|
|
role = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"server"
|
|
"agent"
|
|
];
|
|
description = ''
|
|
Whether rke2 should run as a server or agent.
|
|
|
|
If it's a server:
|
|
|
|
- By default it also runs workloads as an agent.
|
|
- any optionals is allowed.
|
|
|
|
If it's an agent:
|
|
|
|
- `serverAddr` is required.
|
|
- `token` or `tokenFile` is required.
|
|
- `agentToken` or `agentTokenFile` or `disable` or `cni` are not allowed.
|
|
'';
|
|
default = "server";
|
|
};
|
|
|
|
configPath = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "Load configuration from FILE.";
|
|
default = "/etc/rancher/rke2/config.yaml";
|
|
};
|
|
|
|
debug = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Turn on debug logs.";
|
|
default = false;
|
|
};
|
|
|
|
dataDir = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "The folder to hold state in.";
|
|
default = "/var/lib/rancher/rke2";
|
|
};
|
|
|
|
token = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
Shared secret used to join a server or agent to a cluster.
|
|
|
|
> WARNING: This option will expose store your token unencrypted world-readable in the nix store.
|
|
If this is undesired use the `tokenFile` option instead.
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
tokenFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
description = "File path containing rke2 token to use when connecting to the server.";
|
|
default = null;
|
|
};
|
|
|
|
disable = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "Do not deploy packaged components and delete any deployed components.";
|
|
default = [ ];
|
|
};
|
|
|
|
nodeName = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
description = "Node name.";
|
|
default = null;
|
|
};
|
|
|
|
nodeLabel = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "Registering and starting kubelet with set of labels.";
|
|
default = [ ];
|
|
};
|
|
|
|
nodeTaint = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = "Registering kubelet with set of taints.";
|
|
default = [ ];
|
|
};
|
|
|
|
nodeIP = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
description = "IPv4/IPv6 addresses to advertise for node.";
|
|
default = null;
|
|
};
|
|
|
|
agentToken = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
Shared secret used to join agents to the cluster, but not servers.
|
|
|
|
> **WARNING**: This option will expose store your token unencrypted world-readable in the nix store.
|
|
If this is undesired use the `agentTokenFile` option instead.
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
agentTokenFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
description = "File path containing rke2 agent token to use when connecting to the server.";
|
|
default = null;
|
|
};
|
|
|
|
serverAddr = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "The rke2 server to connect to, used to join a cluster.";
|
|
example = "https://10.0.0.10:6443";
|
|
default = "";
|
|
};
|
|
|
|
selinux = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Enable SELinux in containerd.";
|
|
default = false;
|
|
};
|
|
|
|
cni = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"none"
|
|
"canal"
|
|
"cilium"
|
|
"calico"
|
|
"flannel"
|
|
];
|
|
description = ''
|
|
CNI Plugins to deploy, one of `none`, `calico`, `canal`, `cilium` or `flannel`.
|
|
|
|
All CNI plugins get installed via a helm chart after the main components are up and running
|
|
and can be [customized by modifying the helm chart options](https://docs.rke2.io/helm).
|
|
|
|
[Learn more about RKE2 and CNI plugins](https://docs.rke2.io/networking/basic_network_options)
|
|
|
|
> **WARNING**: Flannel support in RKE2 is currently experimental.
|
|
'';
|
|
default = "canal";
|
|
};
|
|
|
|
cisHardening = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = ''
|
|
Enable CIS Hardening for RKE2.
|
|
|
|
It will set the configurations and controls required to address Kubernetes benchmark controls
|
|
from the Center for Internet Security (CIS).
|
|
|
|
Learn more about [CIS Hardening for RKE2](https://docs.rke2.io/security/hardening_guide).
|
|
|
|
> **NOTICE**:
|
|
>
|
|
> You may need restart the `systemd-sysctl` muaually by:
|
|
>
|
|
> ```shell
|
|
> sudo systemctl restart systemd-sysctl
|
|
> ```
|
|
'';
|
|
default = false;
|
|
};
|
|
|
|
extraFlags = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = ''
|
|
Extra flags to pass to the rke2 service/agent.
|
|
|
|
Here you can find all the available flags:
|
|
|
|
- [Server Configuration Reference](https://docs.rke2.io/reference/server_config)
|
|
- [Agent Configuration Reference](https://docs.rke2.io/reference/linux_agent_config)
|
|
'';
|
|
example = [
|
|
"--disable-kube-proxy"
|
|
"--cluster-cidr=10.24.0.0/16"
|
|
];
|
|
default = [ ];
|
|
};
|
|
|
|
environmentVars = lib.mkOption {
|
|
type = lib.types.attrsOf lib.types.str;
|
|
description = ''
|
|
Environment variables for configuring the rke2 service/agent.
|
|
|
|
Here you can find all the available environment variables:
|
|
|
|
- [Server Configuration Reference](https://docs.rke2.io/reference/server_config)
|
|
- [Agent Configuration Reference](https://docs.rke2.io/reference/linux_agent_config)
|
|
|
|
Besides the options above, you can also active environment variables by edit/create those files:
|
|
|
|
- `/etc/default/rke2`
|
|
- `/etc/sysconfig/rke2`
|
|
- `/usr/local/lib/systemd/system/rke2.env`
|
|
'';
|
|
# See: https://github.com/rancher/rke2/blob/master/bundle/lib/systemd/system/rke2-server.env#L1
|
|
default = {
|
|
HOME = "/root";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = cfg.role == "agent" -> (builtins.pathExists cfg.configPath || cfg.serverAddr != "");
|
|
message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'";
|
|
}
|
|
{
|
|
assertion =
|
|
cfg.role == "agent"
|
|
-> (builtins.pathExists cfg.configPath || cfg.tokenFile != null || cfg.token != "");
|
|
message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'";
|
|
}
|
|
{
|
|
assertion = cfg.role == "agent" -> !(cfg.agentTokenFile != null || cfg.agentToken != "");
|
|
message = "agentToken or agentTokenFile should be set if role is 'agent'";
|
|
}
|
|
{
|
|
assertion = cfg.role == "agent" -> !(cfg.disable != [ ]);
|
|
message = "disable should not be set if role is 'agent'";
|
|
}
|
|
{
|
|
assertion = cfg.role == "agent" -> !(cfg.cni != "canal");
|
|
message = "cni should not be set if role is 'agent'";
|
|
}
|
|
];
|
|
|
|
environment.systemPackages = [ config.services.rke2.package ];
|
|
# To configure NetworkManager to ignore calico/flannel related network interfaces.
|
|
# See: https://docs.rke2.io/known_issues#networkmanager
|
|
environment.etc."NetworkManager/conf.d/rke2-canal.conf" = {
|
|
enable = config.networking.networkmanager.enable;
|
|
text = ''
|
|
[keyfile]
|
|
unmanaged-devices=interface-name:cali*;interface-name:flannel*
|
|
'';
|
|
};
|
|
# See: https://docs.rke2.io/security/hardening_guide#set-kernel-parameters
|
|
boot.kernel.sysctl = lib.mkIf cfg.cisHardening {
|
|
"vm.panic_on_oom" = 0;
|
|
"vm.overcommit_memory" = 1;
|
|
"kernel.panic" = 10;
|
|
"kernel.panic_on_oops" = 1;
|
|
};
|
|
|
|
systemd.services."rke2-${cfg.role}" = {
|
|
description = "Rancher Kubernetes Engine v2";
|
|
documentation = [ "https://github.com/rancher/rke2#readme" ];
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
Type = if cfg.role == "agent" then "exec" else "notify";
|
|
EnvironmentFile = [
|
|
"-/etc/default/%N"
|
|
"-/etc/sysconfig/%N"
|
|
"-/usr/local/lib/systemd/system/%N.env"
|
|
];
|
|
Environment = lib.mapAttrsToList (k: v: "${k}=${v}") cfg.environmentVars;
|
|
KillMode = "process";
|
|
Delegate = "yes";
|
|
LimitNOFILE = 1048576;
|
|
LimitNPROC = "infinity";
|
|
LimitCORE = "infinity";
|
|
TasksMax = "infinity";
|
|
TimeoutStartSec = 0;
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
ExecStartPre = [
|
|
# There is a conflict between RKE2 and `nm-cloud-setup.service`. This service add a routing table that
|
|
# interfere with the CNI plugin's configuration. This script checks if the service is enabled and if so,
|
|
# failed the RKE2 start.
|
|
# See: https://github.com/rancher/rke2/issues/1053
|
|
(pkgs.writeScript "check-nm-cloud-setup.sh" ''
|
|
#! ${pkgs.runtimeShell}
|
|
set -x
|
|
! /run/current-system/systemd/bin/systemctl is-enabled --quiet nm-cloud-setup.service
|
|
'')
|
|
"-${pkgs.kmod}/bin/modprobe br_netfilter"
|
|
"-${pkgs.kmod}/bin/modprobe overlay"
|
|
];
|
|
ExecStart = "${cfg.package}/bin/rke2 '${cfg.role}' ${
|
|
lib.escapeShellArgs (
|
|
(lib.optional (cfg.configPath != "/etc/rancher/rke2/config.yaml") "--config=${cfg.configPath}")
|
|
++ (lib.optional cfg.debug "--debug")
|
|
++ (lib.optional (cfg.dataDir != "/var/lib/rancher/rke2") "--data-dir=${cfg.dataDir}")
|
|
++ (lib.optional (cfg.token != "") "--token=${cfg.token}")
|
|
++ (lib.optional (cfg.tokenFile != null) "--token-file=${cfg.tokenFile}")
|
|
++ (lib.optionals (cfg.role == "server" && cfg.disable != [ ]) (
|
|
map (d: "--disable=${d}") cfg.disable
|
|
))
|
|
++ (lib.optional (cfg.nodeName != null) "--node-name=${cfg.nodeName}")
|
|
++ (lib.optionals (cfg.nodeLabel != [ ]) (map (l: "--node-label=${l}") cfg.nodeLabel))
|
|
++ (lib.optionals (cfg.nodeTaint != [ ]) (map (t: "--node-taint=${t}") cfg.nodeTaint))
|
|
++ (lib.optional (cfg.nodeIP != null) "--node-ip=${cfg.nodeIP}")
|
|
++ (lib.optional (cfg.role == "server" && cfg.agentToken != "") "--agent-token=${cfg.agentToken}")
|
|
++ (lib.optional (
|
|
cfg.role == "server" && cfg.agentTokenFile != null
|
|
) "--agent-token-file=${cfg.agentTokenFile}")
|
|
++ (lib.optional (cfg.serverAddr != "") "--server=${cfg.serverAddr}")
|
|
++ (lib.optional cfg.selinux "--selinux")
|
|
++ (lib.optional (cfg.role == "server" && cfg.cni != "canal") "--cni=${cfg.cni}")
|
|
++ (lib.optional cfg.cisHardening "--profile=${
|
|
if cfg.package.version >= "1.25" then "cis-1.23" else "cis-1.6"
|
|
}")
|
|
++ cfg.extraFlags
|
|
)
|
|
}";
|
|
ExecStopPost =
|
|
let
|
|
killProcess = pkgs.writeScript "kill-process.sh" ''
|
|
#! ${pkgs.runtimeShell}
|
|
/run/current-system/systemd/bin/systemd-cgls /system.slice/$1 | \
|
|
${pkgs.gnugrep}/bin/grep -Eo '[0-9]+ (containerd|kubelet)' | \
|
|
${pkgs.gawk}/bin/awk '{print $1}' | \
|
|
${pkgs.findutils}/bin/xargs -r ${pkgs.util-linux}/bin/kill
|
|
'';
|
|
in
|
|
"-${killProcess} %n";
|
|
};
|
|
};
|
|
};
|
|
}
|