{`-`} has joined #nixos-kubernetes
<ixxie> cheers!
<ixxie> srhb: I am trying to get around https://github.com/NixOS/nixpkgs/issues/43395
<ixxie> I guess I need to specify a certificate / authority but me being quite the noob I am not quite sure how
<srhb> ixxie: Why not use johanot's module? It takes care of all that for you
<srhb> Oh, actually, prereqs are missing merge still. Meh.
<ixxie> srhb: which module?
<ixxie> you mean the one available in nixpkgs?
<ixxie> I guess I am asking which options I need to set
<srhb> ixxie: I mean johanot's revamped module with automatic TLS/RBAC bootstrapping.
<srhb> The module as-is in unstable is a bit cumbersome to set up, especially securely..
johanot has joined #nixos-kubernetes
<ixxie> so you mean the PR that is in progress?
<srhb> Yes.
<ixxie> alright, I can give it a shot :)
<srhb> But I realized it's a bit more cumbersome since the certmgr/cfssl PRs also aren't in yet.
<ixxie> maybe I will just wait for the merge
<ixxie> its not like I am in a rush or anything
<srhb> johanot: Is there a happy path for testing the new module now that everything is split into several PRs?
<srhb> This might also help speed the review along
<srhb> And ixxie wants a functioning cluster :P
<srhb> (Meaning, can you do a quick nixos-unstable-based branch? :-P)
<johanot> heeellooo srhb and ixxie :) I can do a branch, of course.. With the certmgr patch rebased in as well?
<johanot> (I tried pinging another cloudflare person today, hope it works)
<ixxie> cool
<ixxie> then I guess I could be a guinea pig in exchange for you guys teaching me Zen & the Art of Kubernixos
<johanot> hehe.. deal!
<ixxie> but now is bed time for me, and I am beat
<ixxie> now that there is a log in place I will be able to backtrack all discussions here
<ixxie> johanot: since you missed it - https://logs.nix.samueldr.com/nixos-kubernetes
<srhb> (Thanks samueldr :))
<ixxie> indeed!
<johanot> great! :) thanks samueldr, indeed
<ixxie> so I before I go... I was wondering....
<ixxie> do you use helm with your NixOS Kube clusters?
<johanot> my colleagues do, I don't.. afaik helm/tiller works fine in "kubernixos"
<ixxie> so you just package whatever you need in Nix?
<johanot> oh wait, I don't know anything about any nix'y way of managing helm charts. I think my colleagues keep helm packages and nix separated. I can ask in the office tomorrow
<ixxie> cheers johanot!
<ixxie> I will give it a shot in the coming days
<johanot> great.. I'll try to be better at looking for news in here, for my part :)
<ixxie> johanot: I didn't mean Nixified helm charts, I meant if I need to extend the system it seems most people use helm normally
<ixxie> so I was wondering how you do it (beyond containers of course)
<ixxie> I noticed this 'operator' pattern as well
<ixxie> it's kinda tricky when you are learning something complex like Kubernetes and you ALSO need to learn how to do it on NixOS
<ixxie> so you google around and you typically see the general solutions, but maybe it's impossible/bad practice on NixOS
<johanot> ixxie: I don't know that much about helm, but I could find someone who does, maybe, and invite them here tomorrow. Other than helm, we have sort of an extended/forked version of the kube-addon-manager (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/addon-manager)
<johanot> .. to which we supply manifests
<ixxie> johanot: well, no stress about that; I was just curious. I could start with my own simple deployment patterns, and try out your addon-manager
<ixxie> first things first is learning the basics of cluster mgmt
<johanot> The official kube-addon-manager is part of the NixOS module now, but it is kinda limited, because it only allows for addons in the kube-system namespace
<johanot> btw. if you look at it, it is nothing more than a simple bash loop that runs "kubectl apply -f <manifest>; sleep XX;"
<ixxie> so you can just drop manifests somewhere and they get deployed
<ixxie> why not put them all in a big directory and do "kubectl apply -R -f dir/"?
<ixxie> along with your own manifests that is?
<johanot> we have our own internal option-set (not part of the upstream module) like this: `k8s.manifests = { my-deploy = { apiVersion = "v1"; kind = "Deployment"; ... }; };` .. and then our "addon-manager" runs `pkgs.writeText` on `builtins.toJSON` .. so the generated json manifests end up in the store. Then we generate one systemd unit per manifest, actually. To have flexibility in "stopping/starting" individual addons.
<johanot> big disclaimer: this is far from optimal, which is why we haven't upstreamed it (at least yet) :P
<ixxie> so the service does something like "kubectl apply -f manifest.json" and "kubectl delete -f manifest.json"?
<johanot> ixxie: yes
<ixxie> nice
<johanot> AND you get systemd dependency chains for free, i.e. manifest A requires manifest B etc.
<ixxie> and I guess the main upshot is being able to wrap kubernetes objects in nixos services?
<ixxie> because the manifests could already be quite declarative
<ixxie> but of course normally without a language as expressive as Nix
<ixxie> johanot: for your branch, I can just do `services.kubernetes.roles = [ "master" "node" ];` and I should be good to go?
<johanot> right.. but i'm still not 100% satisfied :P it does not prevent someone imperatively modifying your cluster object, even though you created them in a declarative manner (for example).
<ixxie> yeah
<johanot> ixxie: Yes.. You'll need "services.kubernetes.masterAddress" as well
<johanot> 1 sec
<ixxie> I can see your motivation, and your approach seems cool
<johanot> and "easyCerts = true"
<johanot> ?
<johanot> "nixos-1" is the master, 2 and 3 are nodes
<johanot> should work with a single master+node cluster as well though
<ixxie> awesome johanot! I have been looking for a minimal example for ages
<ixxie> I will try to modify it for my machine in the coming days
<johanot> ixxie: cool. I did setup nixos-1 -> nixos-3 for the purpose of this PR only, so they should be useful :)
<ixxie> sweet
<ixxie> I am planning to write up a nixos.wiki article after I get my bearings, maybe I could use that as an example?
<johanot> ixxie: sure! I think I checked the repo for secrets before pushing :P
<ixxie> I have 1001 more questions but that is for another Nixian night
<ixxie> so thanks again johanot & srhb and see you here again soon
<srhb> o/
ixxie has quit [Quit: Lost terminal]
johanot has quit [Quit: leaving]