Use nixOS as single-node kubernetes cluster

I posted this question already yesterday in the discord, but didn’t receive a response so far. Therefore I repost here with a slight reword:

I just tried the “1 master + 1 node” approach from the Wiki, but without adding a second computer to the mix…

{
  services.kubernetes.roles = ["master" "node"];
  services.kubernetes.masterAddress = "192.168.178.76";
  services.kubernetes.kubelet.extraOpts = "--fail-swap-on=false";
  services.kubernetes.easyCerts = true;
  services.kubernetes.apiserver = {
    securePort = 8443;
    advertiseAddress = "192.168.178.76";
  };
}

Though when I switch then etcd.service can’t start as some files are missing:

Sep 01 23:07:00 tux-nixos etcd[22865]: peerTLS: cert = /var/lib/kubernetes/secrets/etcd.pem, key = /var/lib/kubernetes/secrets/etcd-key.pem, ca = , trusted-ca = /var/lib/kubernetes/secrets/ca.pem, client-cert-auth = false, crl-file = 
Sep 01 23:07:00 tux-nixos etcd[22865]: open /var/lib/kubernetes/secrets/etcd.pem: no such file or directory

Does someone have an idea how to get kubernetes running?


Have you tried generating a certificate and put it into that path? Don’t know if NixOS is supposed to generate them or not …

I wouldn’t know how to do so.

What kind of certificate is even needed? I’m really new to that kind of stuff. Though I expected that enabling easyCert would deal with that stuff for me…

I just ran the test for kubernetes, it fails as well after trying ~300 times (~30 minutes) to restart some services…

Within those thousands of thousands of lines, I found some hints that it again can’t find some pem files.

So as even the tests fail, it seems to be a bug in nixos.


Sorry for the late reply on this, maybe this will be enough to generate such a key manually just for testing purposes?

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.key -out mycert.pem

I used it for some jupyter notebook configuration a while back.
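Building on the one-liner above, here is an added example (not from any poster in this thread) that generates a throwaway etcd-style cert whose SAN covers both the node hostname and its IP, and then checks the two things worth checking before pointing etcd at the files: that the cert actually carries the expected names, and that cert and key belong together. The hostname "tux-nixos" is taken from the log lines and the IP from the posted config; both are assumptions for your own machine. It needs OpenSSL 1.1.1 or newer for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not code from the thread: self-signed test cert with SANs,
# plus two checks a defender would run before trusting the files.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTNAME_SAN="tux-nixos"        # assumption: hostname seen in the etcd log lines
IP_SAN="192.168.178.76"         # IP from the posted NixOS config

# Generate etcd.pem / etcd-key.pem for testing only. Unlike the bare
# "openssl req -x509" one-liner, this adds a subjectAltName so TLS peers can
# match the cert against either the DNS name or the IP they dial.
gen_test_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$HOSTNAME_SAN" \
    -addext "subjectAltName=DNS:$HOSTNAME_SAN,IP:$IP_SAN" \
    -keyout "$WORKDIR/etcd-key.pem" -out "$WORKDIR/etcd.pem" 2>/dev/null
}

# Succeeds (exit 0) when the cert at $1 lists the literal SAN entry $2,
# e.g. "DNS:tux-nixos" or "IP Address:192.168.178.76".
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "$2"
}

# Succeeds when the public key inside cert $1 equals the one derived from
# private key $2; a mismatch here is a classic cause of TLS start-up failures.
cert_matches_key() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone usage: generate, then verify.
gen_test_cert
cert_has_san "$WORKDIR/etcd.pem" "DNS:$HOSTNAME_SAN"
cert_has_san "$WORKDIR/etcd.pem" "IP Address:$IP_SAN"
cert_matches_key "$WORKDIR/etcd.pem" "$WORKDIR/etcd-key.pem"
echo "test cert and key written to $WORKDIR and verified"
```

The same `cert_has_san` check is useful against whatever easyCerts eventually writes under /var/lib/kubernetes/secrets: if the SAN list lacks the address etcd or the apiserver is configured to use, the service will fail the handshake even though the files now exist.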

Not directly addressing your concern, but — if you can — you might try to use k3s it has good UX — generally speaking. We are on a similar journey at this moment, so in the days / weeks to come we might exchange eurekas and caveats (k3s bound).

I managed to get kubernetes up and running.

Well hidden in a github issue (which I can’t find now) I found that I have to delete some files and that I have to set masterAddress to the hostname, as the cert-daemon seems to not be able to generate a cert for an IP.

Also I learnt that apiserver.advertiseAddress has to be the IP (as I changed it to the hostname as well in first try).

So now the kubernetes is up and running.

Thanks for pointing me to k3s anyway, I might give it a shot.


For the sake of completeness, I found the GitHub issue, which helped me identify the “broken” files: etcd not init etcd.pem with services.kubernetes.roles master · Issue #59364 · NixOS/nixpkgs · GitHub

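Putting the two findings from the posts above into one configuration, here is an added example; it is not NobbZ’s recovered config and not taken from the linked issue. It keeps the original single-node layout but sets `masterAddress` to the hostname (so easyCerts can issue a certificate for it) and keeps `apiserver.advertiseAddress` as the IP. The hostname `tux-nixos` is assumed from the log lines and the IP from the posted config; the `networking.extraHosts` entry is an assumption added so the hostname resolves to the node locally. The stale files the issue says to delete are not listed on this page, so the example does not attempt that step.

```nix
# Added example, not the thread's own config: single-node NixOS kubernetes
# following the thread's two findings (hostname for masterAddress, IP for
# advertiseAddress). Hostname and IP are assumptions; adjust for your node.
{ config, ... }:
{
  networking.hostName = "tux-nixos";
  # easyCerts issues certs for the hostname, so the name must resolve to this
  # node. A hosts entry is the simplest way on a single machine (assumption).
  networking.extraHosts = "192.168.178.76 tux-nixos";

  services.kubernetes = {
    roles = [ "master" "node" ];
    masterAddress = "tux-nixos";             # hostname, not IP (thread finding)
    easyCerts = true;
    kubelet.extraOpts = "--fail-swap-on=false";
    apiserver = {
      securePort = 8443;
      advertiseAddress = "192.168.178.76";   # IP, not hostname (thread finding)
    };
  };
}
```

After `nixos-rebuild switch`, confirm that etcd.pem and etcd-key.pem now exist under /var/lib/kubernetes/secrets before looking further; the original failure was a missing file, not a bad one, so their presence is the first thing to verify.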

@NobbZ

It would be great if you could share the final Nix config for single node k8s, including some comments about the various challenges you found would be amazing.

It is probably buried in my git history. I dropped the whole setup after a very short time in favor of a k3os VM for the sake of simplicity, which again I dropped another month later, as I changed jobs and k8s didn’t play a role anymore.