Cleanup pki: proxy

This commit is contained in:
Christian Albrecht 2019-03-11 11:01:54 +01:00
parent 73657b7fcf
commit 46653f84c9
No known key found for this signature in database
GPG Key ID: 866AF4B25DF7EB00
2 changed files with 26 additions and 25 deletions


@ -124,10 +124,6 @@ in
top.caFile top.caFile
certmgrAPITokenPath certmgrAPITokenPath
]; ];
proxyPaths = mkIf top.proxy.enable [
cfg.certs.kubeProxyClient.cert
cfg.certs.kubeProxyClient.key
];
schedulerPaths = mkIf top.scheduler.enable [ schedulerPaths = mkIf top.scheduler.enable [
cfg.certs.schedulerClient.cert cfg.certs.schedulerClient.cert
cfg.certs.schedulerClient.key cfg.certs.schedulerClient.key
@ -366,19 +362,6 @@ in
127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local 127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
''; '';
systemd.services.kube-proxy = mkIf top.proxy.enable {
environment = { inherit (top.pki.certs.kubeProxyClient) cert key; };
unitConfig.ConditionPathExists = proxyPaths;
};
systemd.paths.kube-proxy = mkIf top.proxy.enable {
wantedBy = [ "kube-proxy.service" ];
pathConfig = {
PathExists = proxyPaths;
PathChanged = proxyPaths;
};
};
services.kubernetes = { services.kubernetes = {
apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; { apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {


@ -45,18 +45,27 @@ in
}; };
###### implementation ###### implementation
config = mkIf cfg.enable { config = let
systemd.services.kube-proxy = {
proxyPaths = filter (a: a != null) [
cfg.kubeconfig.caFile
cfg.kubeconfig.certFile
cfg.kubeconfig.keyFile
];
in mkIf cfg.enable {
systemd.services.kube-proxy = rec {
description = "Kubernetes Proxy Service"; description = "Kubernetes Proxy Service";
wantedBy = [ "kube-node-online.target" ]; wantedBy = [ "kube-node-online.target" ];
after = [ "kubelet-online.service" ]; after = [ "kubelet-online.service" ];
before = [ "kube-node-online.target" ]; before = [ "kube-node-online.target" ];
path = with pkgs; [ iptables conntrack_tools ]; environment.KUBECONFIG = top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig;
path = with pkgs; [ iptables conntrack_tools kubectl ];
preStart = '' preStart = ''
${top.lib.mkWaitCurl ( with config.systemd.services.kube-proxy; { until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do
path = "/api/v1/nodes/${top.kubelet.hostname}"; echo kubectl auth can-i get nodes/${top.kubelet.hostname}: exit status $?
cacert = top.caFile; sleep 2
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} done
''; '';
serviceConfig = { serviceConfig = {
Slice = "kubernetes.slice"; Slice = "kubernetes.slice";
@ -66,7 +75,7 @@ in
"--cluster-cidr=${top.clusterCidr}"} \ "--cluster-cidr=${top.clusterCidr}"} \
${optionalString (cfg.featureGates != []) ${optionalString (cfg.featureGates != [])
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
--kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ --kubeconfig=${environment.KUBECONFIG} \
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
${cfg.extraOpts} ${cfg.extraOpts}
''; '';
@ -74,6 +83,15 @@ in
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
}; };
unitConfig.ConditionPathExists = proxyPaths;
};
systemd.paths.kube-proxy = {
wantedBy = [ "kube-proxy.service" ];
pathConfig = {
PathExists = proxyPaths;
PathChanged = proxyPaths;
};
}; };
services.kubernetes.pki.certs = { services.kubernetes.pki.certs = {
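Review bot: The readiness loop added to preStart (`until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do … sleep 2; done`) discards kubectl's stderr, so a wrong CA, a not-yet-issued or expired client certificate, and an unreachable apiserver are all indistinguishable from "RBAC not granted yet": the unit polls forever and the journal shows only a numeric exit status, hiding exactly the TLS-verification failure an operator would need to see. Let stderr reach the journal and make the message self-explanatory, e.g. `until kubectl auth can-i get nodes/${top.kubelet.hostname} -q; do echo "waiting for access to nodes/${top.kubelet.hostname} (kubectl exit status $?)"; sleep 2; done` — `$?` in the body is the status of the `until` condition, so the value printed stays correct. The loop itself is unbounded; only a TimeoutStartSec on the unit, which this hunk does not set, would cap it — worth confirming the default is acceptable here. Note also that `2>/dev/null` previously guarded nothing: the old mkWaitCurl call was replaced wholesale, so no output contract depends on a silent loop.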