nixos/kubernetes: Address review: Move remaining paths to pki

nixos/modules/services/cluster/kubernetes/apiserver.nix

@@ -272,25 +272,7 @@ in
   ###### implementation
   config = mkMerge [
 
-    (mkIf cfg.enable (let
-      apiserverPaths = [
-        cfg.clientCaFile
-        cfg.etcd.caFile
-        cfg.etcd.certFile
-        cfg.etcd.keyFile
-        cfg.kubeletClientCaFile
-        cfg.kubeletClientCertFile
-        cfg.kubeletClientKeyFile
-        cfg.serviceAccountKeyFile
-        cfg.tlsCertFile
-        cfg.tlsKeyFile
-      ];
-      etcdPaths = [
-        config.services.etcd.certFile
-        config.services.etcd.keyFile
-        config.services.etcd.trustedCaFile
-      ];
-    in {
+    (mkIf cfg.enable {
         systemd.services.kube-apiserver = {
           description = "Kubernetes APIServer Service";
           wantedBy = [ "kube-control-plane-online.target" ];
@@ -360,25 +342,6 @@ in
             Restart = "on-failure";
             RestartSec = 5;
           };
-          unitConfig.ConditionPathExists = apiserverPaths;
-        };
-
-        systemd.paths.kube-apiserver = {
-          wantedBy = [ "kube-apiserver.service" ];
-          pathConfig = {
-            PathExists = apiserverPaths;
-            PathChanged = apiserverPaths;
-          };
-        };
-
-        systemd.services.etcd.unitConfig.ConditionPathExists = etcdPaths;
-
-        systemd.paths.etcd = {
-          wantedBy = [ "etcd.service" ];
-          pathConfig = {
-            PathExists = etcdPaths;
-            PathChanged = etcdPaths;
-          };
         };
 
         services.etcd = {
@@ -459,7 +422,7 @@ in
         };
       };
 
-    }))
+    })
     {
       systemd.targets.kube-control-plane-online = {
         wantedBy = [ "kubernetes.target" ];

nixos/modules/services/cluster/kubernetes/kubelet.nix

@@ -241,13 +241,7 @@ in
 
   ###### implementation
   config = mkMerge [
-    (mkIf cfg.enable (let
-      kubeletPaths = [
-        cfg.clientCaFile
-        cfg.tlsCertFile
-        cfg.tlsKeyFile
-      ];
-    in {
+    (mkIf cfg.enable {
       services.kubernetes.kubelet.seedDockerImages = [infraContainer];
 
       systemd.services.kubelet = {
@@ -310,15 +304,6 @@ in
           '';
           WorkingDirectory = top.dataDir;
         };
-        unitConfig.ConditionPathExists = kubeletPaths;
-      };
-
-      systemd.paths.kubelet = {
-        wantedBy =  [ "kubelet.service" ];
-        pathConfig = {
-          PathExists = kubeletPaths;
-          PathChanged = kubeletPaths;
-        };
       };
 
       systemd.services.docker.before = [ "kubelet.service" ];
@@ -387,7 +372,7 @@ in
       };
 
       services.kubernetes.kubelet.kubeconfig.server = mkDefault top.apiserverAddress;
-    }))
+    })
 
     (mkIf (cfg.enable && cfg.manifests != {}) {
       environment.etc = mapAttrs' (name: manifest:

nixos/modules/services/cluster/kubernetes/pki.nix

@@ -125,6 +125,23 @@ in
       top.caFile
       certmgrAPITokenPath
     ];
+    apiserverPaths = [
+      top.apiserver.clientCaFile
+      top.apiserver.etcd.caFile
+      top.apiserver.etcd.certFile
+      top.apiserver.etcd.keyFile
+      top.apiserver.kubeletClientCaFile
+      top.apiserver.kubeletClientCertFile
+      top.apiserver.kubeletClientKeyFile
+      top.apiserver.serviceAccountKeyFile
+      top.apiserver.tlsCertFile
+      top.apiserver.tlsKeyFile
+    ];
+    etcdPaths = [
+      config.services.etcd.certFile
+      config.services.etcd.keyFile
+      config.services.etcd.trustedCaFile
+    ];
     addonManagerPaths = mkIf top.addonManager.enable [
       cfg.certs.addonManager.cert
       cfg.certs.addonManager.key
@@ -150,6 +167,11 @@ in
       cfg.certs.controllerManagerClient.cert
       cfg.certs.controllerManagerClient.key
     ];
+    kubeletPaths = [
+      top.kubelet.clientCaFile
+      top.kubelet.tlsCertFile
+      top.kubelet.tlsKeyFile
+    ];
   in
   {
 
@@ -415,7 +437,7 @@ in
 
       # isolate etcd on loopback at the master node
       # easyCerts doesn't support multimaster clusters anyway atm.
-      services.etcd = with cfg.certs.etcd; {
+      services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; {
         listenClientUrls = ["https://127.0.0.1:2379"];
         listenPeerUrls = ["https://127.0.0.1:2380"];
         advertiseClientUrls = ["https://etcd.local:2379"];
@@ -424,11 +446,35 @@ in
         certFile = mkDefault cert;
         keyFile = mkDefault key;
         trustedCaFile = mkDefault caCert;
-      };
+      });
       networking.extraHosts = mkIf (config.services.etcd.enable) ''
         127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
       '';
 
+      systemd.services.kube-apiserver = mkIf top.apiserver.enable {
+        unitConfig.ConditionPathExists = apiserverPaths;
+      };
+
+      systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+        wantedBy = [ "kube-apiserver.service" ];
+        pathConfig = {
+          PathExists = apiserverPaths;
+          PathChanged = apiserverPaths;
+        };
+      };
+
+      systemd.services.etcd = mkIf top.apiserver.enable {
+        unitConfig.ConditionPathExists = etcdPaths;
+      };
+
+      systemd.paths.etcd = mkIf top.apiserver.enable {
+        wantedBy = [ "etcd.service" ];
+        pathConfig = {
+          PathExists = etcdPaths;
+          PathChanged = etcdPaths;
+        };
+      };
+
       services.flannel = with cfg.certs.flannelClient; {
         kubeconfig = top.lib.mkKubeConfig "flannel" {
           server = top.apiserverAddress;
@@ -455,6 +501,18 @@ in
         unitConfig.ConditionPathExists = proxyPaths;
       };
 
+      systemd.services.kubelet = mkIf top.kubelet.enable {
+        unitConfig.ConditionPathExists = kubeletPaths;
+      };
+
+      systemd.paths.kubelet = mkIf top.kubelet.enable {
+        wantedBy =  [ "kubelet.service" ];
+        pathConfig = {
+          PathExists = kubeletPaths;
+          PathChanged = kubeletPaths;
+        };
+      };
+
       systemd.paths.kube-proxy = mkIf top.proxy.enable {
         wantedBy = [ "kube-proxy.service" ];
         pathConfig = {