authorChristian Albrecht <christian.albrecht@mayflower.de>2019-03-06 16:52:27 +0100
committerChristian Albrecht <christian.albrecht@mayflower.de>2019-03-06 16:55:08 +0100
commit7323b77435f69362b0b4cc7edcb0915e9ab1ff48 (patch)
treeba1b9e79dd180cad3e9571de6535005c4eb273e7 /nixos/modules/services/cluster/kubernetes/pki.nix
parent52fe1d2e7a9c154fe962f7b47ce008bf06cfe746 (diff)
nixos/kubernetes: Address review: Separate preStart from certificates
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/pki.nix')
-rw-r--r--nixos/modules/services/cluster/kubernetes/pki.nix46
1 files changed, 24 insertions, 22 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 98284fba12ac..14af3840eee3 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -344,6 +344,7 @@ in
};
systemd.services.kube-controller-manager = mkIf top.controllerManager.enable {
+ environment = { inherit (cfg.certs.controllerManagerClient) cert key; };
unitConfig.ConditionPathExists = controllerManagerPaths;
};
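Review bot: The added `environment` line publishes the controller-manager client `cert` and `key` values through systemd's `Environment=`, which any local user can read with `systemctl show kube-controller-manager`, so this is only acceptable because the values are paths rather than key material; the `ConditionPathExists` line below and the curl-style `cert`/`key` use in the removed flannel preStart suggest they are paths, but `cfg.certs` itself is defined outside this hunk. A one-line comment would stop a later change from putting PEM contents here: `# cert/key are file paths; Environment= is readable via systemctl show, never put key material here`. The lowercase generic names `cert` and `key` are also inherited by every child process of the unit, so a prefixed name would be less likely to collide, but that is a style choice. The enclosing attribute set continues outside the hunk.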
@@ -355,6 +356,25 @@ in
};
};
+ systemd.services.kube-scheduler = mkIf top.scheduler.enable {
+ environment = { inherit (top.pki.certs.schedulerClient) cert key; };
+ unitConfig.ConditionPathExists = schedulerPaths;
+ };
+
+ systemd.paths.kube-scheduler = mkIf top.scheduler.enable {
+ wantedBy = [ "kube-scheduler.service" ];
+ pathConfig = {
+ PathExists = schedulerPaths;
+ PathChanged = schedulerPaths;
+ };
+ };
+
+ systemd.services.kube-control-plane-online.environment = let
+ client = with cfg.certs; if top.apiserver.enable then clusterAdmin else kubelet;
+ in {
+ inherit (client) cert key;
+ };
+
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig)
clusterAdminKubeconfig;
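Review bot: `kube-control-plane-online` is handed the `clusterAdmin` client certificate whenever `top.apiserver.enable` is set (the `client = … if … then clusterAdmin else kubelet` line), which is far more privilege than an availability probe should need; a dedicated identity with a minimal role, or the kubelet client on every node, would follow least privilege. What the unit does with `cert`/`key` is defined outside this hunk, so if cluster-admin really is required the reason belongs next to the line: `# NOTE: the online probe authenticates as cluster-admin on apiserver nodes; confirm a narrower identity is not sufficient`. Within the same hunk the scheduler block reads `top.pki.certs.schedulerClient` while the control-plane-online block reads `cfg.certs`; the file should settle on one spelling. The enclosing attribute set continues outside the hunk.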
@@ -419,19 +439,12 @@ in
};
};
- systemd.services.flannel = {
- preStart = ''
- ${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; {
- path = "/api/v1/nodes";
- cacert = top.caFile;
- inherit cert key;
- args = "-o - | grep podCIDR >/dev/null";
- })}
- '';
+ systemd.services.flannel = mkIf top.flannel.enable {
+ environment = { inherit (top.pki.certs.flannelClient) cert key; };
unitConfig.ConditionPathExists = flannelPaths;
};
- systemd.paths.flannel = {
+ systemd.paths.flannel = mkIf top.flannel.enable {
wantedBy = [ "flannel.service" ];
pathConfig = {
PathExists = flannelPaths;
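Review bot: The removed flannel preStart passed `cacert = top.caFile` to the apiserver wait alongside `cert` and `key`, but the `environment` block that replaces it exports only `cert` and `key`; whichever unit now performs the wait (not visible in this diff) has to obtain the CA path separately, otherwise the curl call either fails TLS verification or, if someone adds `-k` to make it pass, silently stops authenticating the apiserver. A comment on the environment line would keep the two pieces in sync: `# only the client cert/key are exported here; the apiserver wait (moved out of this file) must still verify against top.caFile`. The `systemd.paths.flannel` block continues past the end of the hunk.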
@@ -440,6 +453,7 @@ in
};
systemd.services.kube-proxy = mkIf top.proxy.enable {
+ environment = { inherit (top.pki.certs.kubeProxyClient) cert key; };
unitConfig.ConditionPathExists = proxyPaths;
};
@@ -451,18 +465,6 @@ in
};
};
- systemd.services.kube-scheduler = mkIf top.scheduler.enable {
- unitConfig.ConditionPathExists = schedulerPaths;
- };
-
- systemd.paths.kube-scheduler = mkIf top.scheduler.enable {
- wantedBy = [ "kube-scheduler.service" ];
- pathConfig = {
- PathExists = schedulerPaths;
- PathChanged = schedulerPaths;
- };
- };
-
services.kubernetes = {
apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {