diff options
author | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-06 16:52:27 +0100 |
---|---|---|
committer | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-06 16:55:08 +0100 |
commit | 7323b77435f69362b0b4cc7edcb0915e9ab1ff48 (patch) | |
tree | ba1b9e79dd180cad3e9571de6535005c4eb273e7 /nixos/modules/services/cluster/kubernetes/pki.nix | |
parent | 52fe1d2e7a9c154fe962f7b47ce008bf06cfe746 (diff) |
nixos/kubernetes: Address review: Separate preStart from certificates
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/pki.nix')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 98284fba12ac..14af3840eee3 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -344,6 +344,7 @@ in }; systemd.services.kube-controller-manager = mkIf top.controllerManager.enable { + environment = { inherit (cfg.certs.controllerManagerClient) cert key; }; unitConfig.ConditionPathExists = controllerManagerPaths; }; @@ -355,6 +356,25 @@ in }; }; + systemd.services.kube-scheduler = mkIf top.scheduler.enable { + environment = { inherit (top.pki.certs.schedulerClient) cert key; }; + unitConfig.ConditionPathExists = schedulerPaths; + }; + + systemd.paths.kube-scheduler = mkIf top.scheduler.enable { + wantedBy = [ "kube-scheduler.service" ]; + pathConfig = { + PathExists = schedulerPaths; + PathChanged = schedulerPaths; + }; + }; + + systemd.services.kube-control-plane-online.environment = let + client = with cfg.certs; if top.apiserver.enable then clusterAdmin else kubelet; + in { + inherit (client) cert key; + }; + environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) clusterAdminKubeconfig; @@ -419,19 +439,12 @@ in }; }; - systemd.services.flannel = { - preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; { - path = "/api/v1/nodes"; - cacert = top.caFile; - inherit cert key; - args = "-o - | grep podCIDR >/dev/null"; - })} - ''; + systemd.services.flannel = mkIf top.flannel.enable { + environment = { inherit (top.pki.certs.flannelClient) cert key; }; unitConfig.ConditionPathExists = flannelPaths; }; - systemd.paths.flannel = { + systemd.paths.flannel = mkIf top.flannel.enable { wantedBy = [ "flannel.service" ]; pathConfig = { PathExists = flannelPaths; @@ -440,6 +453,7 @@ in }; systemd.services.kube-proxy = mkIf top.proxy.enable { + environment = { inherit (top.pki.certs.kubeProxyClient) cert key; }; unitConfig.ConditionPathExists = proxyPaths; }; @@ -451,18 +465,6 @@ in }; }; - systemd.services.kube-scheduler = mkIf top.scheduler.enable { - unitConfig.ConditionPathExists = schedulerPaths; - }; - - systemd.paths.kube-scheduler = mkIf top.scheduler.enable { - wantedBy = [ "kube-scheduler.service" ]; - pathConfig = { - PathExists = schedulerPaths; - PathChanged = schedulerPaths; - }; - }; - services.kubernetes = { apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; { |