public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #57693 from mayflower/kube-apiserver-proxy-client-certs 

nixos/kubernetes: Add proxy client certs to apiserver
This commit is contained in:
Robin Gloster 2019-04-17 16:38:51 +00:00 committed by GitHub
parent 7dc6e77bc2 2e29412e9c
commit 44afc81af1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
nixos/modules/services/cluster/kubernetes/apiserver.nix
View File

@ -184,6 +184,18 @@ in
type = bool; type = bool;
}; };
proxyClientCertFile = mkOption {
description = "Client certificate to use for connections to proxy.";
default = null;
type = nullOr path;
};
proxyClientKeyFile = mkOption {
description = "Key to use for connections to proxy.";
default = null;
type = nullOr path;
};
runtimeConfig = mkOption { runtimeConfig = mkOption {
description = '' description = ''
Api runtime configuration. See Api runtime configuration. See
@ -337,6 +349,10 @@ in
"--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \ "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
${optionalString (cfg.kubeletClientKeyFile != null) ${optionalString (cfg.kubeletClientKeyFile != null)
"--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \ "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
${optionalString (cfg.proxyClientCertFile != null)
"--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
${optionalString (cfg.proxyClientKeyFile != null)
"--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
--insecure-bind-address=${cfg.insecureBindAddress} \ --insecure-bind-address=${cfg.insecureBindAddress} \
--insecure-port=${toString cfg.insecurePort} \ --insecure-port=${toString cfg.insecurePort} \
${optionalString (cfg.runtimeConfig != "") ${optionalString (cfg.runtimeConfig != "")
@ -431,6 +447,11 @@ in
] ++ cfg.extraSANs; ] ++ cfg.extraSANs;
action = "systemctl restart kube-apiserver.service"; action = "systemctl restart kube-apiserver.service";
}; };
apiserverProxyClient = mkCert {
name = "kube-apiserver-proxy-client";
CN = "front-proxy-client";
action = "systemctl restart kube-apiserver.service";
};
apiserverKubeletClient = mkCert { apiserverKubeletClient = mkCert {
name = "kube-apiserver-kubelet-client"; name = "kube-apiserver-kubelet-client";
CN = "system:kube-apiserver"; CN = "system:kube-apiserver";

2
nixos/modules/services/cluster/kubernetes/pki.nix
View File

@ -357,6 +357,8 @@ in
kubeletClientCaFile = mkDefault caCert; kubeletClientCaFile = mkDefault caCert;
kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert; kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert;
kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key; kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key;
proxyClientCertFile = mkDefault cfg.certs.apiserverProxyClient.cert;
proxyClientKeyFile = mkDefault cfg.certs.apiserverProxyClient.key;
}); });
addonManager = mkIf top.addonManager.enable { addonManager = mkIf top.addonManager.enable {
kubeconfig = with cfg.certs.addonManager; { kubeconfig = with cfg.certs.addonManager; {