From ff382c18c8f8e3eba1fc3ff331b7146bcb3af674 Mon Sep 17 00:00:00 2001
From: Christian Albrecht
Date: Wed, 6 Mar 2019 17:56:28 +0100
Subject: [PATCH] nixos/kubernetes: Address review: Move remaining paths to pki

---
 .../services/cluster/kubernetes/apiserver.nix | 41 +-----------
 .../services/cluster/kubernetes/kubelet.nix   | 19 +-----
 .../services/cluster/kubernetes/pki.nix       | 62 ++++++++++++++++++-
 3 files changed, 64 insertions(+), 58 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 72fb9535832..63b485c43b8 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -272,25 +272,7 @@ in
   ###### implementation
   config = mkMerge [
-    (mkIf cfg.enable (let
-      apiserverPaths = [
-        cfg.clientCaFile
-        cfg.etcd.caFile
-        cfg.etcd.certFile
-        cfg.etcd.keyFile
-        cfg.kubeletClientCaFile
-        cfg.kubeletClientCertFile
-        cfg.kubeletClientKeyFile
-        cfg.serviceAccountKeyFile
-        cfg.tlsCertFile
-        cfg.tlsKeyFile
-      ];
-      etcdPaths = [
-        config.services.etcd.certFile
-        config.services.etcd.keyFile
-        config.services.etcd.trustedCaFile
-      ];
-    in {
+    (mkIf cfg.enable {
       systemd.services.kube-apiserver = {
         description = "Kubernetes APIServer Service";
         wantedBy = [ "kube-control-plane-online.target" ];
@@ -360,25 +342,6 @@ in
           Restart = "on-failure";
           RestartSec = 5;
         };
-        unitConfig.ConditionPathExists = apiserverPaths;
-      };
-
-      systemd.paths.kube-apiserver = {
-        wantedBy = [ "kube-apiserver.service" ];
-        pathConfig = {
-          PathExists = apiserverPaths;
-          PathChanged = apiserverPaths;
-        };
-      };
-
-      systemd.services.etcd.unitConfig.ConditionPathExists = etcdPaths;
-
-      systemd.paths.etcd = {
-        wantedBy = [ "etcd.service" ];
-        pathConfig = {
-          PathExists = etcdPaths;
-          PathChanged = etcdPaths;
-        };
       };
       services.etcd = {
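Review bot: Removing `unitConfig.ConditionPathExists` and the `systemd.paths.kube-apiserver` unit from this module (here and in the deleted block at -360,25) means kube-apiserver no longer waits for its certificate and key files unless pki.nix re-adds that gate; the replacement there is wrapped in `mkIf top.apiserver.enable` and, presumably, in the pki module's own enable condition, so a deployment with externally provisioned certificates would now start the service and let it crash-loop until the files appear. If that narrowing is intended, record it next to the new `(mkIf cfg.enable {` with a comment such as `# cert path start conditions are managed by pki.nix`; otherwise keep a `unitConfig.ConditionPathExists` here built from the `cfg.*File` options and let pki.nix add only the path units. The same applies to kubelet.nix at -241,13 and -310,15. The mkMerge entry this hunk opens continues past the hunk.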
@@ -459,7 +422,7 @@ in
         };
       };
-    }))
+    })
     {
       systemd.targets.kube-control-plane-online = {
         wantedBy = [ "kubernetes.target" ];
diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index 01cdfccccf9..8eb212b41ec 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -241,13 +241,7 @@ in
   ###### implementation
   config = mkMerge [
-    (mkIf cfg.enable (let
-      kubeletPaths = [
-        cfg.clientCaFile
-        cfg.tlsCertFile
-        cfg.tlsKeyFile
-      ];
-    in {
+    (mkIf cfg.enable {
       services.kubernetes.kubelet.seedDockerImages = [infraContainer];
       systemd.services.kubelet = {
@@ -310,15 +304,6 @@ in
           '';
           WorkingDirectory = top.dataDir;
         };
-        unitConfig.ConditionPathExists = kubeletPaths;
-      };
-
-      systemd.paths.kubelet = {
-        wantedBy = [ "kubelet.service" ];
-        pathConfig = {
-          PathExists = kubeletPaths;
-          PathChanged = kubeletPaths;
-        };
       };
       systemd.services.docker.before = [ "kubelet.service" ];
@@ -387,7 +372,7 @@ in
       };
       services.kubernetes.kubelet.kubeconfig.server = mkDefault top.apiserverAddress;
-    }))
+    })
     (mkIf (cfg.enable && cfg.manifests != {}) {
       environment.etc = mapAttrs' (name: manifest:
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 0b43f2034c2..8bacc07b008 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -125,6 +125,23 @@ in
       top.caFile
       certmgrAPITokenPath
     ];
+    apiserverPaths = [
+      top.apiserver.clientCaFile
+      top.apiserver.etcd.caFile
+      top.apiserver.etcd.certFile
+      top.apiserver.etcd.keyFile
+      top.apiserver.kubeletClientCaFile
+      top.apiserver.kubeletClientCertFile
+      top.apiserver.kubeletClientKeyFile
+      top.apiserver.serviceAccountKeyFile
+      top.apiserver.tlsCertFile
+      top.apiserver.tlsKeyFile
+    ];
+    etcdPaths = [
+      config.services.etcd.certFile
+      config.services.etcd.keyFile
+      config.services.etcd.trustedCaFile
+    ];
     addonManagerPaths = mkIf top.addonManager.enable [
       cfg.certs.addonManager.cert
       cfg.certs.addonManager.key
@@ -150,6 +167,11 @@ in
       cfg.certs.controllerManagerClient.cert
       cfg.certs.controllerManagerClient.key
     ];
+    kubeletPaths = [
+      top.kubelet.clientCaFile
+      top.kubelet.tlsCertFile
+      top.kubelet.tlsKeyFile
+    ];
   in {
@@ -415,7 +437,7 @@ in
     # isolate etcd on loopback at the master node
     # easyCerts doesn't support multimaster clusters anyway atm.
-    services.etcd = with cfg.certs.etcd; {
+    services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; {
       listenClientUrls = ["https://127.0.0.1:2379"];
       listenPeerUrls = ["https://127.0.0.1:2380"];
       advertiseClientUrls = ["https://etcd.local:2379"];
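Review bot: `apiserverPaths` and `etcdPaths` are plain lists while the neighbouring `addonManagerPaths` is wrapped in `mkIf top.addonManager.enable`, so the let block now mixes two conventions for the same kind of binding, with the condition for the new lists applied at each use site instead (the `mkIf top.apiserver.enable` wrappers in the hunk at -424,11). Choosing one form, e.g. `apiserverPaths = mkIf top.apiserver.enable [` with the per-use `mkIf` dropped, or the reverse for the existing lists, keeps it uniform. A short comment would also help on `etcdPaths`, whose entries come from `config.services.etcd.*` rather than `top.*`: `# resolved via services.etcd, which this module sets below when the apiserver is enabled` — that wording assumes the mkDefault values below are the only source, so confirm before adding it. The `kubeletPaths` binding in the hunk at -150,6 has the same shape and would follow whichever convention is chosen.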
@@ -424,11 +446,35 @@ in
       certFile = mkDefault cert;
       keyFile = mkDefault key;
       trustedCaFile = mkDefault caCert;
-    };
+    });
     networking.extraHosts = mkIf (config.services.etcd.enable) ''
       127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
     '';
+    systemd.services.kube-apiserver = mkIf top.apiserver.enable {
+      unitConfig.ConditionPathExists = apiserverPaths;
+    };
+
+    systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+      wantedBy = [ "kube-apiserver.service" ];
+      pathConfig = {
+        PathExists = apiserverPaths;
+        PathChanged = apiserverPaths;
+      };
+    };
+
+    systemd.services.etcd = mkIf top.apiserver.enable {
+      unitConfig.ConditionPathExists = etcdPaths;
+    };
+
+    systemd.paths.etcd = mkIf top.apiserver.enable {
+      wantedBy = [ "etcd.service" ];
+      pathConfig = {
+        PathExists = etcdPaths;
+        PathChanged = etcdPaths;
+      };
+    };
+
     services.flannel = with cfg.certs.flannelClient; {
       kubeconfig = top.lib.mkKubeConfig "flannel" {
         server = top.apiserverAddress;
@@ -455,6 +501,18 @@ in
       unitConfig.ConditionPathExists = proxyPaths;
     };
+    systemd.services.kubelet = mkIf top.kubelet.enable {
+      unitConfig.ConditionPathExists = kubeletPaths;
+    };
+
+    systemd.paths.kubelet = mkIf top.kubelet.enable {
+      wantedBy = [ "kubelet.service" ];
+      pathConfig = {
+        PathExists = kubeletPaths;
+        PathChanged = kubeletPaths;
+      };
+    };
+
     systemd.paths.kube-proxy = mkIf top.proxy.enable {
       wantedBy = [ "kube-proxy.service" ];
       pathConfig = {
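Review bot: The new `systemd.paths.kube-apiserver` and `systemd.paths.etcd` entries here, the `systemd.paths.kubelet` entry in the hunk at -455,6 and, as far as the context shows, the existing kube-proxy one all repeat the same `wantedBy`/`pathConfig` shape with only the service name and path list varying. A helper bound in the let block above this hunk, `mkPathUnit = service: paths: { wantedBy = [ "${service}.service" ]; pathConfig = { PathExists = paths; PathChanged = paths; }; };`, would reduce each entry to one line, e.g. `systemd.paths.kube-apiserver = mkIf top.apiserver.enable (mkPathUnit "kube-apiserver" apiserverPaths);` and `systemd.paths.etcd = mkIf top.apiserver.enable (mkPathUnit "etcd" etcdPaths);`. It would also make it obvious that each service's path unit watches the same list as its `ConditionPathExists`, which currently has to be checked by eye across two attribute sets. The enclosing attribute set starts and ends outside this hunk.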
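Review bot: The new kubelet block is inserted between what appears to be the end of `systemd.services.kube-proxy` (the `unitConfig.ConditionPathExists = proxyPaths; };` context above it) and `systemd.paths.kube-proxy`, splitting the proxy's service condition from its path unit, whereas the kube-apiserver and etcd entries in the hunk at -424,11 keep each pair adjacent. Moving `systemd.services.kubelet` and `systemd.paths.kubelet` to after the kube-proxy path unit would keep every service's condition next to the path unit that starts it. The enclosing attribute set continues outside the hunk.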