From ff382c18c8f8e3eba1fc3ff331b7146bcb3af674 Mon Sep 17 00:00:00 2001
From: Christian Albrecht <christian.albrecht@mayflower.de>
Date: Wed, 6 Mar 2019 17:56:28 +0100
Subject: [PATCH] nixos/kubernetes: Address review: Move remaining paths to pki
---
.../services/cluster/kubernetes/apiserver.nix | 41 +-----------
.../services/cluster/kubernetes/kubelet.nix | 19 +-----
.../services/cluster/kubernetes/pki.nix | 62 ++++++++++++++++++-
3 files changed, 64 insertions(+), 58 deletions(-)
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 72fb9535832..63b485c43b8 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -272,25 +272,7 @@ in
###### implementation
config = mkMerge [
- (mkIf cfg.enable (let
- apiserverPaths = [
- cfg.clientCaFile
- cfg.etcd.caFile
- cfg.etcd.certFile
- cfg.etcd.keyFile
- cfg.kubeletClientCaFile
- cfg.kubeletClientCertFile
- cfg.kubeletClientKeyFile
- cfg.serviceAccountKeyFile
- cfg.tlsCertFile
- cfg.tlsKeyFile
- ];
- etcdPaths = [
- config.services.etcd.certFile
- config.services.etcd.keyFile
- config.services.etcd.trustedCaFile
- ];
- in {
+ (mkIf cfg.enable {
systemd.services.kube-apiserver = {
description = "Kubernetes APIServer Service";
wantedBy = [ "kube-control-plane-online.target" ];
@@ -360,25 +342,6 @@ in
Restart = "on-failure";
RestartSec = 5;
};
- unitConfig.ConditionPathExists = apiserverPaths;
- };
-
- systemd.paths.kube-apiserver = {
- wantedBy = [ "kube-apiserver.service" ];
- pathConfig = {
- PathExists = apiserverPaths;
- PathChanged = apiserverPaths;
- };
- };
-
- systemd.services.etcd.unitConfig.ConditionPathExists = etcdPaths;
-
- systemd.paths.etcd = {
- wantedBy = [ "etcd.service" ];
- pathConfig = {
- PathExists = etcdPaths;
- PathChanged = etcdPaths;
- };
};
services.etcd = {
@@ -459,7 +422,7 @@ in
};
};
- }))
+ })
{
systemd.targets.kube-control-plane-online = {
wantedBy = [ "kubernetes.target" ];
diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index 01cdfccccf9..8eb212b41ec 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -241,13 +241,7 @@ in
###### implementation
config = mkMerge [
- (mkIf cfg.enable (let
- kubeletPaths = [
- cfg.clientCaFile
- cfg.tlsCertFile
- cfg.tlsKeyFile
- ];
- in {
+ (mkIf cfg.enable {
services.kubernetes.kubelet.seedDockerImages = [infraContainer];
systemd.services.kubelet = {
@@ -310,15 +304,6 @@ in
'';
WorkingDirectory = top.dataDir;
};
- unitConfig.ConditionPathExists = kubeletPaths;
- };
-
- systemd.paths.kubelet = {
- wantedBy = [ "kubelet.service" ];
- pathConfig = {
- PathExists = kubeletPaths;
- PathChanged = kubeletPaths;
- };
};
systemd.services.docker.before = [ "kubelet.service" ];
@@ -387,7 +372,7 @@ in
};
services.kubernetes.kubelet.kubeconfig.server = mkDefault top.apiserverAddress;
- }))
+ })
(mkIf (cfg.enable && cfg.manifests != {}) {
environment.etc = mapAttrs' (name: manifest:
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 0b43f2034c2..8bacc07b008 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -125,6 +125,23 @@ in
top.caFile
certmgrAPITokenPath
];
+ apiserverPaths = [
+ top.apiserver.clientCaFile
+ top.apiserver.etcd.caFile
+ top.apiserver.etcd.certFile
+ top.apiserver.etcd.keyFile
+ top.apiserver.kubeletClientCaFile
+ top.apiserver.kubeletClientCertFile
+ top.apiserver.kubeletClientKeyFile
+ top.apiserver.serviceAccountKeyFile
+ top.apiserver.tlsCertFile
+ top.apiserver.tlsKeyFile
+ ];
+ etcdPaths = [
+ config.services.etcd.certFile
+ config.services.etcd.keyFile
+ config.services.etcd.trustedCaFile
+ ];
addonManagerPaths = mkIf top.addonManager.enable [
cfg.certs.addonManager.cert
cfg.certs.addonManager.key
@@ -150,6 +167,11 @@ in
cfg.certs.controllerManagerClient.cert
cfg.certs.controllerManagerClient.key
];
+ kubeletPaths = [
+ top.kubelet.clientCaFile
+ top.kubelet.tlsCertFile
+ top.kubelet.tlsKeyFile
+ ];
in
{
@@ -415,7 +437,7 @@ in
# isolate etcd on loopback at the master node
# easyCerts doesn't support multimaster clusters anyway atm.
- services.etcd = with cfg.certs.etcd; {
+ services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; {
listenClientUrls = ["https://127.0.0.1:2379"];
listenPeerUrls = ["https://127.0.0.1:2380"];
advertiseClientUrls = ["https://etcd.local:2379"];
@@ -424,11 +446,35 @@ in
certFile = mkDefault cert;
keyFile = mkDefault key;
trustedCaFile = mkDefault caCert;
- };
+ });
networking.extraHosts = mkIf (config.services.etcd.enable) ''
127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
'';
+ systemd.services.kube-apiserver = mkIf top.apiserver.enable {
+ unitConfig.ConditionPathExists = apiserverPaths;
+ };
+
+ systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+ wantedBy = [ "kube-apiserver.service" ];
+ pathConfig = {
+ PathExists = apiserverPaths;
+ PathChanged = apiserverPaths;
+ };
+ };
+
+ systemd.services.etcd = mkIf top.apiserver.enable {
+ unitConfig.ConditionPathExists = etcdPaths;
+ };
+
+ systemd.paths.etcd = mkIf top.apiserver.enable {
+ wantedBy = [ "etcd.service" ];
+ pathConfig = {
+ PathExists = etcdPaths;
+ PathChanged = etcdPaths;
+ };
+ };
+
services.flannel = with cfg.certs.flannelClient; {
kubeconfig = top.lib.mkKubeConfig "flannel" {
server = top.apiserverAddress;
@@ -455,6 +501,18 @@ in
unitConfig.ConditionPathExists = proxyPaths;
};
+ systemd.services.kubelet = mkIf top.kubelet.enable {
+ unitConfig.ConditionPathExists = kubeletPaths;
+ };
+
+ systemd.paths.kubelet = mkIf top.kubelet.enable {
+ wantedBy = [ "kubelet.service" ];
+ pathConfig = {
+ PathExists = kubeletPaths;
+ PathChanged = kubeletPaths;
+ };
+ };
+
systemd.paths.kube-proxy = mkIf top.proxy.enable {
wantedBy = [ "kube-proxy.service" ];
pathConfig = {