diff options
author | pennae <github@quasiparticle.net> | 2021-12-08 05:09:32 +0100 |
---|---|---|
committer | pennae <github@quasiparticle.net> | 2021-12-29 20:12:02 +0100 |
commit | 7e28421e1704c95c056f2b2e7fc27a7569182e0f (patch) | |
tree | 5868cc2bdfc1917924fdbaed94342080354e0f5a | |
parent | abef4b10b6d75da66025b9f9fe095e820f8b96ad (diff) | |
download | nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar.gz nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar.bz2 nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar.lz nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar.xz nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.tar.zst nixpkgs-7e28421e1704c95c056f2b2e7fc27a7569182e0f.zip |
nixos/kubernetes: make lib option internal and readonly
this set almost certainly shouldn't be touched by users, nor listed in the manual. make it internal and use it only through the option path to make clear that this should not be modified.
6 files changed, 23 insertions, 16 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index ed25715fab7..6d54659720c 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.controllerManager; + klib = options.services.kubernetes.lib.default; in { imports = [ @@ -56,7 +57,7 @@ in type = int; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes controller manager"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; @@ -129,7 +130,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ @@ -156,7 +157,7 @@ in path = top.path; }; - services.kubernetes.pki.certs = with top.lib; { + services.kubernetes.pki.certs = with klib; { controllerManager = mkCert { name = "kube-controller-manager"; CN = "kube-controller-manager"; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index af39b87fa77..807d8d1a193 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -192,6 +192,8 @@ in { inherit mkKubeConfigOptions; }; type = types.attrs; + readOnly = true; + internal = true; }; secretsPath = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 3e8eac96f6b..2d58547ce4c 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.kubelet; + klib = options.services.kubernetes.lib.default; cniConfig = if cfg.cni.config != [] && cfg.cni.configDir != null then @@ -27,7 +28,7 @@ let config.Cmd = ["/bin/pause"]; }; - kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig; + kubeconfig = klib.mkKubeConfig "kubelet" cfg.kubeconfig; manifestPath = "kubernetes/manifests"; @@ -177,7 +178,7 @@ in type = str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubelet"; + kubeconfig = klib.mkKubeConfigOptions "Kubelet"; manifests = mkOption { description = "List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)"; @@ -358,7 +359,7 @@ in services.kubernetes.kubelet.hostname = with config.networking; mkDefault (hostName + optionalString (domain != null) ".${domain}"); - services.kubernetes.pki.certs = with top.lib; { + services.kubernetes.pki.certs = with klib; { kubelet = mkCert { name = "kubelet"; CN = top.kubelet.hostname; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 76ab03cd520..00d572a5098 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -1,10 +1,11 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let top = config.services.kubernetes; cfg = top.pki; + klib = options.services.kubernetes.lib; csrCA = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON { key = { @@ -29,7 +30,7 @@ let cfsslAPITokenLength = 32; clusterAdminKubeconfig = with cfg.certs.clusterAdmin; - top.lib.mkKubeConfig "cluster-admin" { + klib.mkKubeConfig "cluster-admin" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -250,7 +251,7 @@ in # - it would be better with a more Nix-oriented way of managing addons systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{ environment.KUBECONFIG = with cfg.certs.addonManager; - top.lib.mkKubeConfig "addon-manager" { + klib.mkKubeConfig "addon-manager" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -343,7 +344,7 @@ in ''; services.flannel = with cfg.certs.flannelClient; { - kubeconfig = top.lib.mkKubeConfig "flannel" { + kubeconfig = klib.mkKubeConfig "flannel" { server = top.apiserverAddress; certFile = cert; keyFile = key; diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 5f3da034120..986301f6bd9 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.proxy; + klib = options.services.kubernetes.lib.default; in { imports = [ @@ -43,7 +44,7 @@ in type = str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes proxy"; verbosity = mkOption { description = '' @@ -72,7 +73,7 @@ in ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ --hostname-override=${cfg.hostname} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; @@ -88,7 +89,7 @@ in services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName; services.kubernetes.pki.certs = { - kubeProxyClient = top.lib.mkCert { + kubeProxyClient = klib.mkCert { name = "kube-proxy-client"; CN = "system:kube-proxy"; action = "systemctl restart kube-proxy.service"; diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 87263ee72fa..442e3fe3a69 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.scheduler; + klib = options.services.kubernetes.lib.default; in { ###### interface @@ -32,7 +33,7 @@ in type = listOf str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes scheduler"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; @@ -69,7 +70,7 @@ in --address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ --port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ @@ -87,7 +88,7 @@ in }; services.kubernetes.pki.certs = { - schedulerClient = top.lib.mkCert { + schedulerClient = klib.mkCert { name = "kube-scheduler-client"; CN = "system:kube-scheduler"; action = "systemctl restart kube-scheduler.service"; |