diff options
6 files changed, 23 insertions, 16 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index ed25715fab7..6d54659720c 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.controllerManager; + klib = options.services.kubernetes.lib.default; in { imports = [ @@ -56,7 +57,7 @@ in type = int; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes controller manager"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; @@ -129,7 +130,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ @@ -156,7 +157,7 @@ in path = top.path; }; - services.kubernetes.pki.certs = with top.lib; { + services.kubernetes.pki.certs = with klib; { controllerManager = mkCert { name = "kube-controller-manager"; CN = "kube-controller-manager"; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index af39b87fa77..807d8d1a193 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -192,6 +192,8 @@ in { inherit mkKubeConfigOptions; }; type = types.attrs; + readOnly = true; + internal = true; }; secretsPath = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 3e8eac96f6b..2d58547ce4c 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.kubelet; + klib = options.services.kubernetes.lib.default; cniConfig = if cfg.cni.config != [] && cfg.cni.configDir != null then @@ -27,7 +28,7 @@ let config.Cmd = ["/bin/pause"]; }; - kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig; + kubeconfig = klib.mkKubeConfig "kubelet" cfg.kubeconfig; manifestPath = "kubernetes/manifests"; @@ -177,7 +178,7 @@ in type = str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubelet"; + kubeconfig = klib.mkKubeConfigOptions "Kubelet"; manifests = mkOption { description = "List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)"; @@ -358,7 +359,7 @@ in services.kubernetes.kubelet.hostname = with config.networking; mkDefault (hostName + optionalString (domain != null) ".${domain}"); - services.kubernetes.pki.certs = with top.lib; { + services.kubernetes.pki.certs = with klib; { kubelet = mkCert { name = "kubelet"; CN = top.kubelet.hostname; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 76ab03cd520..00d572a5098 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -1,10 +1,11 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; let top = config.services.kubernetes; cfg = top.pki; + klib = options.services.kubernetes.lib; csrCA = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON { key = { @@ -29,7 +30,7 @@ let cfsslAPITokenLength = 32; clusterAdminKubeconfig = with cfg.certs.clusterAdmin; - top.lib.mkKubeConfig "cluster-admin" { + klib.mkKubeConfig "cluster-admin" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -250,7 +251,7 @@ in # - it would be better with a more Nix-oriented way of managing addons systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{ environment.KUBECONFIG = with cfg.certs.addonManager; - top.lib.mkKubeConfig "addon-manager" { + klib.mkKubeConfig "addon-manager" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -343,7 +344,7 @@ in ''; services.flannel = with cfg.certs.flannelClient; { - kubeconfig = top.lib.mkKubeConfig "flannel" { + kubeconfig = klib.mkKubeConfig "flannel" { server = top.apiserverAddress; certFile = cert; keyFile = key; diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 5f3da034120..986301f6bd9 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.proxy; + klib = options.services.kubernetes.lib.default; in { imports = [ @@ -43,7 +44,7 @@ in type = str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes proxy"; verbosity = mkOption { description = '' @@ -72,7 +73,7 @@ in ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ --hostname-override=${cfg.hostname} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; @@ -88,7 +89,7 @@ in services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName; services.kubernetes.pki.certs = { - kubeProxyClient = top.lib.mkCert { + kubeProxyClient = klib.mkCert { name = "kube-proxy-client"; CN = "system:kube-proxy"; action = "systemctl restart kube-proxy.service"; diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 87263ee72fa..442e3fe3a69 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -6,6 +6,7 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.scheduler; + klib = options.services.kubernetes.lib.default; in { ###### interface @@ -32,7 +33,7 @@ in type = listOf str; }; - kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler"; + kubeconfig = klib.mkKubeConfigOptions "Kubernetes scheduler"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; @@ -69,7 +70,7 @@ in --address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ + --kubeconfig=${klib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ --port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ @@ -87,7 +88,7 @@ in }; services.kubernetes.pki.certs = { - schedulerClient = top.lib.mkCert { + schedulerClient = klib.mkCert { name = "kube-scheduler-client"; CN = "system:kube-scheduler"; action = "systemctl restart kube-scheduler.service"; |